diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index fc2e9e23..1c9b1cf3 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -1009,12 +1009,13 @@ SecAuditLogStorageDir logs/audit
Development of a state of the art external protection tool will be
a focus of subsequent ModSecurity releases. However, a fully functional
tool is already available as part of the Apache httpd tools project
- (http://www.apachesecurity.net/tools/). The
- tool is called httpd-guardian and can be used to defend against Denial
- of Service attacks. It uses the blacklist tool (from the same project)
- to interact with an iptables-based (Linux) or pf-based (*BSD) firewall,
- dynamically blacklisting the offending IP addresses. It can also
- interact with SnortSam (http://www.snortsam.net). Assuming
+ (http://www.apachesecurity.net/tools/).
+ The tool is called httpd-guardian and can be used to defend against
+ Denial of Service attacks. It uses the blacklist tool (from the same
+ project) to interact with an iptables-based (Linux) or pf-based (*BSD)
+ firewall, dynamically blacklisting the offending IP addresses. It can
+ also interact with SnortSam (http://www.snortsam.net). Assuming
httpd-guardian is already configured (look into the source code for the
detailed instructions) you only need to add one line to your Apache
configuration to deploy it:
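Review bot: The removed and added lines of the httpd-guardian paragraph carry the same words as far as the visible text shows, only re-wrapped, so this is a whitespace-only change mixed into a commit that changes wording elsewhere. Consider moving the re-wrap into its own commit so the content changes in the later hunks are easier to review.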
@@ -1788,8 +1789,8 @@ SecRule HTTP_Host "!^$" "deny,phase:1"
+ sanitize. This should work appropirately in a proxy setup or within
+ phase:5 (logging).
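Review bot: Typo in the first added line: "appropirately" should be "appropriately". Since this sentence tells rule writers where sanitizing works (a proxy setup or phase:5), it would also help to say plainly that it may not work in embedded mode before phase:5, if that is the intended meaning, rather than leaving it implied.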
@@ -1808,8 +1809,9 @@ SecRule HTTP_Host "!^$" "deny,phase:1"This phase is run just before logging takes place. The rules
placed into this phase can only affect how the logging is performed.
This phase can be used to inspect the error messages logged by Apache.
- You can not deny/block connections in this phase as it is too
- late.
+ You can not deny/block connections in this phase as it is too late. This
+ phase also allows for inspection of other response headers that weren't
+ available during phase:3 or phase:4.
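Review bot: The added sentence "inspection of other response headers that weren't available during phase:3 or phase:4" does not say which headers or under which deployment mode. The RESPONSE_HEADERS note changed later in this patch names them (Server, Date, Connection and Content-Type, in embedded-mode), so name them here as well or cross-reference that note. While touching this line, "can not" could become "cannot".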
@@ -1850,10 +1852,12 @@ SecRule HTTP_Host "!^$" "deny,phase:1"id_: SecRule ARGS:/^id_/ dirty
-
- In ModSecurity 1.X, the ARGS variable stood
- for QUERY_STRING + POST_PAYLOAD,
- whereas now it expands to to individual variables.
+
+
+ In ModSecurity 1.X, the ARGS variable stood
+ for QUERY_STRING + POST_PAYLOAD,
+ whereas now it expands to to individual variables.
+
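Review bot: The re-indented note still carries the doubled word in "whereas now it expands to to individual variables"; since these lines are being rewritten anyway, fix it to "expands to individual variables". The rest of the hunk is a re-indent with no wording change.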
@@ -2255,10 +2259,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
NoteThis variable may not have access to some headers when running in
- embedded-mode. Headers such as Server, Date and Connection are added
- during a later Apache hook just prior to sending the data to the client.
- This data should be available, however, when running in
- proxy-mode.
+ embedded-mode. Headers such as Server, Date, Connection and Content-Type
+ are added during a later Apache hook just prior to sending the data to
+ the client. This data should be available, however, either during
+ ModSecurity phase:5 (logging) or when running in proxy-mode.
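Review bot: The new wording "either during ModSecurity phase:5 (logging) or when running in proxy-mode" points readers to phase:5 for these headers, but the phase:5 description changed earlier in this patch says rules there cannot deny or block. The note should state that in embedded-mode, rules matching on Server, Date, Connection or Content-Type can only log or alter logging, and that enforcement on those headers requires proxy-mode. "should be available" is also hedged; if the behaviour is known, say "is available".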