Apache and ModSecurity

O’Leary, Mike

doi:10.1007/978-1-4842-4294-0_14

Mike O’Leary²

2528 Accesses
3 Citations

Abstract

Apache is arguably the most significant web server; the September 2018 Netcraft survey reports that Apache runs 34% of the top million busiest sites, with Nginx reporting 25% and Microsoft 10%.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 69.99; Price excludes VAT (USA)

Softcover Book: USD 89.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
https://news.netcraft.com/archives/2018/09/24/september-2018-web-server-survey.html
2.
If you think this approach is silly and that it would be simpler to add a LoadModule statement to httpd.conf, then consider the fact that /etc/sysconfig/apache2 states, “It might look silly to not simply edit httpd.conf for the LoadModule statements…”
3.
The precise collection of modules loaded depends on the version of OpenSuSE. Shown is the list from OpenSuSE 42.1.
4.
The advantage of a2enmod and a2dismod over direct manipulation of symlinks is that the commands also consider any dependencies the module may have.
5.
The word “referer” is, in fact, misspelled. It was misspelled in the original 1996 RFC for HTTP/1.0, RFC 1945, available at http://tools.ietf.org/html/rfc1945 and the new spelling has stuck. It is still in use in the June 2014 RFC 7231 ( http://tools.ietf.org/html/rfc7231 ), which notes that referer has been misspelled.
6.
https://drownattack.com/
7.
https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
8.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf , p. 9.
9.
This list is taken directly from the Apache 2.4 documentation at https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite . Apache 2.2 is similar.
10.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
11.
On Apache 2.2, an additional NameVirtualHost directive is also required.
12.
The headers for an HTTP/1.1 request can be found in RFC 2616, which can be found at https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
13.
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
14.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670248
15.
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual . This manual covers both ModSecurity 2.x and ModSecurity 3.x. Since ModSecurity 3.0 was released in December 2017, this book only covers ModSecurity 2.x.
16.
See http://sourceforge.net/p/mod-security/mailman/mod-security-users/?viewmonth=201209
17.
Installing modsecurity-crs may also include the extra package libapache2-modsecurity, but this is a dummy transitional package.

Author information

Authors and Affiliations

Towson, MD, USA
Mike O’Leary

Authors

Mike O’Leary
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

O’Leary, M. (2019). Apache and ModSecurity. In: Cyber Operations. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-4294-0_14

Download citation

DOI: https://doi.org/10.1007/978-1-4842-4294-0_14
Published: 02 March 2019
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-4293-3
Online ISBN: 978-1-4842-4294-0
eBook Packages: Professional and Applied ComputingProfessional and Applied Computing (R0)Apress Access Books

Publish with us

Policies and ethics