Note

This code is unmaintained.



mod_ifier
Free Software

Rule Types

Once installed and loaded the mod_ifier module adds several new configuration directives which you can use in your Apache configuration file. These directives are used to implement your filtering rules.

Several examples are included in the download.

Viewing Rules

If you include the following in your configuration file you'll be able to view the active rules online.

#
#  Allow ourselves to see the active mod_ifier rule set.
#
#  (Any location may be chosen, this is just an example.)
#
<Location /mod_ifier>
   # Specify the handler to use.
   SetHandler mod_ifier-handler
   # Restrict access.
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
</Location>

This allows you to visit http://example.com/mod_ifier and see the loaded rules. Here is an example. Note: this example contains "bad words"™.

Directives
DropAction execute=/path/to/script,status=123,redirect=http://...

Specify the action to take on a successful block/match. This may be a specific HTTP status code, a command to execute, or an HTTP redirect.

You can combine the execution of a command with a HTTP response code or URI redirect with something like this:

#
#  On a match run the local script and return a HTTP code 403.
#
DropAction execute=/usr/bin/foo,status=403

DropAgent "Regular Expression" *

Drop a connection if the submitted User-Agent header matches the specified regular expression.

DropBlacklist 1.2.3.4|1.2.3.4/5

Drop a connection based upon IP address of the client connecting. You may specify either a literal IP address or a CIDR range.

DropHeader "Header-Name" "Regular Expression" *

This directive matches if the submitted request contains the header "Header-Name" matching the specified regular expression.

This is used to implement the DropAgent and DropReferer behaviours.

DropMethod "regular expression" *

This allows you to drop clients using the specified HTTP request method (GET, POST, OPTIONS, SEARCH, PROPFIND, etc.).

DropLog /path/to/log

This allows you to specify a logfile to be updated when a match is made.

DropParam name

Drop any request which contains a CGI parameter with the given name. The value of the submitted CGI parameter isn't important.

DropParamValue name "Regular Expression" *

Drop any request which contains a CGI parameter with the given name whose value matches the supplied regular expression.

DropParamValues "regular expression" *

Drop any request which contains a CGI parameter with the given value - regardless of the name.

DropPath "regular expression" *

Drop any request matching the specified regular expression path.

For example the following matches formail.cgi and formail.pl:

DropPath formail.(pl|cgi)

DropReferer "regular expression" *

Drop a connection based upon the submitted Referer header.

DropWhitelist 1.2.3.4|1.2.3.4/5

Never drop the given connection IP address / CIDR mask.

Per-Rule Actions

Several of the available rule-types allow you to specify an action to carry out which only applies to that rule. These are marked with * in the list above.

As an example in the following configuration snippet we specify that matches generally should result in the return of a HTTP 403 response code - but that matches to /admin/ should result in a 404 error code unless they come from a trusted IP address:

# Default action to carry out on a match
DropAction status=403
# Never match this IP address
DropWhitelist 192.168.1.1
# Result in a 404 on /admin
DropPath /admin status=404
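
The precedence in the snippet above, modelled in Python as an added example (not code from mod_ifier or its author): the whitelist is checked first, then a rule's own action, then the DropAction default. The unanchored regex search and first-match-wins order are assumptions, as are all function and variable names.

```python
import ipaddress
import re

# Assumed model of the snippet above, not mod_ifier's real matching code.
DEFAULT_STATUS = 403                      # DropAction status=403
WHITELIST = ["192.168.1.1"]               # DropWhitelist 192.168.1.1
PATH_RULES = [
    ("/admin", 404),                      # DropPath /admin status=404
    ("formail.(pl|cgi)", None),           # DropPath formail.(pl|cgi), no per-rule action
]


def is_whitelisted(client_ip, whitelist=WHITELIST):
    """True if client_ip is a listed address or falls inside a listed CIDR range."""
    addr = ipaddress.ip_address(client_ip)
    # strict=False accepts a literal address as well as a range with host bits set
    return any(addr in ipaddress.ip_network(w, strict=False) for w in whitelist)


def decide(client_ip, path):
    """Return the HTTP status to answer with, or None when no rule drops the request."""
    if is_whitelisted(client_ip):
        return None                       # whitelisted clients are never dropped
    for pattern, status in PATH_RULES:
        # Assumption: unanchored regex search, first matching rule wins
        if re.search(pattern, path):
            return status if status is not None else DEFAULT_STATUS
    return None


# Constructed sample requests: (client IP, request path)
SAMPLES = [
    ("192.168.1.1", "/admin/"),
    ("203.0.113.7", "/admin/"),
    ("203.0.113.7", "/cgi-bin/formail.pl"),
    ("203.0.113.7", "/index.html"),
]

if __name__ == "__main__":
    for ip, path in SAMPLES:
        print(f"{ip:15} {path:22} -> {decide(ip, path)}")
```

Running the same table of sample requests against a proposed rule set before reloading Apache shows which clients a new whitelist entry would exempt from every rule.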