2

I want to block proxied (X-Forwarded-For) IPs from a certain page (wp-comments-post.php) using Apache mod_security.

My current mod_security rule:

SecRule REQUEST_HEADERS_NAMES "^x-forwarded-for" "log,deny,id:48,status:403,t:lowercase,msg:'Don\'t use Proxy'"
Ram

2 Answers

1

I believe you can do this if you enclose the modsec rules inside a Location directive, e.g.

<Location /koko/lala/wp-comments-post.php >
SecRule .... 
</Location>
lacasitos
1

You should be able to use something like

<LocationMatch "wp-comments-post.php" >
    SecRule &REQUEST_HEADERS:X-Forwarded-For "@gt 0" "log,deny,id:48,status:403,msg:'Don\'t use Proxy'"
</LocationMatch>

I haven't got a machine handy to test this on but it ought to deny access to the relevant location if there are >0 X-Forwarded-For request headers. Lots of companies use proxies so you may find that you need to make this "@gt 1" to reduce false positives. See the Apache Location and LocationMatch documentation.

user9517
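
An alternative to the Location wrappers in the answers above, added here as an example and not taken from either answer: a chained rule that does the path match inside ModSecurity, so it can sit at server or virtual-host scope. The rule id 1048 and the message text are constructed for illustration.

```apache
# Added example. Rule id 1048 and the msg text are constructed placeholders.
# Place at server or <VirtualHost> scope; no <Location> wrapper is needed.

# Rule 1 (chain starter): match only the comment-posting endpoint.
# REQUEST_FILENAME is the request path without the query string, so
# /blog/wp-comments-post.php?x=1 matches and /wp-comments-post.php.bak does not.
SecRule REQUEST_FILENAME "@endsWith /wp-comments-post.php" \
    "id:1048,phase:1,t:none,log,deny,status:403,\
    msg:'Comment post with X-Forwarded-For header',chain"
    # Rule 2 (chained): the & prefix counts headers with this name.
    # It does not count the addresses listed inside the header value.
    SecRule &REQUEST_HEADERS:X-Forwarded-For "@gt 0" "t:none"
```

X-Forwarded-For is supplied by the client or by an intermediary, so this rule only catches requests that declare the header; its absence does not show that no proxy was used.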