Modsecurity only allow access from two particular REFERER HEADERs

Question

I have a Modsecurity rule which blocks all requests where the browser Referer Header is different from this: sub1.example.com.

So basically the rule only allows requests when the Header Referer is sub1.example.com:

SecRule REQUEST_HEADERS:REFERER "!@rx (?i)^https?://sub1.example.com/" /
"id:'7001024',phase:1,log,deny,status:404,msg:'Blocking Wrong or Empty Referer'"

My question is: How can I modify this rule to also allow requests with a second referer like sub2.example.com

score 0 · Answer 1 · edited Apr 17 '20 at 16:32

0

I'm not the best with regex but I think this is what you are trying to do:

"!@rx (?i)^https\?://(?:sub1\.example\.com|sub2\.example\.com)/"

That would block anything not matching:

https?://sub1.example.com/
https?://sub2.example.com/

Note: I added some escapes of the ? and .

I also think you could add t:lowercase, and you wouldn't have to use (?i) in the regex.

edited Apr 17 '20 at 16:32

Esa Jokinen

43,252
2
75
122

answered Apr 17 '20 at 16:12

steveH

136
2
5

Modsecurity only allow access from two particular REFERER HEADERs

1 Answers1