Pages

Monday, November 12

800 posts, and mod_security blocking

Took a look at my mod_security logs tonight.  Apparently, if you use Google's Reader to my rss feed, then actually try to go to my website via the link in the RSS..  trying to do all this when you are behind a Bluecoat Proxy server on your internal network...

You get blocked.  The bluecoat proxy forwards your "X-forwarded for" header to the Google Reader, then, finally when you click on the link to come to my website, Google forwards your internal IP.

Which mod_security didn't like:

"!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-
9][0-9]?)|)|unknown)$" at HEADER("X-FORWARDED-FOR")

It doesn't like you.   I commented out the rule, so everything should be fine now.

4 comments:

Ofer Shezaf said...

What rules are you using? I think that the rule is not part of ModSecurity Core Rule Set, so many may not be using it. Do you have other rules you had to comment out?

Ofer Shezaf
ModSecurity Core Rule Set Project Leader

Joel Esler said...

I don't think it's one of the default sets. I have many many many custom rules that I have received from all over the net. This is most likely one of those.

Ofer Shezaf said...

What rules are you using? I think that the rule is not part of ModSecurity Core Rule Set, so many may not be using it. Do you have other rules you had to comment out?Ofer ShezafModSecurity Core Rule Set Project Leader

Joel Esler said...

I don't think it's one of the default sets. I have many many many custom rules that I have received from all over the net. This is most likely one of those.