ModSecurity Nginx Custom Forbidden Page + Log ID

We are running the latest Nginx and ModSecurity, everything is working as expected, but we would like to be able to have a custom forbidden page (not the default 403) that also includes the log ID, so in case a customer is getting denied, they could open a ticket with the support team and add the ID they got, so it will be easier for us to track in the log.

ModSecurity Core Rule Set Developer on Duty here. It may be possible, and potentially simplest, to configure Nginx with custom behaviour/pages when handling a 403 Forbidden response. I'm not an Nginx expert, so I can't comment on precisely how you would do this.

The alternative is to replace your usage of ModSecurity's deny action with the redirect action. Instead of responding to a blocking event with a simple 403 Forbidden status code you would instead perform a redirect to a location of your choosing. You can include the unique ID as a query string parameter, like so:

redirect:https://mysite.tld/blocked.html?uid=%{UNIQUE_ID}

If you're using the Core Rule Set then the rule you want to look at is 949110, the inbound blocking rule. (If you're also inspecting response data then you'll also want to look at the outbound blocking rule, too.)

Below is something you could test and get started with. It amends the inbound blocking rule to redirect clients to Google, with the search parameter being the unique ID (so you can easily see this idea in action). It would need to be placed after your CRS includes, as it makes use of a configure-time rule modification: you can only modify a rule if it's already been defined.

# CRS Rule Modification: 949110 - Inbound Anomaly Score Exceeded
#
# When a request meets or exceeds the inbound anomaly score threshold, rather
# than replying with a 403 Forbidden status code, perform a redirect to send the
# client to a pre-determined location.
#
# The redirect URL includes the unique ID of the transaction as a parameter. If
# the redirect location is set up to do so, the unique ID can be displayed to
# the client in a friendly message, e.g. "Something's gone wrong. Please contact
# support@example.com quoting ID <ID_GOES_HERE>." As the unique ID appears in
# the logs it can be used to identify the log lines associated to a specific
# client's blocking event.
SecRuleUpdateActionById 949110 "redirect:https://www.google.com/search?q=%{UNIQUE_ID}"
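The answer above mentions, but does not spell out, the Nginx-side approach: keep ModSecurity's deny (and its 403) and let Nginx serve a custom page that shows the transaction ID. The configuration below is an added example and is not part of the original answer or of the CRS project. It assumes the ModSecurity-nginx connector's modsecurity_transaction_id directive (which lets Nginx's $request_id be used as the ModSecurity transaction ID, so the same value lands in the audit log's unique_id field and in the page), and that a connector-issued 403 is intercepted by error_page, which you should confirm on your own build. The hostname, file paths and the ID_GOES_HERE token are placeholders.

```nginx
# Added example: custom 403 page carrying the ModSecurity transaction ID.
# Assumptions: ModSecurity-nginx connector with modsecurity_transaction_id;
# error_page intercepts the connector's 403; paths/hostname are placeholders.

http {
    # Log the same ID in the access log so support can correlate all three:
    # access log, ModSecurity audit log, and the ID the customer quotes.
    log_format with_id '$remote_addr [$time_local] "$request" $status '
                       'rid=$request_id';
    access_log /var/log/nginx/access.log with_id;   # placeholder path

    server {
        listen 443 ssl;
        server_name mysite.tld;                      # placeholder

        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;   # placeholder path

        # Use Nginx's $request_id (32 hex chars) as the ModSecurity transaction
        # ID, so the audit log's [unique_id "..."] matches what the client sees.
        modsecurity_transaction_id "$request_id";

        # Route every 403, including ModSecurity denies, to the internal page.
        # Without "=", the original 403 status is preserved.
        error_page 403 /blocked.html;

        location = /blocked.html {
            internal;                    # not reachable by a direct request
            root /var/www/errors;        # placeholder; contains blocked.html

            # The HTML file contains the literal token ID_GOES_HERE, e.g.
            # "Please contact support@example.com quoting ID ID_GOES_HERE."
            # $request_id is hex only, so embedding it needs no HTML escaping.
            sub_filter 'ID_GOES_HERE' '$request_id';
            sub_filter_once on;
        }

        location / {
            root /var/www/html;          # placeholder application root
        }
    }
}
```

Compared with the redirect approach, this keeps the 403 status (useful for clients and monitoring that key off status codes) and avoids echoing a query-string value into a page. If you do use the redirect variant with uid=%{UNIQUE_ID}, make sure the landing page validates and HTML-escapes the uid parameter before displaying it, since anyone can craft that query string.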
