Walter McGinnis
2010-Nov-21 21:26 UTC
Apache config for blocking php exploit requests that is compatible with Rails under Passenger
Hi, I was just looking at my logs and noticed a decent amount of 404s as a result of requests trying to use php exploits. I don''t use PHP on my host at all, so I figure it''s time to uniformly deny php requests with Apache to save my Rails apps having to look up the route. My searching has mostly brought back how tos on redirecting TO php rather than block it. I did find a mention of mod_security which looks promising. I''m wondering if it is compatible with Passenger. Any success or horror stories for it? Configuration file you would be willing to share? What else do people recommend? Cheers, Walter -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Frederick Cheung
2010-Nov-21 23:27 UTC
Re: Apache config for blocking php exploit requests that is compatible with Rails under Passenger
On Nov 21, 9:26 pm, Walter McGinnis <walter.mcgin...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> Hi, > > I was just looking at my logs and noticed a decent amount of 404s as a > result of requests trying to use php exploits. I don''t use PHP on my > host at all, so I figure it''s time to uniformly deny php requests with > Apache to save my Rails apps having to look up the route. > > My searching has mostly brought back how tos on redirecting TO php > rather than block it.At a very simple level something like RewriteRule \.php$ - [F] Would rewrite any request where the url ended in .php to 403s Fred> > I did find a mention of mod_security which looks promising. I''m > wondering if it is compatible with Passenger. Any success or horror > stories for it? Configuration file you would be willing to share? > > What else do people recommend? > > Cheers, > Walter-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Walter McGinnis
2010-Nov-22 00:08 UTC
Re: Re: Apache config for blocking php exploit requests that is compatible with Rails under Passenger
> > At a very simple level something like > > RewriteRule \.php$ - [F] > > Would rewrite any request where the url ended in .php to 403s >Tried it. I have Passenger in high performance mode and it looks to disable mod_rewrite. http://www.modrails.com/documentation/Users%20guide%20Apache.html#PassengerHighPerformance I may be out of luck if I want to keep that set to on. Cheers, Walter -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Frederick Cheung
2010-Nov-22 08:30 UTC
Re: Apache config for blocking php exploit requests that is compatible with Rails under Passenger
On Nov 22, 12:08 am, Walter McGinnis <walter.mcgin...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > At a very simple level something like > > > RewriteRule \.php$ - [F] > > > Would rewrite any request where the url ended in .php to 403s > > Tried it. I have Passenger in high performance mode and it looks to > disable mod_rewrite. > > http://www.modrails.com/documentation/Users%20guide%20Apache.html#Pas... > > I may be out of luck if I want to keep that set to on. >Well if you really do need it, the docs say that you can turn it on for only certain paths, so you could just activate it for your most highly trafficked pages and leave the remainder with mod_rewrite enabled. Fred> Cheers, > Walter-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Walter McGinnis
2010-Nov-22 20:20 UTC
Re: Re: Apache config for blocking php exploit requests that is compatible with Rails under Passenger
Yes, I read that. It''s a trade-off and for now I would rather keep the high performance on for the virtual host. Not a big deal really, but was hoping for a non-rewrite solution (FilesMatch also doesn''t look to work with PassengerHighPerformance). Always good to check though. Thanks for your input. Cheers, Walter On Mon, Nov 22, 2010 at 9:30 PM, Frederick Cheung <frederick.cheung-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> > > On Nov 22, 12:08 am, Walter McGinnis <walter.mcgin...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > wrote: >> > At a very simple level something like >> >> > RewriteRule \.php$ - [F] >> >> > Would rewrite any request where the url ended in .php to 403s >> >> Tried it. I have Passenger in high performance mode and it looks to >> disable mod_rewrite. >> >> http://www.modrails.com/documentation/Users%20guide%20Apache.html#Pas... >> >> I may be out of luck if I want to keep that set to on. >> > > Well if you really do need it, the docs say that you can turn it on > for only certain paths, so you could just activate it for your most > highly trafficked pages and leave the remainder with mod_rewrite > enabled. > > Fred > >> Cheers, >> Walter > > -- > You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. > To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org > To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.