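Apache server responds with 403 to some clients, for a WordPress site
I rented a bare-bones server, installed CentOS 7 and then CentOS Web Panel, with the server set to Apache only, using Apache 2.4.4x and PHP 7.
I set up a WordPress site on one of the virtual hosts. After editing it for a while, I tried to view the site on my phone and found that it got a 403 Forbidden. I also checked from a few different computers at different sites, and strangely it seems that only the browser I used to edit the site can view it.
I am using Chrome, and I have been using Firefox for editing. I tried Firefox again and it worked. But after I reset Firefox to factory settings, it also gave a 403. I tried Chrome in incognito mode, and it did not reproduce the problem.
I have set all files to 644 and all directories to 755.
And on my phone, whether I use Wi-Fi or the mobile network, it is a 403.
I use a meta refresh in index.html to redirect traffic to the WordPress site at site/.
Below is a log excerpt from when the 403 is returned: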
    ==> example.com.log <==
    YYY.YYY.232.181 - - [07/Nov/2020:08:31:38 +0800] "GET / HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

    ==> example.com.error.log <==
    [Sat Nov 07 08:31:39.815669 2020] [:error] [pid 18537:tid 140088488527616] [client YYY.YYY.232.181:51246] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq62SIpp9t4B3qVX2@-QAAAMU"]

    ==> example.com.log <==
    YYY.YYY.232.181 - - [07/Nov/2020:08:31:39 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

    ==> example.com.error.log <==
    [Sat Nov 07 08:31:45.131170 2020] [:error] [pid 18537:tid 140088293922560] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/site"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]

    ==> example.com.log <==
    YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /site HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

    ==> example.com.error.log <==
    [Sat Nov 07 08:31:45.222926 2020] [:error] [pid 18537:tid 140088403027712] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-wAAAMc"]

    ==> example.com.log <==
    YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
    YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
    YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
    YYY.YYY.232.181 - - [07/Nov/2020:08:32:12 +0800] "GET /site/ HTTP/1.1" 200 58190 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
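This has nothing to do with the web browser or file permissions; it is a false-positive detection by the ModSecurity web application firewall (WAF). I have just added line breaks to make it more readable: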
    ModSecurity: Access denied with code 403 (phase 2).
    Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads.
    [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
    [line "157"]
    [id "981172"]
    [rev "2"]
    [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
    [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"]
    [ver "OWASP_CRS/2.2.9"]
    [maturity "9"]
    [accuracy "8"]
    [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
    [hostname "www.example.com"]
    [uri "/site"]
    [unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]
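CMS systems like WordPress often have functionality that is not usually needed in a web application but is necessary for updating page content, such as adding HTML, JavaScript or even SQL. The trick is to create exceptions that let you use this functionality without allowing anyone to do anything. This means the exceptions must be narrowed down to prevent false positives.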
In the past, this required looking in the error log for [id "???"] [uri "/?"] pairs and adding exceptions, e.g.:

    <LocationMatch "/wp-login.php">
        SecRuleRemoveById 950007 950109 950117 950120 950901 981143 981172 981173 970901 970903
    </LocationMatch>
    <LocationMatch "/wp-content">
        SecRuleRemoveById 950007 950120 958231 970903 981172
    </LocationMatch>
With the recent OWASP CRS, this has become much simpler, because you can configure the exceptions in crs-setup.conf:

    #
    # Modify and uncomment this rule to select which application:
    #
    #SecAction \
    # "id:900130,\
    #  phase:1,\
    #  nolog,\
    #  pass,\
    #  t:none,\
    #  setvar:tx.crs_exclusions_drupal=1,\
    #  setvar:tx.crs_exclusions_wordpress=1,\
    #  setvar:tx.crs_exclusions_nextcloud=1,\
    #  setvar:tx.crs_exclusions_dokuwiki=1,\
    #  setvar:tx.crs_exclusions_cpanel=1"
So, to enable the WordPress exclusion rules, this becomes:

    # enable the WordPress exclusion rules
    SecAction \
     "id:900130,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:tx.crs_exclusions_wordpress=1"
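
The log triage described in this answer, as an added example that is not part of the original answer: it pulls the rule id, matched variable and URI out of each ModSecurity denial, counts the characters from the rule 981172 class in the matched value, and renders LocationMatch exclusions in the answer's older style. The sample lines are constructed from the log above (the client address and shortened message layout are assumptions), and `triage` and `location_exclusions` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Character class and {8,} threshold transcribed from the rule 981172 pattern above.
SPECIAL = re.compile(r"""[~!@#$%^&*()\-+={}\[\]|:;"'\u00b4\u2019\u2018`<>]""")
THRESHOLD = 8

# Fields read from each ModSecurity "Access denied" error-log message.
FIELDS = re.compile(
    r'at (?P<target>[A-Z_]+(?::[^\s.]+)?)\..*?\[id "(?P<id>\d+)"\]'
    r'.*?found within [^ ]+: (?P<value>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')

# Constructed sample: the cookie value is the one in the log above; the client
# address and the shortened message layout are made up for this example.
COOKIE = ("ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:"
          "RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg")
TEMPLATE = ('[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). '
            'Pattern match "(...){{8,}}" at REQUEST_COOKIES:__gads. [id "981172"] '
            '[data "Matched Data: = found within REQUEST_COOKIES:__gads: {cookie}"] '
            '[uri "{uri}"]')
SAMPLE_LOG = "\n".join(TEMPLATE.format(cookie=COOKIE, uri=u)
                       for u in ("/favicon.ico", "/site", "/favicon.ico"))

def triage(log_text):
    """Group denials by (rule id, matched variable); collect the URIs each one hit."""
    hits = defaultdict(lambda: {"uris": set(), "specials": 0})
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if m:
            entry = hits[(m["id"], m["target"])]
            entry["uris"].add(m["uri"])
            # How many characters of the matched value fall in the rule's class.
            entry["specials"] = len(SPECIAL.findall(m["value"]))
    return dict(hits)

def location_exclusions(hits):
    """Render one LocationMatch block per URI, listing the rule ids seen there."""
    by_uri = defaultdict(set)
    for (rule_id, _target), entry in hits.items():
        for uri in entry["uris"]:
            by_uri[uri].add(rule_id)
    return "\n".join(
        f'<LocationMatch "{uri}">\n  SecRuleRemoveById {" ".join(sorted(ids))}\n</LocationMatch>'
        for uri, ids in sorted(by_uri.items()))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, e in found.items():
        print(key, e["specials"], ">=", THRESHOLD, sorted(e["uris"]))
    print(location_exclusions(found))
```

The `__gads` value contains nine characters from the rule's class against a threshold of eight, which is why an ordinary advertising cookie trips the SQL-injection anomaly rule on every URI it is sent to.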