Apache-2.4

apache 伺服器對某些客戶端響應 403,用於 wordpress 站點

  • November 7, 2020

我租了一台準系統伺服器,安裝了 Centos 7,然後安裝了 centos web 面板,伺服器設置為僅 apache,使用 apache 2.4.4x 和 php 7。

我在其中一個虛擬主機上建立了一個wordpress站點,經過一段時間的編輯,當我試圖在我的手機上查看該站點時,我發現它看到了403禁止。我還檢查了不同站點中的一些不同電腦,奇怪的是似乎只有我用來編輯站點的瀏覽器才能查看它。

我正在使用 Chrome 我一直在使用 firefox 進行編輯,我再次嘗試了 firefox,它可以工作。但是在我將firefox刷新為出廠設置後,它也給出了403,我嘗試在隱身模式下使用Chrome,它沒有重現問題。

我已將所有文件設置為 644,將所有目錄設置為 755

並且使用我的手機,無論我使用的是wifi還是移動網路,都是403

我在 index.html 中使用元刷新將流量重定向到 site/ 的 wordpress 網站

以下是返回 403 時的日誌摘錄

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:38 +0800] "GET / HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

==> example.com.error.log <==
[Sat Nov 07 08:31:39.815669 2020] [:error] [pid 18537:tid 140088488527616] [client YYY.YYY.232.181:51246] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq62SIpp9t4B3qVX2@-QAAAMU"]

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:39 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

==> example.com.error.log <==
[Sat Nov 07 08:31:45.131170 2020] [:error] [pid 18537:tid 140088293922560] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/site"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /site HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"

==> example.com.error.log <==
[Sat Nov 07 08:31:45.222926 2020] [:error] [pid 18537:tid 140088403027712] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-wAAAMc"]

==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:12 +0800] "GET /site/ HTTP/1.1" 200 58190 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"

這與 Web 瀏覽器或文件權限無關,而是與 ModSecurity Web 應用程序防火牆(WAF)的誤報檢測有關。我剛剛添加了換行符以使其更具可讀性:

ModSecurity: Access denied with code 403 (phase 2). 
Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" 
at REQUEST_COOKIES:__gads. 
[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] 
[line "157"] 
[id "981172"] 
[rev "2"] 
[msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] 
[data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] 
[maturity "9"] 
[accuracy "8"] 
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] 
[hostname "www.example.com"] 
[uri "/site"] 
[unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]

像 WordPress 這樣的 CMS 系統通常具有在 Web 應用程序中通常不需要的功能,但對於更新網頁內容是必需的,例如添加 HTML、JavaScript 甚至 SQL。訣竅是創建例外,使您能夠使用此功能而不允許任何人做任何事情。這意味著必須縮小例外範圍以防止誤報。

過去,這需要在錯誤日誌中查找[id "???"] [uri "/?"]對並添加異常,例如:

<LocationMatch "/wp-login.php">
 SecRuleRemoveById 950007 950109 950117 950120 950901 981143 981172 981173 970901 970903
</LocationMatch>

<LocationMatch "/wp-content">
 SecRuleRemoveById 950007 950120 958231 970903 981172
</LocationMatch>

隨著最近的 OWASP CRS,這變得更加簡單,因為您可以在以下位置配置異常crs-setup.conf

#
# Modify and uncomment this rule to select which application:
#
#SecAction \
# "id:900130,\
#  phase:1,\
#  nolog,\
#  pass,\
#  t:none,\
#  setvar:tx.crs_exclusions_drupal=1,\
#  setvar:tx.crs_exclusions_wordpress=1,\
#  setvar:tx.crs_exclusions_nextcloud=1,\
#  setvar:tx.crs_exclusions_dokuwiki=1,\
#  setvar:tx.crs_exclusions_cpanel=1"

因此,為了啟用 WordPress 排除規則,這將變為:

SecAction \
"id:900130,\
 phase:1,\
 nolog,\
 pass,\
 t:none,\
 setvar:tx.crs_exclusions_wordpress=1" # enable the WordPress exclusion rules

引用自:https://serverfault.com/questions/1041610