Just wondering who’s using what.
I use Fuseguard for some, but I’m just starting to dip my toe in with mod_security for apache using the OWASP rules. Primarily to knock a few things off even before it get the CF or Railo. This involves extending the rule set to cater for CF/Railo but mostly for Farcry’s webtop processes etc. It doesn’t appear to be a big task and at this stage my biggest issue has been not being able to whitelist furls, in particular those which produce long urls like pagination with extra details.
Does anyone thing there would be value in the availability of a definitive mod_security whitelist for FarCry?
1 Like
Hi Phil,
I don’t have any mod_security rules but I’d be interested in hearing what you come up with. If there’s something specific I can help with let me know
As for pagination, it could be anything with either a page
query string variable or a /page/
token in the URL string, or it could be custom if you use your own paginationID
in <skin:pagination>
.
It’s also worth noting that sometimes requests in the webtop go via the front-end index.cfm controller (calls to arrays and library webskins mostly).
cheers,
Justin
Unfortunately most examples of whitelist rules use the locationmatch tag in apache and I believe that will only see the physical page called. So all front end requests it will be index.cfm. The below works because of the physical nature of the files.
# Remove rule the interferes with the cache names
<LocationMatch /cache/*>
<IfModule mod_security2.c>
SecRuleRemoveById 981231
</IfModule>
</LocationMatch>
But this won’t;
<LocationMatch /my-awesome-web-pages/*>
<IfModule mod_security2.c>
SecRuleRemoveById 960015
</IfModule>
</LocationMatch>