Request header tagging not working on IIS
Unknown command in config: RequestHeader
This occurs when I try to enable the modsecurity_crs_49_header_tagging.conf optional rule.
RequestHeader is part of Apache ModHeaders and not part of ModSecurity. This is just an example of how to do this on Apache. Sorry for the inconvenience.
@csanders-git Is there any way this can be achieved on IIS also?
It would depend on IIS functionality and their ability to take environment variables. It seems you can use a custom response header specified in XML; the question is if ModSecurity's setEnv can reach that.
It appears IIS URL Rewrite 2.0 supports handling environment variables and modifying HTTP headers.
Looks like the setvar action is being set using subprocess_env as per: https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/re_actions.c#L1502
But I'm not sure if APR subprocess_env "exports" these variables back to Windows (so IIS and others can easily access them) or if they are only kept in Apache's own internal environment variable table, which is shared between all the modules and Apache (hence why they do work well for something like ModHeaders).
Apache's documentation doesn't seem very clear in this regard. So maybe trying it out first if you can access these variables outside of APR is a good way to start. If yes, then setenv and IIS Rewrite module could work for you @caracostea.