tailieunhanh - Hardening Apache by Tony Mobily, part 5
Note: SecFilterSelective is the preferred way of filtering because it performs narrower searches and is therefore more efficient.

Remember that every option of mod_security can be inserted in a Location or a Directory directive in your file or in an .htaccess file. You could write something like this:

    SecFilterEngine On
    <Directory /mnt/raid/web_site/big_application>
      <IfModule mod_security.c>
        SecFilterCheckURLEncoding On
        SecFilterForceByteRange 32 126
        SecFilterScanPOST On
        SecFilterDefaultAction "deny,log,status:500"
        SecFilter space script
        SecFilter . .
      </IfModule>
    </Directory>
    <Directory /mnt/raid/web_site/images>
      <IfModule mod_security.c>
        SecFilterCheckURLEncoding Off
        SecFilterScanPOST Off
      </IfModule>
    </Directory>

As you can see, you can decide exactly which parts of your site are managed by the module, and make absolutely sure that the right sections set the right filters without overloading your Apache server.

Rule Chaining and Skipping

mod_security allows you to chain several rules together; the mechanism is similar to the one used by mod_rewrite. Chains are necessary when you want to trigger a specific event only if more than one condition is true. For example, assume that you want to run a script when the user guest gets an access denied message from a web application. You have to check both the user name and the page requested by the user. Here is what you can do:

    SecFilterSelective REQUEST_URI access denied .php chain
    SecFilterSelective ARG_username Aguest log,exec:/usr/local/bin/notify

You can also use the parameter skipnext:n to skip n rules. You can use this option to improve your server's performance by preventing the server from performing unnecessary filter checks.
For example:

    SecFilterSelective REMOTE_ADDR REMOTE_HOST skipnext:1
    SecFilter first_rule
    SecFilter secondrule

In this case, the rule first_rule is evaluated only if the client making the request is not the local machine. Finally the directive SecFilter allow stops the chain evaluation and
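
The control flow of chain, skipnext and allow described above can be traced with a small model. This is an added example, not code from the book or from mod_security: the evaluate function, the tuple layout of RULES, the regular expressions and the client addresses are all assumptions made for illustration, and the model covers only rule ordering, not the module's real matching or default actions.

```python
import re

# Constructed rule list combining the two patterns above. Patterns, addresses
# and the tuple layout are assumptions; this is a simplified model of the flow,
# not mod_security's engine.
RULES = [
    ("REMOTE_ADDR", r"^127\.0\.0\.1$", {"skipnext": 1}),
    ("REQUEST_URI", r"first_rule", {"deny": True}),
    ("REQUEST_URI", r"second_rule", {"deny": True}),
    ("REQUEST_URI", r"access_denied\.php", {"chain": True}),
    ("ARG_username", r"^guest$", {"log": True, "exec": "/usr/local/bin/notify"}),
]

def evaluate(rules, request):
    """Walk the rules once; return (verdict, fired_actions) for a request dict."""
    fired, i = [], 0
    while i < len(rules):
        var, pattern, actions = rules[i]
        if re.search(pattern, request.get(var, "")) is None:
            # A failed link drops the rest of its chain: step past every
            # remaining "chain" rule and the chain's final rule.
            while i < len(rules) and "chain" in rules[i][2]:
                i += 1
            i += 1
        elif "chain" in actions:
            i += 1                          # link matched: test the next link
        elif "skipnext" in actions:
            i += 1 + actions["skipnext"]    # jump over the next n rules
        else:
            fired.append(actions)           # standalone rule or end of a chain
            if "allow" in actions:
                return "allow", fired       # allow stops evaluation
            if "deny" in actions:
                return "deny", fired
            i += 1
    return "pass", fired

if __name__ == "__main__":
    for req in (
        {"REMOTE_ADDR": "127.0.0.1", "REQUEST_URI": "/first_rule"},
        {"REMOTE_ADDR": "10.0.0.5", "REQUEST_URI": "/first_rule"},
        {"REMOTE_ADDR": "10.0.0.5", "REQUEST_URI": "/access_denied.php",
         "ARG_username": "guest"},
    ):
        print(req, "->", evaluate(RULES, req))
```

The local client is exempt from first_rule only: skipnext:1 jumps over exactly one rule, so the rule after it still applies to local requests, which is worth checking whenever rules are reordered.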