authorScott Ullrich <sullrich@pfsense.org>2010-11-23 16:40:01 -0500
committerScott Ullrich <sullrich@pfsense.org>2010-11-23 16:40:12 -0500
commitdac6b5617dc0ebea6b68c4eda354649780cda217 (patch)
tree3af83b585cd45452107a0bab712b8029b402146b /config/apache_mod_security
parent5916e670ad3182efb162e98f186888422f2b7465 (diff)
Adding SecReadStateLimit. Requires 2.5.13 which should be out shortly.
Diffstat (limited to 'config/apache_mod_security')
-rw-r--r--config/apache_mod_security/apache_mod_security.inc9
-rw-r--r--config/apache_mod_security/apache_mod_security_settings.xml11
2 files changed, 19 insertions, 1 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 4eb24c2c..38d53601 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -221,6 +221,12 @@ function generate_apache_configuration() {
else
$secauditengine = "RelevantOnly";
+ // SecReadStateLimit
+ if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit'])
+ $secreadstatelimit = "SecReadStateLimit " . $config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit'] ."\n";
+ else
+ $secreadstatelimit = "";
+
$mod_proxy .= <<<EOF
# Off when using ProxyPass
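Review bot: The SecReadStateLimit value on the added lines is concatenated into the generated Apache configuration with no validation, so a non-numeric entry, or one containing a line break, would produce a malformed or unintended directive and could keep Apache from loading the file. Restrict it to a positive integer before building the string, e.g. `$limit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['SecReadStateLimit'];` followed by `if (ctype_digit((string)$limit) && (int)$limit > 0) $secreadstatelimit = "SecReadStateLimit " . (int)$limit . "\n"; else $secreadstatelimit = "";`. The commit message says the directive requires 2.5.13, so a comment here noting that older ModSecurity builds will probably reject the directive would help whoever debugs a failed start. generate_apache_configuration() begins and ends outside this hunk.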
@@ -409,6 +415,9 @@ EOF;
# Only allow bytes from this range
SecFilterForceByteRange 1 255
+ # Help prevent the effects of a Slowloris-type of attack
+ $secreadstatelimit
+
# Cookie format checks.
SecFilterCheckCookieFormat On
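Review bot: The line `# Help prevent the effects of a Slowloris-type of attack` is written into the generated configuration even when `$secreadstatelimit` is empty, which leaves a comment announcing a protection that is not actually configured. Keeping the comment and directive together in the string built earlier avoids that, e.g. `$secreadstatelimit = "# Help prevent the effects of a Slowloris-type of attack\nSecReadStateLimit " . ... . "\n";`, with only `$secreadstatelimit` left in the heredoc. The neighbouring context lines use `SecFilter*` names, which look like ModSecurity 1.x syntax, while SecReadStateLimit is a 2.x directive; the surrounding template is not visible in this hunk, so it is worth confirming the new line lands in a section that the 2.x module actually parses.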
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index e313f3c8..4bbc4ea2 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -120,7 +120,6 @@
</description>
<type>input</type>
</field>
-
<field>
<fielddescr>Use mod_disk_cache</fielddescr>
<fieldname>mod_disk_cache</fieldname>
@@ -142,6 +141,16 @@
<type>input</type>
</field>
<field>
+ <fielddescr>Limits number of POSTS accepted from same IP address</fielddescr>
+ <fieldname>SecReadStateLimit</fieldname>
+ <description>
+ <![CDATA[
+ Help prevent the effects of a Slowloris-type of attack. More information about this attack can be found here: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
+ ]]>
+ </description>
+ <type>input</type>
+ </field>
+ <field>
<fielddescr>Configures the maximum request body size ModSecurity will store in memory.</fielddescr>
<fieldname>secrequestbodyinmemorylimit</fieldname>
<description>Configures the maximum request body size ModSecurity will store in memory.</description>
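Review bot: The label `Limits number of POSTS accepted from same IP address` does not describe what SecReadStateLimit does: the directive caps how many connections from one IP address may be in the SERVER_BUSY_READ state at the same time, independent of the request method. Suggest `<fielddescr>Maximum concurrent connections per IP address in the read state (SecReadStateLimit)</fielddescr>`. The description should also state that the value must be a positive integer, that leaving the field blank omits the directive, and that version 2.5.13 or later is required as the commit message notes. Since many legitimate clients can share one address behind NAT or a proxy, a short caution about setting the limit too low would help administrators choose a value.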