[CKAN-Security] ckan and mod_security2

Eli Agbayani eagbayani at eol.org
Thu Sep 26 14:53:11 UTC 2019


Dear security at ckan.org,
Just following up on this.
I attached my current ckan_default.conf so you can check as well.

On Mon, Sep 23, 2019 at 12:22 PM Eli Agbayani <eagbayani at eol.org> wrote:

> Hi,
> How can I install mod_security for my CKAN?
> I followed this tutorial:
> https://tecadmin.net/install-modsecurity-with-apache-on-centos-rhel/
> And installed successfully.
>
> But my CKAN instance is not affected by it.
>
> I've now installed Apache mod_security2, and it is now enabled:
> *SecRuleEngine On*
> But how do I connect my CKAN instance with mod_security2?
> It seems that my CKAN is not affected by mod_security2.
> I've tried appending like http://myckan/folder?abc=/../../test
> And I don't see in log that the access was denied.
>
> Interestingly, the other website on the same server was noticing
> mod_security:
> http://my_mediawiki/folder/?abc=/../../test
> The log captured mod_security in action.
>
> Hope to hear from you soon.
> Thanks,
> Eli Agbayani
>
>

-------------- next part --------------

WSGISocketPrefix /var/run/wsgi
<VirtualHost xx.xxx.xxx.xx:5000>
    ServerName opendata.eol.org
    ServerAlias https://opendata.eol.org

    WSGIScriptAlias / /etc/ckan/default/apache.wsgi
  
    # Pass authorization info on (needed for rest api).
    WSGIPassAuthorization On

    # Deploy as a daemon (avoids conflicts between CKAN instances).
    WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15

    WSGIProcessGroup ckan_default

    # Add this to avoid Apache show error:
    # "AH01630: client denied by server configuration: /etc/ckan/default/apache.wsgi"
    <Directory /etc/ckan/default/>
        Order allow,deny
        Allow from all
        # New directive needed in Apache 2.4.3:
        Require all granted
    </Directory>

    ErrorLog /var/log/httpd/ckan_default.error.log
    CustomLog /var/log/httpd/ckan_default.custom.log combined

</VirtualHost>

