[CKAN-Security] ckan and mod_security2

Eli Agbayani eagbayani at eol.org
Thu Sep 26 14:53:11 UTC 2019

Dear security at ckan.org,
Just following up on this.
I attached my current ckan_default.conf. So you can check as well.

On Mon, Sep 23, 2019 at 12:22 PM Eli Agbayani <eagbayani at eol.org> wrote:

> Hi,
> How can I install mod_security for my CKAN.
> I followed this tutorial:
> https://tecadmin.net/install-modsecurity-with-apache-on-centos-rhel/
> And installed successfully.
> But my CKAN instance is not affected by it.
> I've now installed apache mod_security2. And it is now enabled.
> *SecRuleEngine On*
> But how do I connect my CKAN instance with mod_security2 ?
> It seems that my CKAN is not affected by mod_security2.
> I've tried appending like http://myckan/folder?abc=/../../test
> And I don't see in log that the access was denied.
> Interestingly the other website in the same server was noticing the
> mod_security
> http://my_mediawiki/folder/?abc=/../../test
> The log captured the mod_security in action.
> Hope to hear from you soon.
> Thanks,
> Eli Agbayani

You received this message because you are subscribed to the Google Groups "CKAN Security" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security+unsubscribe at ckan.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190926/61cab478/attachment-0001.html>
-------------- next part --------------

WSGISocketPrefix /var/run/wsgi
<VirtualHost xx.xxx.xxx.xx:5000>
    ServerName opendata.eol.org
    ServerAlias https://opendata.eol.org

    WSGIScriptAlias / /etc/ckan/default/apache.wsgi
    # Pass authorization info on (needed for rest api).
    WSGIPassAuthorization On

    # Deploy as a daemon (avoids conflicts between CKAN instances).
    WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15

    WSGIProcessGroup ckan_default

    # Add this to avoid Apache show error:
    # "AH01630: client denied by server configuration: /etc/ckan/default/apache.wsgi"
    <Directory /etc/ckan/default/>
        Order allow,deny
        Allow from all
        # New directive needed in Apache 2.4.3:
        Require all granted

    ErrorLog /var/log/httpd/ckan_default.error.log
    CustomLog /var/log/httpd/ckan_default.custom.log combined


More information about the Security mailing list