Original by a ChinaUnix member; when reposting, credit ChinaUnix.net and the original author.

Appendix A: Recommended Configuration

Below is the recommended minimal mod_security configuration. It is only a starting point, designed to spare you acute headaches. You should review it and make it stricter wherever possible.

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
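The three SecFilterSelective rule groups above are easiest to understand by running them. The following Python is an added example, not part of the manual or of mod_security itself: it re-implements their matching semantics (a leading "!" negates the regex, and every filter in a chain must match before the deny action fires) over a few constructed requests. The RULES table copies the patterns from the appendix; the helper names are our own.

```python
import re

# Rule groups copied from the appendix. Each group is a chain of
# (mod_security variable, pattern); the group fires only if every
# filter in it matches. The group names are ours, for reporting.
RULES = [
    # Non-GET/HEAD request whose Content-Type we do not know how to parse
    ("unknown request encoding", [
        ("REQUEST_METHOD", r"!^(GET|HEAD)$"),
        ("HTTP_Content-Type",
         r"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"),
    ]),
    # POST without a Content-Length header
    ("POST without Content-Length", [
        ("REQUEST_METHOD", r"^POST$"),
        ("HTTP_Content-Length", r"^$"),
    ]),
    # Any Transfer-Encoding header at all (single, unchained rule)
    ("transfer encoding present", [
        ("HTTP_Transfer-Encoding", r"!^$"),
    ]),
]

def variable(request, name):
    """Resolve a mod_security 1.x variable name against a constructed request.
    A missing header yields "", which is exactly what makes ^$ match."""
    if name == "REQUEST_METHOD":
        return request["method"]
    if name.startswith("HTTP_"):
        return request["headers"].get(name[5:].lower(), "")
    raise KeyError(name)

def filter_matches(value, pattern):
    """SecFilterSelective semantics: a leading '!' negates the regex match."""
    negate = pattern.startswith("!")
    matched = re.search(pattern.lstrip("!"), value) is not None
    return matched != negate

def evaluate(request):
    """Return the name of the first rule group whose whole chain matches
    (the request would be denied with 403), or None if it is accepted."""
    for name, chain in RULES:
        if all(filter_matches(variable(request, var), pat) for var, pat in chain):
            return name
    return None

def make_request(method, **headers):
    # Constructed request; header names are lower-cased so lookups are
    # case-insensitive, as in HTTP (Content_Type -> content-type).
    hdrs = {k.replace("_", "-").lower(): v for k, v in headers.items()}
    return {"method": method, "headers": hdrs}
```

Note that a GET carrying "text/html" as its Content-Type passes, which is the exemption the comment in the appendix describes, while a POST of application/json is rejected because the first chain only admits the two form encodings.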