我在modsecurity中有很多规则,但是如果主机在SSL https://SERVER_IP中是数字,则这些规则都无效,我得到以下响应:


  400错误的请求没有发送必需的SSL证书


我的SSL仅对我的域名有效,但是modsecurity不能正常工作吗?因为任何请求都要先通过modsecurity才能转到应用程序之类。

题:

1-我该如何解决?

2-为什么modsecurity不起作用,如果我不修复它,我会感到很沮丧吗?

这是我的nginx.conf:

load_module modules/ngx_http_modsecurity_module.so;

user nobody;
worker_processes 1;
error_log               /var/log/nginx/error.log error;
pid                     /var/run/nginx.pid;

events {
    worker_connections  5000;
    use                 epoll;
    multi_accept        on;

}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    client_header_timeout 20s;
    client_body_timeout 20s;
    client_max_body_size 20m;
    client_header_buffer_size 6k;
    client_body_buffer_size 128k;
    large_client_header_buffers 2 2k;

    send_timeout 10s;
    keepalive_timeout 30 30;
    reset_timedout_connection       on;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    ignore_invalid_headers on;
    connection_pool_size 256;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;

    include mime.types;
    default_type application/octet-stream;

    # SSL Settings
    ssl_certificate         /etc/nginx/ssl/cf_cert.pem;
    ssl_certificate_key     /etc/nginx/ssl/cf_key.pem;
    ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 5;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_protocols       TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_buffer_size 4k;

    # Logs
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    access_log off;

    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }

    etag off;
    server_tokens off;

    # Headers
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options deny always;

    server {
        listen 443 ssl http2;
        server_name domain.com;

        root /home/user/public_html;
        index index.php index.html;

        access_log /var/log/domain/domain.com.bytes bytes;
        access_log /var/log/domain/domain.com.log combined;
        error_log /var/log/domain/domain.com.error.log warn;

        location / {
            location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {
                expires max;
            }

            location ~ [^/]\.php(/|$) {
                try_files $uri =404;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass    unix:/opt/alt/php-fpm73/usr/var/sockets/user.sock;
                fastcgi_index   index.php;
                include         /etc/nginx/fastcgi_params;
            }
        }
    }
}

最佳答案

简而言之:这与modsecurity无关。

您的服务器配置要求客户端发送客户端证书。如果客户端未发送此类证书,则TLS握手将失败-这是您看到的错误。

modsecurity仅在HTTP级别分析应用程序数据。使用HTTPS,首先需要成功完成TLS握手,然后再交换任何应用程序数据。由于在这种情况下TLS握手由于客户端未发送证书而失败,因此在交换任何HTTP数据之前(因此在使用modsecurity之前)将关闭连接。

关于security - 如果未发送所需的SSL证书,则modsecurity不起作用,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/56534780/

10-14 15:02