

Messages - hilo

1
Mod_Security / Re: Excluded rule for a domain is ignored
« on: March 31, 2023, 12:36:36 PM »
Yes, I used the OWASP ruleset, which is the only one allowed through the free version of CWP. But never mind, thanks for your help; I finally restarted from scratch and installed another panel which better meets my needs...

2
Mod_Security / Excluded rule for a domain is ignored
« on: March 27, 2023, 09:09:39 PM »
I encounter a blockage with an MP4 file associated with an embedded video player.

Looking in the Apache error log, it's about a ModSecurity rule. So, I tried to exclude the rule concerned from CWP (Security/ModSecurity/Domains/<concerned_domain>/Edit Rules), but every time I saved the file, despite the message "success", it was not there (empty text area when I opened it again).

So, I took a look on disk and the path indicated by CWP didn't exist: /usr/local/apache/conf/userdata/<user>/<domain>/modsec.conf. Then, I created the path and repeated the operation from within CWP... And this time, the file modsec.conf was indeed created when I clicked the save button.

But, even after a restart of Apache, the exclusion is ignored; same error!

At this stage, I wonder if it's because the file is in the wrong location (but CWP found it for editing), if it's because I have to include modsec.conf at some point in a parent .conf file, if it's due to a mistake in my syntax, or a known issue with ModSec or CWP...

Here is the error (anonymized):
Code:
[Mon Mar 27 22:22:52.425976 2023] [:error] [pid 1008302:tid 140528217736960] [client 2a02:842b:853b:f90a:f020:63132] [client 2a02:842b:fc87:f90a:f020] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "foobar.tld"] [uri "/vid/intro.mp4"] [unique_id "ZCH7HJJr-iBQGILntBDpjAAAAIo"], referer: https://foobar.tld/
Here is /usr/local/apache/conf/userdata/dummy/foobar.tld/modsec.conf:
Code:
# Prevent OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ on /vid/intro.mp4
SecRuleRemoveById 958291

And my context: CWP7, Apache 2.4, AlmaLinux 8.7.

What do you think?
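As an added example (not code from the thread, nor CWP's own), here is a small Python helper covering the two doubts raised above: it parses the ModSecurity error-log line into its fields, checks whether a per-domain file such as the modsec.conf above is reached by any Include/IncludeOptional pattern of an httpd.conf fragment, and emits an exclusion limited to the /vid/ prefix with ctl:ruleRemoveById rather than a blanket SecRuleRemoveById. The log line and the httpd.conf fragment are constructed samples (the fragment is not CWP's real layout), and the exclusion id 10000 is a placeholder.

```python
import fnmatch
import os
import re

# Constructed sample: an abbreviated copy of the anonymized error-log line quoted above.
SAMPLE_LINE = (
    '[Mon Mar 27 22:22:52.425976 2023] [:error] [pid 1008302:tid 140528217736960] '
    '[client 2a02:842b:fc87:f90a:f020] ModSecurity: Access denied with code 403 (phase 2). '
    'String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/usr/local/apache/'
    'modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] '
    '[line "428"] [id "958291"] [msg "Range: field exists and begins with 0."] '
    '[data "bytes=0-"] [ver "OWASP_CRS/2.2.9"] [hostname "foobar.tld"] '
    '[uri "/vid/intro.mp4"], referer: https://foobar.tld/'
)
# Constructed httpd.conf fragment (not CWP's real layout): the per-domain file is only
# read if some Include/IncludeOptional pattern reaches it.
SAMPLE_HTTPD_CONF = """
Include conf/modsecurity.conf
IncludeOptional conf/userdata/*/*/*.conf
"""
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENY_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')

def parse_modsec_line(line):
    """Turn one ModSecurity error-log line into a dict of its [key "value"] fields."""
    fields = dict(FIELD_RE.findall(line))
    m = DENY_RE.search(line)
    if m:
        fields["status"], fields["phase"] = m.group(1), m.group(2)
    return fields

def scoped_exclusion(fields, exclusion_id=10000):
    """ModSecurity v2 exclusion limited to the URI directory that triggered the hit.
    Phase 1 so it runs before the phase-2 CRS rule it disables; exclusion_id is a placeholder."""
    prefix = os.path.dirname(fields["uri"]).rstrip("/") + "/"
    return (
        f'# Disable CRS rule {fields["id"]} ({fields["msg"]}) only under {prefix}\n'
        f'SecRule REQUEST_URI "@beginsWith {prefix}" '
        f'"id:{exclusion_id},phase:1,pass,nolog,ctl:ruleRemoveById={fields["id"]}"'
    )

def is_included(httpd_conf, server_root, path):
    """True if any Include/IncludeOptional glob in httpd_conf matches path. Relative patterns
    resolve against ServerRoot as Apache does; fnmatch's * also matches '/', so it is lenient."""
    for line in httpd_conf.splitlines():
        m = re.match(r'\s*Include(?:Optional)?\s+"?([^"\s]+)"?', line)
        if m and fnmatch.fnmatch(path, os.path.join(server_root, m.group(1))):
            return True
    return False
```

On a live host the same inclusion check can be made against the effective configuration with `httpd -t -D DUMP_INCLUDES` (recent Apache 2.4 releases), which lists every file Apache actually reads.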

3
SSL / Re: Unable to install AutoSSL with IPv6 only
« on: March 27, 2023, 02:38:04 PM »
Just an additional point that could help someone one day... I made a mistake: certbot doesn't create a cron job for renewal but has its own service.

So, I checked it using
Code:
systemctl list-timers --all
And saw that it's indeed there but inactive. I don't know if it's the normal behavior, but I fixed this by running:
Code:
sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer

4
SSL / Re: Unable to install AutoSSL with IPv6 only
« on: March 27, 2023, 11:14:51 AM »
Solved!

I couldn't say exactly what was wrong, but I finally created the LE certificate using https://github.com/bikram990/certbot-dns-dynu (my DNS provider being Dynu), then inserted it manually in the right vhost conf.

Maybe a hint: once, I had to log out of CWP's admin board and after re-login, I got a warning asking me if I would like to fix the httpd in use (I didn't save the exact message, but something saying there was confusion between two configurations). Of course, I clicked the fix link :)

In the end, I don't know if CWP would now be able to generate an AutoSSL certificate, but it's done manually and the way I followed added the needed cron jobs for renewal.

The only drawback I see is that this certificate doesn't appear in the CWP list... Is there something to do so that CWP detects this certificate which was installed by hand? Of course, the certificate files are not in a standard location, but maybe CWP could scan the vhost conf files and display their existence in some way on the GUI, even if CWP is not in charge of renewing it anymore. What do you think?

5
SSL / Re: Unable to install AutoSSL with IPv6 only
« on: March 26, 2023, 02:08:25 PM »
Thanks again overseer, I'll read all of this religiously. In the meantime, I'm trying to manage the DNS-01 challenge; at this time, I found the certbot plugin for my DNS provider, but I encounter a credentials/token issue against their API, so I pushed a ticket to their support...

6
SSL / Re: Unable to install AutoSSL with IPv6 only
« on: March 25, 2023, 09:18:45 PM »
OK, thanks overseer, I'll answer point by point:

- Yes, it's fully compliant: the website is well reached on HTTP and all tests passed (Apache is well listening on [::]:80 and [::]:443)
- I created the domain through CWP, then just added the "Listen" directive and changed the VirtualHost block's ports for [::]
- Self-signed, I don't know if it works (didn't try), but I guess if LE exists it's because it's better than a self-signed one, no?
- OK, I keep Cloudflare in mind: just now, https only, but very soon I'll need mail and ftp, yes, certainly...
- Paying certs: hmm, I have ones for other websites which are not self-hosted, but the ones I would like to host are there to stay free.

But a last question remains (maybe the main one): why did LE's team say it's IPv6-only compliant since 2016, while it's not at the validation stage? Does it mean it's working afterward, but we need IPv4 during the creation? It sounds a bit confusing to me...

7
SSL / Unable to install AutoSSL with IPv6 only
« on: March 25, 2023, 07:01:06 PM »
Hello,

My first post here, and new to CWP too. Well, here is my context:

- My ISP is using CGNAT, so I can't do port forwarding on IPv4. So, I did it on IPv6, redirecting ports 80 & 443 to my server.
- The server runs Apache 2.4 on AlmaLinux 8.7 x86_64
- My domain (say "foo.tld") is defined as an add-on of a user through CWP 7
- I'm using a DDNS service for foo.tld, defining an AAAA record only, pointing to the server's IPv6 (i.e. no A record for IPv4).
- The domain is well registered at a registrar pointing the name servers of the DDNS provider.

This way, the website is well reachable through http:// and the next step is https://. So, I tried to install an AutoSSL (LE) certificate, but it fails with this error: "DNS of your domain doesn't point to this server or you have htaccess restrictions".

At this point, I understand that LE wants an IPv4, while I read here and there (e.g. https://github.com/letsencrypt/boulder/issues/593 and https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/60) that Let's Encrypt has supported IPv6-only domains since 2016. So, what? Did I make a mistake at some point?

Of course, I tried to add an A record, but it fails too since there's no way to reach my server behind the box-router on the public IPv4.

Is there a way to create this AutoSSL certificate in this context (and will renewal work)? Or what's the alternative (staying IPv6-only; not using VPN/tunnelling with port forwarding on IPv4)?

And a last question (I'm not used to this): would a self-signed certificate do the job the same way as an LE certificate?

I need your enlightened help ;)
