Rewrite: Block UserAgent not working

Alles, was den Apache betrifft, kann hier besprochen werden.

Rewrite: Block UserAgent not working

Postby christianmolecki » 19. July 2019 09:34

Hello,

I would like to block the UserAgent "Microsoft Office Protocol Discovery".
My RewriteRule looks like:

Code: Select all
<VirtualHost *:443>
...
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Protocol\ Discovery
RewriteRule . - [R=403,L]
...
</VirtualHost>


But its not working. Can you find the error?
christianmolecki
 
Posts: 5
Joined: 14. December 2017 10:58
Operating System: SLES

Re: Rewrite: Block UserAgent not working

Postby Nobbie » 19. July 2019 10:45

Spaces should be embedded in quotes:

Code: Select all
RewriteCond "%{HTTP_USER_AGENT}" "Microsoft Office Protocol Discovery"
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: Rewrite: Block UserAgent not working

Postby christianmolecki » 22. July 2019 13:46

Thats also not working.
Code: Select all
RewriteEngine On
RewriteCond "%{HTTP_USER_AGENT}" "Microsoft Office Protocol Discovery"
RewriteRule . - [R=403,L]


... - - [22/Jul/2019:14:26:36 +0200] "OPTIONS ... HTTP/1.1" 500 - "-" "Microsoft Office Protocol Discovery"
... - - [22/Jul/2019:14:26:36 +0200] "OPTIONS ... HTTP/1.1" 500 - "-" "Microsoft Office Protocol Discovery"
christianmolecki
 
Posts: 5
Joined: 14. December 2017 10:58
Operating System: SLES

Re: Rewrite: Block UserAgent not working

Postby Nobbie » 22. July 2019 16:20

I think we do not see the full configuration here, as there is an invalid "OPTIONS" clause the reason for error 500 (mostly syntax error). I cannot see any OPTIONS clause here. You are doing something wrong.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: Rewrite: Block UserAgent not working

Postby christianmolecki » 23. July 2019 09:12

This is httpd.conf

Code: Select all
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.

# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://en.opensuse.org/SDB:Apache_installation


# Overview of include files, chronologically:
#
# httpd.conf
#  |
#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
#  |-- loadmodule.conf . . . . . . . . . . .  [*] load these modules
#  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
#  |-- global.conf . . . . . . . . . . . . .  [*] server-wide general settings
#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
#  |-- mod_reqtimeout.conf . . . . . . . . .  set timeout and minimum data rate for receiving requests
#  |-- mod_cgid-timeout.conf . . . . . . . .  set CGIDScriptTimeout if mod_cgid is loaded/active
#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
#  |
#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
#
#
# Files marked [*] are NOT read when server is started via systemd service. When server
# is started via service, defaults from /etc/sysconfig/apache2 are taken into account.
#



#  Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
#  |-- conf.d/
#  |   |-- apache2-manual.conf . . . . . . .  conf that comes with apache2-doc
#  |   |-- mod_php4.conf . . . . . . . . . .  (example) conf that comes with apache2-mod_php4
#  |   `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
#  |-- default-server.conf
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
#  |-- global.conf
#  |-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
#      |-- vhost-ssl.template
#      `-- vhost.template



### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.

# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#ErrorLog /var/log/apache2/error_log

# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
<IfDefine !SYSCONFIG>
  Include /etc/apache2/loadmodule.conf
</IfDefine>

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from default values of global settings in /etc/sysconfig/apache2
<IfDefine !SYSCONFIG>
  Include /etc/apache2/global.conf
</IfDefine>

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# mod_reqtimeout protects the server from the so-called "slowloris"
# attack: The server is not swamped with requests in fast succession,
# but with slowly transmitted request headers and body, thereby filling up
# the request slots until the server runs out of them.
# mod_reqtimeout is lightweight and should deliver good results
# with the configured default values. You shouldn't notice it at all.
Include /etc/apache2/mod_reqtimeout.conf

# Fix for CVE-2014-0231 introduces new configuration parameter
# CGIDScriptTimeout. This directive and its effect prevent request
# workers to be eaten until starvation if cgi programs do not send
# output back to the server within the timout set by CGIDScriptTimeout.
Include /etc/apache2/mod_cgid-timeout.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    <IfModule !mod_access_compat.c>
        Require all granted
    </IfModule>
    <IfModule mod_access_compat.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

# use .htaccess files for overriding,
#AccessFileName .htaccess
# and never show them
#<Files ~ "^\.ht">
#    <IfModule !mod_access_compat.c>
#        Require all denied
#    </IfModule>
#    <IfModule mod_access_compat.c>
#        Order allow,deny
#        Deny from all
#    </IfModule>
#</Files>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var

### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf


### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
IncludeOptional /etc/apache2/vhosts.d/*.conf


# Note: instead of adding your own configuration here, consider
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in
#       /etc/sysconfig/apache2 -- this will make system updates
#       easier :)

LoadModule proxy_module        /usr/lib64/apache2-prefork/mod_proxy.so
LoadModule proxy_ajp_module    /usr/lib64/apache2-prefork/mod_proxy_ajp.so

LoadModule status_module       /usr/lib64/apache2-prefork/mod_status.so
LoadModule rewrite_module      /usr/lib64/apache2-prefork/mod_rewrite.so
LoadModule headers_module      /usr/lib64/apache2-prefork/mod_headers.so


User wwwrun
Group www

Timeout 600
ProxyTimeout 600
HostNameLookups Off

ErrorLog /web/apache2/errorlog/apache-error.log
DocumentRoot /web/apache2/htdocs

ServerName mydomain.com

Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"


<VirtualHost *:80>

   CustomLog /web/apache2/accesslog/apache-access.log combined

   <Location /server-status>
      SetHandler server-status
      require ip ...
      require all denied
   </Location>


   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteCond %{REQUEST_URI} !/server-status
   RewriteRule (.*) https://mydomain.com$1 [R=301,L]

   ErrorDocument 401 /401.html
   ErrorDocument 403 /403.html
   ErrorDocument 404 /404.html
   ErrorDocument 500 /50x.html
   ErrorDocument 501 /50x.html
   ErrorDocument 502 /50x.html
   ErrorDocument 503 /50x.html
   ErrorDocument 506 /50x.html

</VirtualHost>


<VirtualHost *:443>

   CustomLog /web/apache2/accesslog/apache-access.log combined

   SSLEngine On
   SSLCertificateKeyFile "/etc/apache2/cert/private.key"
   SSLCertificateFile "/etc/apache2/cert/certificate.crt"
   

   RewriteEngine On   
   RewriteCond "%{HTTP_USER_AGENT}" "Microsoft Office Protocol Discovery"
   RewriteRule . - [R=403,L]


   ProxyPass /app ajp://127.0.0.1:8009/app
   ProxyPassReverse /app ajp://127.0.0.1:8009/app

   ProxyPass /app1 ajp://127.0.0.1:8009/app1
   ProxyPassReverse /app1 ajp://127.0.0.1:8009/app1

   ProxyPass /app2 ajp://127.0.0.1:8009/app2
   ProxyPassReverse /app2 ajp://127.0.0.1:8009/app2

   ErrorDocument 401 /401.html
   ErrorDocument 403 /403.html
   ErrorDocument 404 /404.html
   ErrorDocument 500 /50x.html
   ErrorDocument 501 /50x.html
   ErrorDocument 502 /50x.html
   ErrorDocument 503 /50x.html
   ErrorDocument 506 /50x.html

</VirtualHost>
christianmolecki
 
Posts: 5
Joined: 14. December 2017 10:58
Operating System: SLES

Re: Rewrite: Block UserAgent not working

Postby Nobbie » 23. July 2019 10:17

There is a problem with that Microsoft "thing" (i have no idea what it is and what it does), i found this very helpfully posting:

http://jgoldhammer.github.io/alfresco-m ... discovery/

Maybe your redirect still does not work for some reason, you should also test "Microsoft Office Existence Discovery" etc. , i cannot test it here, i dont have your environment. Its on you to find out, why the OPTIONS Header still reaches the server. Or (what i would do) simply check only for "Microsoft Office" in the User Agent TAG. This covers all cases:

Code: Select all
RewriteCond "%{HTTP_USER_AGENT}" "Microsoft Office"


P.S.: I just got another idea - the Rewrite actually works! The problem is, you cannot redirect with Code 403, because then Apache tries to execute the HTTP Request and deliver the ErrorDocument 403 (instead of the requested document). But as the OPTIONS Header is invalid from the Microsoft Office thing, this results in an Error 500. You actually should redirect with Code 501 as given in the Link above.
Nobbie
 
Posts: 13171
Joined: 09. March 2008 13:04

Re: Rewrite: Block UserAgent not working

Postby christianmolecki » 23. July 2019 10:37

Thanks for the linked posting.
Now this works for me.

Code: Select all
<Location /app/styles/>

                RewriteEngine On
                RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PROPFIND|HEAD)$ [NC]
                RewriteCond %{HTTP_USER_AGENT} ^Microsoft\ Office\ Protocol\ Discovery
                RewriteRule .* - [R=403,L]
        </Location>


... - - [23/Jul/2019:11:32:39 +0200] "OPTIONS /app/styles/ HTTP/1.1" 403 26216 "-" "Microsoft Office Protocol Discovery"


Thanks for your help.
christianmolecki
 
Posts: 5
Joined: 14. December 2017 10:58
Operating System: SLES


Return to Apache

Who is online

Users browsing this forum: No registered users and 21 guests