HTTPd - Reverse proxy configuration

ModSecurity behaves differently when it is embedded in the application server than when it runs on a reverse proxy in front of an external backend via mod_proxy.

Compression

If you are serving compressed content from your backend, you will see a lot of intermittent false positives, including matches against script tags. This is because the rules see what looks like an opening tag in the compressed data stream. To overcome this, you will need to set the following option:

SecDisableBackendCompression on

The default for SecDisableBackendCompression is off. You only need this when connecting to a backend that has compressed responses. For uncompressed servers it’s not needed. If you are using mod_security on the application server it will inspect the content before compression takes place, so you won’t need it for embedded mode either.
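
A reverse-proxy virtual host with the directive in context, as an added example that is not part of the original page. The host names, backend address and MIME type list are assumptions, and the mod_deflate block is an optional extra that compresses responses to the client after they have been inspected.

```apache
# Added example: host names and the backend address are placeholders.
<VirtualHost *:80>
    ServerName www.example.com

    # Forward all requests to the backend application server (assumed address).
    ProxyPass        "/" "http://backend.example.internal:8080/"
    ProxyPassReverse "/" "http://backend.example.internal:8080/"

    <IfModule security2_module>
        SecRuleEngine On

        # Response rules only run when response bodies are buffered for inspection.
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/plain text/html text/xml

        # Off (the default): the backend may answer with compressed content
        # and the rules run against the compressed byte stream.
        # On: backend compression is disabled, so the rules inspect the
        # actual markup returned by the backend.
        SecDisableBackendCompression On
    </IfModule>

    # Optional: compress on the way out to the client, so that only the
    # proxy-to-backend hop carries uncompressed responses.
    # On Apache 2.4, AddOutputFilterByType is provided by mod_filter.
    <IfModule deflate_module>
        AddOutputFilterByType DEFLATE text/html text/plain text/xml
    </IfModule>
</VirtualHost>
```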

Variables

Some variables are not available when using a reverse-proxy configuration. These include:

  • AUTH_TYPE

  • REMOTE_USER

  • SCRIPT_BASENAME

  • SCRIPT_FILENAME

  • SCRIPT_GID

  • SCRIPT_GROUPNAME

  • SCRIPT_MODE

  • SCRIPT_UID

  • SCRIPT_USERNAME

If you look at the documentation for ModSecurity, it should be really obvious why these aren’t available when proxying - all of these values belong to the backend server.