That's not the point. I hardly want to have multiple firewall instances everywhere, while it should be trivial to specify which HTTP versions are valid in a request.

IMHO the server should only accept known protocol versions which it can properly handle at all, and IMHO mod_security is also only a workaround for httpd.

On 09.07.2013 14:00, Igor Galić wrote:
> Have you looked into IronBee? It's developed by the same
> people as mod_security, but is conceived as multi-server.
>
> https://www.ironbee.com/
>
> ----- Original Message -----
>> Hi
>>
>> is there an option to deny invalid HTTP versions?
>> _______________________________________
>>
>> telnet proxy 80
>> GET / HTTP/2.1
>> host: www.test.rh
>> _______________________________________
>>
>> the test above leads to a 200 result
>> this is hardly a serious client connection
>>
>> the backend server would not allow it by mod_security
>> is there a way to deny it also on trafficserver?
>>
>> SecRule REQUEST_PROTOCOL ^http/0.7$ "id:'128',t:lowercase,block,msg:'HTTP/0.7 Request Detected'"
>> SecRule REQUEST_PROTOCOL ^http/0.8$ "id:'129',t:lowercase,block,msg:'HTTP/0.8 Request Detected'"
>> SecRule REQUEST_PROTOCOL ^http/0.9$ "id:'130',t:lowercase,block,msg:'HTTP/0.9 Request Detected'"
>> SecRule REQUEST_PROTOCOL ^http/1.2$ "id:'131',t:lowercase,block,msg:'HTTP/1.2 Request Detected'"
>> SecRule REQUEST_PROTOCOL ^http/1.3$ "id:'132',t:lowercase,block,msg:'HTTP/1.3 Request Detected'"
>> SecRule REQUEST_PROTOCOL ^http/2.0$ "id:'133',t:lowercase,block,msg:'HTTP/2.0 Request Detected'"
>> SecRule REQUEST_PROTOCOL ^http/2.1$ "id:'134',t:lowercase,block,msg:'HTTP/2.1 Request Detected'"
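An added example, not part of the original thread and not Traffic Server or mod_security code: a Python model of the allowlist check the reply argues for, next to a model of the enumerated block rules quoted above, run over constructed request lines. The function names, the 400/505/403 status choices and the sample inputs are assumptions made for illustration.

```python
import re

# Assumption: the only versions this front end is prepared to handle.
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}

# Versions named by the block rules quoted in the thread (ids 128-134).
BLOCKED_VERSIONS = {"http/0.7", "http/0.8", "http/0.9", "http/1.2",
                    "http/1.3", "http/2.0", "http/2.1"}

# method SP request-target SP HTTP-version: exactly three tokens, single spaces.
REQUEST_LINE = re.compile(r"([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) (\S+)")
# HTTP-version syntax: case-sensitive name, one digit on each side of the dot.
VERSION_SYNTAX = re.compile(r"HTTP/[0-9]\.[0-9]")


def check_allowlist(request_line: str) -> int:
    """Status to answer before proxying; 0 means forward the request."""
    m = REQUEST_LINE.fullmatch(request_line.rstrip("\r\n"))
    if m is None:
        return 400          # not a well-formed request line
    version = m.group(3)
    if not VERSION_SYNTAX.fullmatch(version):
        return 400          # e.g. "http/1.1", "HTTP/1.10", "HTTP/1"
    if version not in ALLOWED_VERSIONS:
        return 505          # well-formed, but a version we do not implement
    return 0


def check_blocklist(request_line: str) -> int:
    """Model of the enumerated rules: only the listed versions are blocked."""
    version = request_line.rstrip("\r\n").split(" ")[-1].lower()  # t:lowercase
    # 403 stands in for whatever the configured "block" action returns.
    return 403 if version in BLOCKED_VERSIONS else 0


# Constructed sample request lines (not captured traffic).
SAMPLES = ["GET / HTTP/1.1", "GET / HTTP/2.1", "GET / HTTP/3.7",
           "GET / HTTP/1.5", "GET / http/1.1", "GET / HTTP/1.1 junk"]


def compare(samples=SAMPLES):
    """Return (line, allowlist_status, blocklist_status) for each sample."""
    return [(s, check_allowlist(s), check_blocklist(s)) for s in samples]


if __name__ == "__main__":
    for line, allow, block in compare():
        print(f"{line!r:26} allowlist={allow:<3} blocklist={block}")
```

The enumerated rules pass `HTTP/3.7` and `HTTP/1.5` because nobody listed them, while the allowlist rejects every version it was not told to accept.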
