Fix workaround for HTTPoxy vulnerability

Three issues with the previous solution: * `Header unset` instead of `RequestHeader unset` * No check for mod_headers being installed * No alternative for when mod_headers is not installed (this still requires the mod_security module, but that's the best I could do)
2017-02-12 01:36:42 +01:00 · 2017-02-12 01:36:42 +01:00 · 569e3a3b5e
parent 70a765a2c8
commit 569e3a3b5e
1 changed files with 7 additions and 1 deletions
--- a/.htaccess
+++ b/.htaccess
@ -10,7 +10,13 @@
 </IfModule>

 # Fix for https://httpoxy.org vulnerability
-Header unset Proxy
+<IfModule mod_headers.c>
+  RequestHeader unset Proxy
+</IfModule>
+<IfModule mod_security.c>
+  SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
+</IfModule>
+

 <IfModule mod_rewrite.c>
  RewriteEngine on