ModSecurity: Allowing Google Verification

by Mike on April 24, 2010

in Web Server

Google Webmaster Tools is a valuable resource for understanding your web site and how to manage it correctly.  Another tool that is extremely helpful from the security end is ModSecurity.  However, often when you install ModSecurity it ends up blocking Webmaster Tools as the verification page is not available by default. ModSecurity is a great tool for protecting your web server but just like SELinux, it often creates roadblocks to use in day to day operations.  Now there are two responses to the roadblocks, disable the security or fight your way through it.   The solution is to write a rule to solve the problem.

Here is an example of the google verification page being denied.  Some of the log data has been removed to enhance readability.  When you view the modsec_audit.log you will see something like what you see below.  The “–c2fc3a4b-A–” of the log shows that “GET /google39udjjm72jkjdxs89.html HTTP/1.1″ is an attempt to read your google page verifier and then you see the host “Host: example.com”.  The next section of the log “–c2fc3a4b-F–” shows that access is forbidden “HTTP/1.1 403 Forbidden”.  Finally you can see in the log section “–c2fc3a4b-H–” that it was stopped in phase 4 “Action: Intercepted (phase 4)”

Other ModSecurity Information
How Good is Modsecurity
ModSecurity Getting Started
robots.txt
Apache Course

–c2fc3a4b-A–
[17/Apr/2010:09:07:38 --0500] QBeoc0Wvb-oAAEneDGcAAAAM 192.168.3.4 44613 69.175.111.250 80
–c2fc3a4b-B–
GET /google39udjjm72jkjdxs89.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010033100 Iceweasel/3.0.6 (Debian-3.0.6-3)

–c2fc3a4b-F–
HTTP/1.1 403 Forbidden
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

–c2fc3a4b-H–
Action: Intercepted (phase 4)
Stopwatch: 1271513258371187 2779 (882 2324 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5.

–c2fc3a4b-Z–

Solution to Allow the Google Site Verifier
The solution is to add a line in your /modsecurity_crs_15_customrules.conf to allow access to this page and then restart apache.  The SecRule creates a rule that will allow connections to the specific URL that google has supplied you with.  The hash after “google” will be different on each site.

SecRule REQUEST_URI “^/google39udjjm72jkjdxs89.html” “allow”

Previous post:

Next post: