I am building a mod_security firewall with a proxy to a number of websites. I want to apply specific rules to only one domain; those rules will not be applicable to other domains.
Example :
SecGeoLookupDb /home/ec2-user/cndata/GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block India IP address'"
SecRule GEO:COUNTRY_CODE "@streq IN"
I want to apply the above rule to only one sub-domain/domain, not other domains. How can I achieve it? Please help.
Several ways:
For option 2 the new rule could look like this:
SecRule REMOTE_ADDR "@geoLookup" "chain,id:20,drop,msg:'Block India IP address'"
SecRule GEO:COUNTRY_CODE "@streq IN" "chain"
SecRule SERVER_NAME "subdomain.example.com"
Note that SERVER_NAME is set by the incoming request, so there's nothing stopping an attacker faking this (or not sending it at all), though I'm guessing that if it is not set correctly then the request won't be routed past the proxy properly anyway.
You can also use regular expressions here, for example to add multiple server names to the last part of the rule:
SecRule SERVER_NAME "@rx subdomain[1-9]\.example\.com"
Or
SecRule SERVER_NAME "@rx ^(subdomain|subdomain2)\.example\.com$"
Note: not checked these regexprs wrong on first attempt but hopefully gives you the idea anyway.
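An added example (not part of the original answer) for checking a host-scoping pattern offline before it goes into the last rule of the chain. It uses Python's `re` and assumes ModSecurity's default regex operator searches for the pattern anywhere in SERVER_NAME; the host names and pattern labels are constructed for illustration.

```python
import re

# Constructed sample SERVER_NAME values (not from the original post).
HOSTS = [
    "subdomain.example.com",
    "subdomain2.example.com",
    "subdomain3.example.com",
    "subdomainX.example.com",
    "subdomain2xexample.com",            # another character where the dot belongs
    "subdomain2.example.com.evil.test",  # intended name used only as a prefix
    "www.example.com",
]

# Candidate patterns, written exactly as the regex operator would receive them.
PATTERNS = {
    "wrapped in /.../ delimiters": r"/^(subdomain|subdomain2).example.com$/",
    "anchored, dots unescaped": r"^(subdomain|subdomain2).example.com$",
    "unanchored, dots escaped": r"subdomain[1-9]\.example\.com",
    "anchored, dots escaped": r"^(subdomain|subdomain2)\.example\.com$",
}


def rx_matches(pattern, hosts=HOSTS):
    """Return the hosts selected by an unanchored search for `pattern`."""
    rx = re.compile(pattern)
    return [h for h in hosts if rx.search(h)]


def report():
    """Map each pattern label to the hosts the chained rule would apply to."""
    return {label: rx_matches(p) for label, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:30} -> {hits or 'no host matches: rule never fires'}")
```

A pattern that selects no host leaves the geo block silently inactive, while one that selects extra hosts applies the block to sites it was not meant for.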