Recommendation for allowing my own scripts to get in
Posted: Wed Jul 23, 2014 1:39 pm
I have Perl scripts on my site that sometimes talk to one another using the Perl module LWP::UserAgent, like this…
Recently, possibly due to a server change, the above request began failing with HTTP Status 403 Forbidden. By guessing, I was able to fix the problem by telling my requests to spoof Firefox, like this…
I think, but I am not sure because my web host only gives me second-hand access to the logs on this shared host, that these rejected requests result are coincident with log entries like this:
My question is: What is the best way to work around this? My web host has offered to disable mod_security, but I don't think that would be a good idea. I also don't like the suggestion given, to disable libwww-perl, because this site is a on shared web host, and what if they do a security audit and decide to re-enable it again without telling me, or move me to a different server, or if I move to a different web host? It will take me two days to track down all of these little tweaks that made my site work. Does that make sense?
I think that modifying my "calling" script to use a different user agent, as I have, is a good workaround, but spoofing Firefox 30.0 is a kludge. Is there a good, future-proof User Agent string? What if I just made up my own User Agent string, "Jerry 1.0"? Is that a good idea?
Thanks,
Jerry Krinock
Code: Select all
use LWP::UserAgent;
my $ua = new LWP::UserAgent;
my $orderProcessor = "$main::gScriptsPathUrl/ProcessOrder.pl" ;
my $request = new HTTP::Request('POST', $orderProcessor) ;
$request->content_type('application/x-www-form-urlencoded');
$request->content($encodedQueryString) ;
$ua->timeout(20) ; # 20 second timeout
my $response = $ua->request($request);
Code: Select all
$ua->agent("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0") ;
Code: Select all
ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_rules/20_asl_useragents.conf"] [line "147"] [id "330039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl). Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "sheepsystems.com"] [uri "/cgi-bin/test/ProcessOrder.pl"] [unique_id "U87-V0VJqJ8AAGWTKqkAAAAH"]I think that modifying my "calling" script to use a different user agent, as I have, is a good workaround, but spoofing Firefox 30.0 is a kludge. Is there a good, future-proof User Agent string? What if I just made up my own User Agent string, "Jerry 1.0"? Is that a good idea?
Thanks,
Jerry Krinock