We Keep Coding

Downsides to whitelisting localhost in mod_security?

I've just enabled mod_security on my CentOS server via WHM with OWASP ModSecurity Core Rule Set.
I've seen some very useful stuff so far but also some very annoying, not very useful things such as:
016-06-23 10:00:01 127.0.0.1 WARNING 200 960008: Request Missing a Host Header
2016-06-23 10:00:01 127.0.0.1 NOTICE 200 960009: Request Missing a User Agent Header More
2016-06-23 10:00:01 127.0.0.1 200 981204: Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header
Basically 95% of the hits (which are a lot) are like this, form localhost.
What is this exactly? And are there security concerns should I simply whitelist localhost?
Thanks

Only you can answer this to be honest.
It sounds like you have something running locally which connects to you webserver. Maybe a script to check if the site is up? Maybe something else that gets something webserver.
Whatever it is not setting:
The Host Header: which site you want to visit - so guessing script is using IP address to connect or just not passing the hostname.
The user agent: all browsers pass a user agent so when this is not present its highly likely it's a script. That's not to say whether that script is malicious or useful.
Neither of those rules are really problems or security concerns in themselves. They are just a sign that it's likely not a browser so likely is a script so maybe want to block.
To be honest I'd find out what is doing this. As I say I would guess it might be a heartbeat check script to check site it still up. If so, then no problem whitelisting localhost for these two rules. If not then you can decide whether you want to whitelist or not.
I personally prefer to only whitelist what's necessary rather than blanket whitelist all of localhost, so to whitelist these rules you can add config like this BEFORE the rules (as the ctl command expects the rules it's amending to come after it):
SecRule REMOTE_ADDR "#ipMatch 127.0.0.1" "id:1000,phase:2,nolog,ctl:ruleRemoveById=960008;ctl:ruleRemoveById=960009"

Configure Access-Control-Allow-Origin for monit

I am trying to grab json data from monit and display it on a status page for management to see the current status of a handful of processes. This info would be displayed in Confluence running on the same machine but since Confluence (apache) and monit are running on different ports it is considered to be cross domain.
I know I can write a server side process to serve this data but that seems to be overkill and would actually take longer that it took to set monit up in the first place :)
The simplest solution is to configure monit's headers (Access-Control-Allow-Origin) to allow the other server. Does anyone know how to do this? I suspect there is a way since M/Monit would run into the same issue. I have tried some blind attempts on the "httpd... allow" lines but it complains about the syntax with x.x.x.x:port or using keyword "port" in that location.

ok... going to answer my own question (sort of).
First, I think I may have asked the question wrong. I don't deal with a lot of cross domain issues. Sorry about that.
But here is what I did to get to the monit info from the other servers: pretty simple using proxies in apache where the main server is:
ProxyPass /monit http://localhost:2812
ProxyPassReverse /monit http://mainserver/monit
ProxyPass /monit2 http://server2:2812
ProxyPassReverse /monit2 http://mainserver/monit2
I did this for each of the servers and tested that I can get to either the monit web interface or to the _status?format=json sub pages. I can now call them using ajax on our main web page.
This also has the benefit that I can lock down the monit access control to just the main server but have the info show on a more visible page. :)

I don't think you would need a proxy to just display monit's api or http info. It depends on how you have your network and dns configured. If you'd like to use only localhost, then that might be necessary. But, monit does have a facility to use global host ip access using allow directives in it's own config rc file

How to create a friendly url in Tomcat?

I want to modify my application URL from //localhost:8080/monitor/index.html to just monitor , so that on putting monitor on browser, my application should open. Is there a way to achieve this, can someone suggest the configuration changes which will be required for this.
Can I map my short URL to the existing one may be somewhere in web.xml. I am not sure about the approach any suggestions will be great.
Thanks and regards
Deb

You're mixing up several different protocol layers in your question.
If you just enter nothing but "monitor" in the browser URL bar the browser is going to first lookup "monitor" in DNS and finding nothing it will then probably send a query to Google or your configured search engine. In the past browsers have taken other steps, such as appending ".com" and prepending "www." but I don't think modern browsers do that any more.
So far, your server is not even remotely involved.
If you're a large ISP user (TimeWarner, Comcast) and use their DNS it's also possible the ISP will intercept your failed DNS lookup and route the request to a "helpful" search page (i.e. SPAM) of their own.
At this point the request is still nowhere near your server.
I suppose you could mess with the /etc/hosts file on your local system to resolve "monitor" to the proper hostname, but that's an extremely brittle solution that has to be hard coded on each machine you want to have this "shortcut" link (and which breaks when the hostname changes).
You're much better off just setting up a web shortcut in your browser that points to the right place.

Web-page redirection

I am trying to achieve the following:
when a user types "print" (or "http://print") in the address-bar of the browser :
I want the user to be re-directed to a page : www.abc.com/print/
How can one achieve this ? I tried to lookup some squid configurations but was unable to find the same.
Thanks!
Edit : I do not understand the deal with down votes, this is a perfectly valid question.

If you want to enable a user on your LAN to type "print" in the address bar and be redirected to a given hostname, you'll have to supply a DNS record to that effect. This is not accomplished on a web server, nor is it web development in any respect.
There are several methods to resolving a given hostname to a given IP or to another hostname. One way is to edit the client hosts file, as described in another answer. One could also, if you have a DNS server running within your LAN environment, add A records to this effect.
You must understand how hostname lookups work from a browser. When you type something in the address bar, your browser uses your operating system to resolve the hostname to an IP address. Your operating system uses its hosts file, internet connection, and other mechanisms to accomplish this. This process itself has several tiers and steps that are outside the scope of the browser and which cannot be influenced by the browser. Nor will arbitrary web servers be consulted in this process. Your aim is to inject something in this process that resolves the hostname "print" to the webserver of your choosing - THEN web development might come in to play.
See: http://www.quackit.com/how-websites-work/how-dns-works.cfm

Can we detect if a site is on CDN?

Is there a way to detect if a site is on a Content Delivery Network and if yes, can we tell which service are they using?

A method that is achievable from the command line is using the 'host' command, with the -a flag set to see the DNS record e.g.
host -a www.visitbritain.com
Returns:
www.visitbritain.com. 0 IN CNAME d18sjq5nyxcof4.cloudfront.net.
Here you can see that the CNAME entry tells us that the site is using cloudfront as the CDN.

Just take a look at the urls of the images (and other media) of the site.
Reverse lookup IP's of the hostnames you see there and you will see who own them.

I built this little tool to identify the CDN used by a site or a domain, feel free to try it.
The URL: http://www.whatsmycdn.com/

You might also be able to tell from the HTTP headers of the media if the URL doesn't give it away. For example, media served by SimpleCDN has Server: SimpleCDN 5.6a4 in its headers.

cdn planet now have their cdn finder tool on github
http://www.cdnplanet.com/blog/better-cdn-finder/ The tool installs on the command line and allows you the feed in host names and check if they use a CDN.

If Website using GCP CDN you simply check it using curl
curl -I <https://site url>
In reponse you can find following headers there available
x-goog-metageneration: 2
x-goog-stored-content-encoding: identity
x-goog-stored-content-length: 17393
x-goog-meta-object-id: 11602
x-goog-meta-source-id: 013dea516b21eedfd422a05b96e2c3e4
x-goog-meta-file-hash: cf3690283997e18819b224c6c094f26c

Yes you can find by
host -a www.website.com

Apart from some excellent answers already posted here which include some direct methods which may or may not work for all the websites out there, there is also an indirect way to see if a CDN is there. And especially if its your own website and you want to know if you are getting what you are paying for !
The promise of a CDN is that connections from your users are terminated closer to them so that they get less TCP / TLS connection establishment overhead and static content is cached closet to them so that it loads faster, puts less strain on your origin servers.
To verify this, you can take measurements of site load times across the globe and see if all the users get similar loads times. No you dont have to get a machine everywhere in the world to do that ! Someone has already done that for you
Head to https://prober.tech/ and the URL you wish to test for load times.
Because this site itself is in Cloudflare's CDN, you can put that link itself in the test box and use it as baseline !
More information on using the tool can be found here