Topics

1

Mod_Security / Excluded rule for a domain is ignored

« on: March 27, 2023, 09:09:39 PM »

I encounter a blockage with an MP4 file associated with an embedded video player.

Looking in the Apache error log, it's about a ModSecurity rule. So, I tried to exclude the concerned rule from CWP (Security/ModSecurity/Domains/<concerned_domain>/Edit Rules), but every time I saved the file, despite the message "success", it was not there (empty text area when I open it again).

So, I took a look on disk and the path indicated by CWP didn't exist: /usr/local/apache/conf/userdata/<user>/<domain>/modsec.conf. Then, I created the path and renewed the operation from within CWP... And this time, the file modsec.conf was effectively created clicking the save button.

But, even after a restart of Apache, the exclusion is ignored; same error!

At this stage, I wonder if it's because the file is in the wrong location (but CWP found it for editing), if it's because I have to include modsec.conf at some point in a parent .conf file, if it's due to a mistake in my syntax or a known issue with ModSec or CWP...

Here is the error (anonymized):

Code: [Select]

[Mon Mar 27 22:22:52.425976 2023] [:error] [pid 1008302:tid 140528217736960] [client 2a02:842b:853b:f90a:f020:63132] [client 2a02:842b:fc87:f90a:f020] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "foobar.tld"] [uri "/vid/intro.mp4"] [unique_id "ZCH7HJJr-iBQGILntBDpjAAAAIo"], referer: https://foobar.tld/
Here is /usr/local/apache/conf/userdata/dummy/foobar.tld/modsec.conf:

Code: [Select]

# Prevent OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ on /vid/intro.mp4
SecRuleRemoveById 958291
And my context: CWP7, Apache 2.4, AlmaLinux 8.7.

What do you think?

2

SSL / Unable to install AutoSSL with IPv6 only

« on: March 25, 2023, 07:01:06 PM »

Hello,

My first post here, and new to CWP too. Well, here is my context:

- My ISP is using CGNAT, so I can't do port forwarding on IPv4. So, I did-it on IPv6 redirecting ports 80 & 443 to my server.
- The server is with Apache 2.4 in AlmaLinux 8.7 x86_64
- My domain (say "foo.tld") is defined as an add-on of a user through CWP 7
- I'm using a DDNS service for foo.tld, defining AAA record only to the server's IPv6 (ie. no A record for IPv4).
- The domain is well registered at a registrar pointing the name servers of the DDNS provider.

This way, the website is well reachable through http:// and the next step is https://. So, I tried to install an AutoSSL (LE) certificate, but it fails with this error: "DNS of your domain doesn't point to this server or you have htaccess restrictions".

At this point, I understand that LE wants an IPv4, while I read here and there (eg. https://github.com/letsencrypt/boulder/issues/593 and https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/60) that Let's Encrypt supports the IPv6-only domains since 2016. So, what? Did I made a mistake at some points?

Of course, I tried to add a A record, but it fails too since there's no way to reach my server behind the box-router on the public IPv4.

Is there a way to create (and do renew will work) this AutoSSL certificate in this context? Or what's the alternative (staying in IPv6-only; not using VPN/tunelling with port forwarding on IPv4)?

And last question (I'm not used with this): does a self-signed certificate would do the job the same way as an LE certificate?

I need your enlighted help