Author Topic: ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env


Hi,

I've cleaned up the server logs and fixed a few errors, so only one or two errors remain.

Having issues with Apache.
Upgraded the web server from Apache Only to Nginx, Varnish, Apache,
and I'm randomly finding Apache offline, so something is not right.

If I switch back to Apache Only, I can't restart Apache at all.
When set to Nginx, Varnish, Apache, Apache goes offline randomly, but I'm able to restart it.

So, I looked in /usr/local/apache/logs

Quote
ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "117"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "5.55.154.55"] [uri "/.env"] [unique_id "ZQbGaAHhrTaYwGUNEoolBwAAAIE"]

Quote
[Sun Sep 17 09:35:53.078555 2023] [:notice] [pid 5153:tid 139887043213184] ModSecurity: StatusEngine call failed. Query: GIXDSLRRFRAXAYLDNBSS6MROGQXDKNZA.FBKW42LYFEQE64DFNYWDCLRWFYZC6MJO.GYXDELBYFYZTELZYFYZTEIBSGAYTELJR.GEWTGMBMFBXHK3DMFEWDELRZFYYSYY3E.GYYGIM3FMUZDMNRTMMYGKNRTMM4TAYLD.ME4DQMZTMQ3TENLDMJRTCYJYGYYGM.1694939744.status.modsecurity.org


Any advice appreciated
« Last Edit: September 17, 2023, 02:22:15 PM by emar »
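The first quoted line is ModSecurity's standard error-log record of a blocked request: Comodo (CWAF) rule 210492 matched the phrase "/.env" in the request URI during phase 1 and answered 403. The `[hostname "..."]` tag in a ModSecurity 2.x message is the host the request was addressed to; the client address sits in the Apache `[client ...]` prefix, which the post trimmed. The script below is an added example (not the poster's code and not part of CWAF or ModSecurity) that parses lines in exactly that format, separates real blocks from notices such as the StatusEngine one, and counts hits per rule and URI so that repeated probes for secret-bearing dotfiles stand out. The sample log, the `SENSITIVE_PATHS` list and the function names are constructed for the example; the first and third sample lines are the ones quoted above (the StatusEngine query shortened), the second is a made-up second hit on the same rule.

```python
import re
from collections import Counter

# Constructed sample input for this example: line 1 is the ModSecurity entry
# quoted in the post, line 2 is a made-up second hit on the same rule with a
# different URI, line 3 is the StatusEngine notice from the post with the DNS
# query shortened. Real input would be the Apache error_log.
SAMPLE_LOG = r'''ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "117"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "5.55.154.55"] [uri "/.env"] [unique_id "ZQbGaAHhrTaYwGUNEoolBwAAAIE"]
ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/usr/local/apache/modsecurity-cwaf/rules/02_Global_Generic.conf"] [line "117"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "5.55.154.55"] [uri "/.env.bak"] [unique_id "ZQbGaAHhrTaYwGUNEoolBwAAAIF"]
[Sun Sep 17 09:35:53.078555 2023] [:notice] [pid 5153:tid 139887043213184] ModSecurity: StatusEngine call failed. Query: GIXDSLRRFRAXAYLDNBSS6MROGQXDKNZA.1694939744.status.modsecurity.org
'''

# [key "value"] pairs that ModSecurity appends to every rule message.
# "tag" may repeat, so it is collected into a list rather than a single value.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Leading verdict of a blocking message: HTTP status, processing phase and the
# human-readable match description that precedes the first [file "..."] tag.
DENY_RE = re.compile(
    r'ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)\. '
    r'(?P<reason>.*?)(?= \[file )'
)

# Constructed list of paths that commonly hold credentials; scanners request
# these on every host they can reach, so a 403 here is the WAF doing its job.
SENSITIVE_PATHS = ('/.env', '/.git', '/.htpasswd', '/.aws/', '/.ssh/')


def parse_line(line):
    """Turn one error-log line that mentions ModSecurity into a dict.

    Returns None for lines that are not from ModSecurity, a 'block' record for
    'Access denied' messages and a 'notice' record for everything else
    (for example the StatusEngine message).
    """
    if 'ModSecurity:' not in line:
        return None
    fields, tags = {}, []
    for key, value in KV_RE.findall(line):
        if key == 'tag':
            tags.append(value)
        else:
            fields[key] = value
    m = DENY_RE.search(line)
    if m:
        return {
            'kind': 'block',
            'code': int(m.group('code')),
            'phase': int(m.group('phase')),
            'reason': m.group('reason'),
            'id': fields.get('id'),
            'severity': fields.get('severity'),
            'file': fields.get('file'),
            'rule_line': fields.get('line'),
            'hostname': fields.get('hostname'),   # server host, not the client
            'uri': fields.get('uri'),
            'unique_id': fields.get('unique_id'),
            'tags': tags,
        }
    return {'kind': 'notice', 'reason': line.split('ModSecurity: ', 1)[1].strip()}


def parse_log(text):
    """Parse a whole log text, dropping lines that are not ModSecurity's."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_sensitive_file_probe(uri):
    """True when the request path reaches for a dotfile that commonly holds secrets."""
    return any(uri.startswith(p) for p in SENSITIVE_PATHS)


def summarize_blocks(events):
    """Count 403 blocks per (rule id, uri) so repeated probes stand out from one-offs."""
    return Counter((e['id'], e['uri']) for e in events if e['kind'] == 'block')


if __name__ == '__main__':
    events = parse_log(SAMPLE_LOG)
    for (rule_id, uri), n in summarize_blocks(events).most_common():
        flag = 'secret-file probe' if is_sensitive_file_probe(uri) else ''
        print(f'rule {rule_id}  {uri:<12} x{n}  {flag}')
    for e in events:
        if e['kind'] == 'notice':
            print('notice:', e['reason'][:60])
```

Run it against `/usr/local/apache/logs/error_log` by replacing `SAMPLE_LOG` with the file contents. A block record like the one above documents a request that never reached the application; it is evidence of a scanner, not of a fault that would stop Apache, so the restart problem has to be traced in the lines around it rather than in this one. The StatusEngine notice is separate: ModSecurity 2.9 reports an installation fingerprint through DNS lookups under status.modsecurity.org, and a failed lookup is harmless; `SecStatusEngine Off` in the ModSecurity configuration stops the lookups if the notices are unwanted. If a CWAF rule ever did block legitimate traffic, the rule id from the parsed record is what `SecRuleRemoveById` takes to disable it.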

Re: ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env
« Reply #1 on: September 17, 2023, 03:25:49 PM »
Are you using the OWASP or Comodo ruleset with ModSecurity? Comodo is recommended for mere mortals as a starting point; fewer false positives and more permissive by default.

Re: ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env
« Reply #2 on: September 17, 2023, 07:41:13 PM »
@overseer yes, I have Comodo WAF enabled.

I don't know what's causing this, but it's knocking off Apache and a proxy server set up for audio streaming.
Every time the proxy fails or restarts, none of the https stream URLs work, then Apache stops and knocks the websites off.