I encounter a blockage with an MP4 file associated with an embedded video player.
Looking in the Apache error log, it's about a ModSecurity rule. So, I tried to exclude the concerned rule from CWP (Security/ModSecurity/Domains/<concerned_domain>/Edit Rules), but every time I saved the file, despite the message "success", it was not there (empty text area when I open it again).
So, I took a look on disk and the path indicated by CWP didn't exist: /usr/local/apache/conf/userdata/<user>/<domain>/modsec.conf. Then, I created the path and renewed the operation from within CWP... And this time, the file modsec.conf was effectively created clicking the save button.
But, even after a restart of Apache, the exclusion is ignored; same error!
At this stage, I wonder if it's because the file is in the wrong location (but CWP found it for editing), if it's because I have to include modsec.conf at some point in a parent .conf file, if it's due to a mistake in my syntax or a known issue with ModSec or CWP...
Here is the error (anonymized):
[Mon Mar 27 22:22:52.425976 2023] [:error] [pid 1008302:tid 140528217736960] [client 2a02:842b:853b:f90a:f020:63132] [client 2a02:842b:fc87:f90a:f020] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "foobar.tld"] [uri "/vid/intro.mp4"] [unique_id "ZCH7HJJr-iBQGILntBDpjAAAAIo"], referer: https://foobar.tld/
Here is /usr/local/apache/conf/userdata/dummy/foobar.tld/modsec.conf:
# Prevent OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ on /vid/intro.mp4
SecRuleRemoveById 958291
And my context: CWP7, Apache 2.4, AlmaLinux 8.7.
What do you think?
Topic: Excluded rule for a domain is ignored (Read 1888 times)
