This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
Mod_Security / Excluded rule for a domain is ignored
« on: March 27, 2023, 09:09:39 PM »
I encounter a blockage with an MP4 file associated with an embedded video player.
Looking in the Apache error log, it's about a ModSecurity rule. So, I tried to exclude the concerned rule from CWP (Security/ModSecurity/Domains/<concerned_domain>/Edit Rules), but every time I saved the file, despite the message "success", it was not there (empty text area when I open it again).
So, I took a look on disk and the path indicated by CWP didn't exist: /usr/local/apache/conf/userdata/<user>/<domain>/modsec.conf. Then, I created the path and renewed the operation from within CWP... And this time, the file modsec.conf was effectively created clicking the save button.
But, even after a restart of Apache, the exclusion is ignored; same error!
At this stage, I wonder if it's because the file is in the wrong location (but CWP found it for editing), if it's because I have to include modsec.conf at some point in a parent .conf file, if it's due to a mistake in my syntax or a known issue with ModSec or CWP...
Here is the error (anonymized):
Here is /usr/local/apache/conf/userdata/dummy/foobar.tld/modsec.conf:
And my context: CWP7, Apache 2.4, AlmaLinux 8.7.
What do you think?
Looking in the Apache error log, it's about a ModSecurity rule. So, I tried to exclude the concerned rule from CWP (Security/ModSecurity/Domains/<concerned_domain>/Edit Rules), but every time I saved the file, despite the message "success", it was not there (empty text area when I open it again).
So, I took a look on disk and the path indicated by CWP didn't exist: /usr/local/apache/conf/userdata/<user>/<domain>/modsec.conf. Then, I created the path and renewed the operation from within CWP... And this time, the file modsec.conf was effectively created clicking the save button.
But, even after a restart of Apache, the exclusion is ignored; same error!
At this stage, I wonder if it's because the file is in the wrong location (but CWP found it for editing), if it's because I have to include modsec.conf at some point in a parent .conf file, if it's due to a mistake in my syntax or a known issue with ModSec or CWP...
Here is the error (anonymized):
Code: [Select]
[Mon Mar 27 22:22:52.425976 2023] [:error] [pid 1008302:tid 140528217736960] [client 2a02:842b:853b:f90a:f020:63132] [client 2a02:842b:fc87:f90a:f020] ModSecurity: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "428"] [id "958291"] [rev "2"] [msg "Range: field exists and begins with 0."] [data "bytes=0-"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ"] [hostname "foobar.tld"] [uri "/vid/intro.mp4"] [unique_id "ZCH7HJJr-iBQGILntBDpjAAAAIo"], referer: https://foobar.tld/
Here is /usr/local/apache/conf/userdata/dummy/foobar.tld/modsec.conf:
Code: [Select]
# Prevent OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ on /vid/intro.mp4
SecRuleRemoveById 958291
And my context: CWP7, Apache 2.4, AlmaLinux 8.7.
What do you think?
2
SSL / Unable to install AutoSSL with IPv6 only
« on: March 25, 2023, 07:01:06 PM »
Hello,
My first post here, and new to CWP too. Well, here is my context:
- My ISP is using CGNAT, so I can't do port forwarding on IPv4. So, I did-it on IPv6 redirecting ports 80 & 443 to my server.
- The server is with Apache 2.4 in AlmaLinux 8.7 x86_64
- My domain (say "foo.tld") is defined as an add-on of a user through CWP 7
- I'm using a DDNS service for foo.tld, defining AAA record only to the server's IPv6 (ie. no A record for IPv4).
- The domain is well registered at a registrar pointing the name servers of the DDNS provider.
This way, the website is well reachable through http:// and the next step is https://. So, I tried to install an AutoSSL (LE) certificate, but it fails with this error: "DNS of your domain doesn't point to this server or you have htaccess restrictions".
At this point, I understand that LE wants an IPv4, while I read here and there (eg. https://github.com/letsencrypt/boulder/issues/593 and https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/60) that Let's Encrypt supports the IPv6-only domains since 2016. So, what? Did I made a mistake at some points?
Of course, I tried to add a A record, but it fails too since there's no way to reach my server behind the box-router on the public IPv4.
Is there a way to create (and do renew will work) this AutoSSL certificate in this context? Or what's the alternative (staying in IPv6-only; not using VPN/tunelling with port forwarding on IPv4)?
And last question (I'm not used with this): does a self-signed certificate would do the job the same way as an LE certificate?
I need your enlighted help
My first post here, and new to CWP too. Well, here is my context:
- My ISP is using CGNAT, so I can't do port forwarding on IPv4. So, I did-it on IPv6 redirecting ports 80 & 443 to my server.
- The server is with Apache 2.4 in AlmaLinux 8.7 x86_64
- My domain (say "foo.tld") is defined as an add-on of a user through CWP 7
- I'm using a DDNS service for foo.tld, defining AAA record only to the server's IPv6 (ie. no A record for IPv4).
- The domain is well registered at a registrar pointing the name servers of the DDNS provider.
This way, the website is well reachable through http:// and the next step is https://. So, I tried to install an AutoSSL (LE) certificate, but it fails with this error: "DNS of your domain doesn't point to this server or you have htaccess restrictions".
At this point, I understand that LE wants an IPv4, while I read here and there (eg. https://github.com/letsencrypt/boulder/issues/593 and https://community.letsencrypt.org/t/support-for-ipv6-only-hosts/354/60) that Let's Encrypt supports the IPv6-only domains since 2016. So, what? Did I made a mistake at some points?
Of course, I tried to add a A record, but it fails too since there's no way to reach my server behind the box-router on the public IPv4.
Is there a way to create (and do renew will work) this AutoSSL certificate in this context? Or what's the alternative (staying in IPv6-only; not using VPN/tunelling with port forwarding on IPv4)?
And last question (I'm not used with this): does a self-signed certificate would do the job the same way as an LE certificate?
I need your enlighted help
Pages: [1]