
httpd-vhosts.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "c:/wamp64/www/mysite"
    Alias /.well-known c:/wamp64/www/mysite/.well-known
    RewriteEngine On
    RewriteRule ^ https://example.com [L,R=301]
</VirtualHost>

httpd-ssl.conf

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/example.com-key.pem"
    DocumentRoot "c:/wamp64/www/mysite"
    <Directory "c:/wamp64/www/mysite/">
        Options +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Order Deny,Allow
        Allow from all
        Require all granted
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
    </Directory>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri='https://example.com/'"
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"

</VirtualHost>

#

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/www.example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/www.example.com-key.pem"
    DocumentRoot "c:/wamp64/www/mysite"
    <Directory "c:/wamp64/www/mysite/">
        Options +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Order Deny,Allow
        Allow from all
        Require all granted
    </Directory>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri='https://example.com/'"
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"

    RewriteEngine On
    RewriteRule ^ https://example.com [L,R=301]
</VirtualHost>

Without mod_security2 everything works without problems. When mod_security2 is on, redirects are blocked (403). When I add this to httpd.conf:

SecRuleRemoveById 959100

redirects work again. Please help, as I know it is not safe to remove this rule. Thank you.

PS. logs: https://drive.google.com/file/d/1AD42nQw27MPpZl9GEwioDtW2DpKBWRAL/view?usp=sharing

PS2. Removing headers doesn't change anything.

impimp
  • Rule 959100 is the Core Rule Set (CRS) rule responsible for making the outbound blocking decision. That suggests that **something in the response from your web server is triggering CRS rules**, and hence causing a block/deny action to take place. You need to provide error log or audit log data to see precisely what is happening, the location it is happening at, the rules that are being triggered, etc. Without that information it will be nearly impossible for anyone to give you a helpful answer. **Remember to remove any sensitive data from logs you share here.** – xanadu Jan 02 '22 at 15:21
  • I bet some of the headers added using the 'Header' directive are causing it. – azurit Jan 02 '22 at 16:48
  • https://drive.google.com/file/d/1AD42nQw27MPpZl9GEwioDtW2DpKBWRAL/view?usp=sharing – impimp Jan 03 '22 at 07:53
  • Logs in previous comment. # all headers changes nothing. – impimp Jan 03 '22 at 18:46

1 Answer


Looking at your log samples, we can see why your requests are being blocked (with 403 status code responses):

[msg "Outbound Anomaly Score Exceeded (score 0): individual paranoia level scores: , , , "]

This tells us two things:

  1. Your outbound anomaly score is set to 0. It should not be. (For reference, the default value is 4.)
  2. Some of the key scoring variables are not being initialised, which is probably why you have those rogue commas at the end without any score values (scores: , , , is supposed to show score numbers). I suspect that REQUEST-901-INITIALIZATION.conf is not being loaded. You need to make sure the Core Rule Set files are being include-d correctly.

If you need some guidance with writing a functioning Apache + ModSecurity + Core Rule Set configuration then take a look at this thorough tutorial.

xanadu
  • Thank you. I don't know how to fix it (I've read the tutorial again - all settings are set as in it). – impimp Jan 13 '22 at 18:30
  • My advice would be: start from scratch with the simplest configuration you can. No rewriting, just a *simple plain site* on port 80. Once you have that working correctly *then* add rewrites etc. It doesn't help that you're using Apache + ModSecurity on Windows: I think that is very, very rare, so you may run into unusual, Windows-specific problems which will be hard to find help for. If you still have problems, work through these tutorials from start to finish and you will *definitely* finish with a working configuration: https://www.netnea.com/cms/apache-tutorials/ Good luck! – xanadu Jan 13 '22 at 20:55
  • No need to destroy the config, because without this one rule everything works without problems (A+ on most site tests); in mod_security and CRS everything is set as in the tutorials... – impimp Jan 14 '22 at 20:19
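
The two symptoms the answer reads from the log message (a block at score 0 and empty per-paranoia-level scores) can be checked mechanically across a whole error log. This is an added example, not part of the original thread: the sample lines are constructed around the message quoted in the answer, and `diagnose_outbound` and `summarize` are hypothetical helper names.

```python
import re

# Default outbound anomaly threshold, as stated in the answer above.
DEFAULT_OUTBOUND_THRESHOLD = 4

# Message format of the outbound blocking rule, as quoted in the answer.
MSG_RE = re.compile(
    r'\[msg "Outbound Anomaly Score Exceeded \(score (?P<score>\d*)\): '
    r'individual paranoia level scores: (?P<pl>[^"]*)"\]'
)

# Constructed sample lines (not taken from the asker's logs).
SAMPLE_LINES = [
    # Broken setup: blocked at score 0, paranoia-level scores empty.
    'ModSecurity: Access denied with code 403 (phase 4). [id "959100"] '
    '[msg "Outbound Anomaly Score Exceeded (score 0): '
    'individual paranoia level scores: , , , "]',
    # Healthy setup: a real outbound score that reached the threshold.
    'ModSecurity: Access denied with code 403 (phase 4). [id "959100"] '
    '[msg "Outbound Anomaly Score Exceeded (score 4): '
    'individual paranoia level scores: 4, 0, 0, 0"]',
    # Unrelated line: ignored by the parser.
    '[notice] constructed unrelated log line',
]

def diagnose_outbound(line):
    """Return findings for one log line, or None if it is not an
    outbound blocking message. An empty list means the block looks normal."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    score = int(m.group("score")) if m.group("score") else None
    pl_scores = [p.strip() for p in m.group("pl").split(",")]
    findings = []
    if score is None or score < DEFAULT_OUTBOUND_THRESHOLD:
        findings.append("threshold: blocked below the default of 4, "
                        "check tx.outbound_anomaly_score_threshold")
    if any(p == "" for p in pl_scores):
        findings.append("init: paranoia-level scores are empty, check that "
                        "REQUEST-901-INITIALIZATION.conf is loaded")
    return findings

def summarize(lines):
    """Map the index of each outbound blocking line to its findings."""
    results = {}
    for i, line in enumerate(lines):
        found = diagnose_outbound(line)
        if found is not None:
            results[i] = found
    return results
```

A line that yields both findings matches the situation in the answer: the rule fired because the threshold variable was never set, not because the response scored anything.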