0

httpd-vhosts.conf

    <VirtualHost *:80>
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot "c:/web/www/mysite"
    Alias /.well-known c:/web/www/mysite/.well-known
Redirect permanent / https://example.com [L,R=301]
    </VirtualHost>

httpd-ssl.conf

        <VirtualHost *:443>
    
    ServerName example.com
    
    SSLEngine on
    SSLCertificateFile "C:/web/cert/example.com-chain.pem"
    SSLCertificateKeyFile "C:/web/cert/example.com-key.pem"
        DocumentRoot "c:/web/www/mysite"
        <Directory  "c:/web/www/mysite/">
            Options  +Includes +FollowSymLinks +MultiViews
            AllowOverride All
            Order Deny,Allow
            Allow from all
            Require all granted
        </Directory>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri='https://example.com/'"
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"
    
    </VirtualHost>
    
    #
    
    <VirtualHost *:443>
    ServerName www.example.com
    
    SSLEngine on
    SSLCertificateFile "C:/web/cert/www.example.com-chain.pem"
    SSLCertificateKeyFile "C:/web/cert/www.example.com-key.pem"
        DocumentRoot "c:/web/www/mysite"
        <Directory  "c:/web/www/mysite/">
            Options  +Includes +FollowSymLinks +MultiViews
            AllowOverride All
            Order Deny,Allow
            Allow from all
            Require all granted
        </Directory>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri='https://example.com/'"
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"
    
Redirect permanent / https://example.com [L,R=301]
    </VirtualHost>

Without mod_security2 everything works without problems. When mod_security2 is on redirects are blocked (403). When I add to httpd.conf

SecRuleRemoveById 959100

Redirects works again. Please help, as I know it is not safe to remove this rule. # all headers doesn't change anything.

Logs: https://drive.google.com/file/d/1AD42nQw27MPpZl9GEwioDtW2DpKBWRAL/view?usp=sharing

impimp
  • 1

0 Answers0