Broken URLs after enabling mod_security

Question

For example this pdf stopped working after enabling the mod, it generates 403 error.

[Wed May 30 18:47:19 2012] [error] [client xxxxxxxxxxx] ModSecurity: Warning. 
Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" 
required. [file "base_rules/modsecurity_crs_30_http_policy.conf"] 
[line "78"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] 
[data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] 
[tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname 
"somedomain.net"] [uri "/guide.pdf"] [unique_id "T8ZPFwoAARkAAA3sIQkAAAAG"]

Line 78,

SecRule REQUEST_PROTOCOL "!@within %{tx.allowed_http_versions}" 
"phase:2,t:none,block,msg:'HTTP protocol version is not allowed by policy',
 severity:'2',id:'960034',tag:'POLICY/PROTOCOL_NOT_ALLOWED',tag:'WASCTC/WASC-21',
tag:'OWASP_TOP_10/A6',tag:'PCI/6.5.10',logdata:'%{matched_var}',setvar:'tx.msg=%
{rule.msg}',setvar:tx.anomaly_score=+%      
{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},
setvar:tx.%{rule.id}-POLICY/PROTOCOL_NOT_ALLOWED-%{matched_var_name}=%{matched_var}"

What does that rule do that those URLs are broken?

The question is what does that rule do that those URLs are broken? — Johan Larsson, May 30 '12 at 17:09

score 3 · Accepted Answer · answered May 31 '12 at 11:24

You should have a section in modsecurity_crs_10_config.conf that looks like this:

#
# -=[ HTTP Policy Settings ]=-
#
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.  
# If you run into false positves, you can adjust the settings here.
#
SecAction "phase:1,id:'981212',t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"

Could you add the line with allowed_http_versions from yours to your question? Or better yet, the whole section?

The log line from your Apache access logs for that same request might also be useful but I suspect we will have enough information with just the allowed_http_versions line from the config.

The error message contains [data "HTTP/1.1"] which indicates that the rule was triggered because HTTP/1.1 is not one of the allowed HTTP versions. Either your allowed_http_versions doesn't contain HTTP/1.1 or there's something else messed up with that set of rules that means that the variable isn't set correctly.

I Didn't have that file :) Thanks for mentionening it. Everything looks better now. — Johan Larsson, Jun 03 '12 at 02:51

Broken URLs after enabling mod_security

1 Answers1