modsecurity whitelist to allow file downloads?

Question

I have a site that has modsecurity enabled but I am receiving 403 Forbidden when trying to access PDF documents on the server through the web site. Is there a way to whitelist pdf files to allowed to be served through the site or a possible configuration option?

            --9a349c55-A--
            [14/Aug/2013:10:05:57 --0400] UguOxX8AAQEAAD22d8AAAACN 192.168.1.108 52929 192.168.1.125 80
            --9a349c55-B--
            GET /pdf/sample.pdf HTTP/1.1
            Host: www.example.com
            Connection: keep-alive
            User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
            Accept: */*
            Referer: http://www.example.com/pdf/sample.pdf
            Accept-Encoding: gzip,deflate,sdch
            Accept-Language: en-US,en;q=0.8
            Cookie: __utma=143856170.1892623529.1376158518.1376158518.1376158518.1; __utmz=143856170.1376158518.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.834637782.1376487927.1376487927.1376487927.1; __utmb=1.4.10.1376487927; __utmc=1; __utmz=1.1376487927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
            Range: bytes=0-32767

            --9a349c55-F--
            HTTP/1.1 403 Forbidden
            Vary: Accept-Encoding
            Content-Encoding: gzip
            Content-Length: 247
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: text/html; charset=iso-8859-1

            --9a349c55-E--
            <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
            <html><head>
            <title>403 Forbidden</title>
            </head><body>
            <h1>Forbidden</h1>
            <p>You don't have permission to access /pdf/sample.pdf
            on this server.</p>
            </body></html>

            --9a349c55-H--
            Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "248"] [id "958291"] [rev "2.2.5"] [msg "Range: field exists and begins with 0."] [data "bytes=0-32767"] [severity "NOTICE"] [tag "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-958291"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"]
            Action: Intercepted (phase 2)
            Apache-Handler: proxy-server
            Stopwatch: 1376489157340781 711 (- - -)
            Stopwatch2: 1376489157340781 711; combined=247, p1=176, p2=30, p3=0, p4=0, p5=40, sr=31, sw=1, l=0, gc=0
            Response-Body-Transformed: Dechunked
            Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
            Server: Apache

            --9a349c55-Z--

Answer 1

use REQUEST_URI to build rule with regular expressions and place it at appropriate place in confuguration file/files like

SecRule REQUEST_URI ".*\.pdf$" phase:1,allow

It's not easy to explain secure way to do this in here, it depends on your architecture and the way your modsecurity is configured now.

Answer 2

It looks like the request is blocked by the rule 958291 that assumes that no legit browsers would set "Range" header to start with "0-" (which I think is a clearly wrong assumption - Firefox does this all the time for any large file downloads - but it's a different topic).

Rather then blindly allowing any request for any PDF request through with no further security checks (like suggested by GioMac above), I would suggest just turning off that specific rule for PDF's:

SecRule REQUEST_URI ".*\.pdf\?$" "phase:1,id:1001,nolog,t:urlDecode,t:lowercase,t:normalizePath,ctl:ruleRemoveById=958291"

You can also do the same for MP4, WEBM and other large binary files that your website may have available for download:

SecRule REQUEST_URI ".*\.(mp4|webm|pdf)\?$" "phase:1,id:1001,nolog,t:urlDecode,t:lowercase,t:normalizePath,ctl:ruleRemoveById=958291"