ModSecurity blocks the site on load because of cdn-loop: cloudflare

Abe

A fresh install of Ubuntu 20.04, nginx version 1.23.2 and Modsecurity 3.3.4. When I visit www.example.com I get 403 Forbidden. When I change:

http {
    modsecurity on;

to

http {
    modsecurity off;

the site loads normally. The reason is CDN-Loop by Cloudflare. CDN-Loop is a typical Cloudflare header but Modsecurity closes the connection. The error log shows the following:

Logs and dumps

---LxD3aa9l---A--
[17/Dec/2022:15:58:03 +0000] 1671292XXXXX.5XXXX6 192.xxx.a.xx 38XXX 192.xxx.b.xx 80
---LxD3aa9l---B--
GET / HTTP/1.1
cf-visitor: {"scheme":"https"}
accept-encoding: gzip
cdn-loop: cloudflare
Connection: close
sec-fetch-mode: navigate
cf-ipcountry: 
Host: example.com
X-Forwarded-For: 1x3.111.ax.45, 172.111.bx.136
X-Real-IP: 172.111.bx.136
cf-ray: 77b0dba33ddb9b8f-xyz
cache-control: max-age=0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Forwarded-Proto: https
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1234.56
sec-fetch-site: none
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Microsoft Edge";v="108"
sec-fetch-user: ?1
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
upgrade-insecure-requests: 1
sec-fetch-dest: document
accept-language: en-US,en;q=0.9,fr;q=0.8
cf-connecting-ip: 1x3.111.ax.45


---LxD3aa9l---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---atvQ9f4R---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=> (714 characters omitted)' against variable `REQUEST_HEADERS:accept' (Value: `image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1147"] [id "920600"] [rev ""] [msg "Illegal Accept header: charset parameter"] [data "image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [hostname "192.xxx.2.3x"] [uri "/favicon.ico"] [unique_id "167129268381.104766"] [ref "v559,53t:lowercase"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$' against variable `REQUEST_LINE' (Value: `GET /favicon.ico HTTP/1.1' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "48"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "GET /favicon.ico HTTP/1.1"] [severity "4"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "192.xxx.2.3x"] [uri "/favicon.ico"] [unique_id "167129268381.104766"] [ref "v0,25"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.4"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.xxx.2.3x"] [uri "/favicon.ico"] [unique_id "167129268381.104766"] [ref ""]

How can I solve this issue?
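As an added example (not part of the question or of any answer), a small Python script that parses the H-section entries quoted above, maps each matched rule's severity to the CRS 3.x default anomaly points (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), and checks the recomputed total against the threshold that rule 949110 reported; the sample lines are the three entries from the question with their long regex parameters trimmed, which shows which rule ids actually contributed to the score.

```python
import re

# Constructed sample: the three audit-log H-section lines quoted in the question above,
# with the long regex parameters of the first two trimmed to "..." and only the
# bracketed fields that matter for scoring kept.
SAMPLE_H_SECTION = """\
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `REQUEST_HEADERS:accept' (Value: `image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1147"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [severity "2"] [tag "paranoia-level/1"] [uri "/favicon.ico"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `...' against variable `REQUEST_LINE' (Value: `GET /favicon.ico HTTP/1.1' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "48"] [id "920100"] [msg "Invalid HTTP Request Line"] [severity "4"] [tag "paranoia-level/1"] [uri "/favicon.ico"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "2"] [uri "/favicon.ico"]
"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
THRESHOLD_RE = re.compile(r"parameter `(\d+)' against variable `TX:ANOMALY_SCORE' \(Value: `(\d+)'")
# CRS 3.x default anomaly points per ModSecurity severity: 2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE.
SEVERITY_POINTS = {"2": 5, "3": 4, "4": 3, "5": 2}

def parse_h_section(text):
    """One dict per 'ModSecurity:' line holding its [key "value"] fields plus the raw line.
    Repeated keys such as 'tag' collapse to the last value; scoring only needs id/msg/severity."""
    events = []
    for line in text.splitlines():
        if line.startswith("ModSecurity:"):
            ev = dict(FIELD_RE.findall(line))
            ev["raw"] = line
            events.append(ev)
    return events

def score_breakdown(text):
    """Recompute the inbound anomaly score from the matched rules and compare it with the
    total and threshold that the blocking-evaluation rule (949110) reported."""
    contributions, threshold, reported = [], None, None
    for ev in parse_h_section(text):
        m = THRESHOLD_RE.search(ev["raw"])
        if m:  # rule 949110 reports the score and threshold; it adds no points of its own
            threshold, reported = int(m.group(1)), int(m.group(2))
            continue
        contributions.append((ev.get("id"), ev.get("msg"), SEVERITY_POINTS.get(ev.get("severity"), 0)))
    computed = sum(points for _, _, points in contributions)
    return {"contributions": contributions, "computed_total": computed, "reported_total": reported,
            "threshold": threshold, "blocked": threshold is not None and computed >= threshold}

if __name__ == "__main__":
    result = score_breakdown(SAMPLE_H_SECTION)
    for rule_id, msg, points in result["contributions"]:
        print(f"rule {rule_id}: +{points} points ({msg})")
    print(f"computed {result['computed_total']} vs reported {result['reported_total']}, threshold {result['threshold']}, blocked={result['blocked']}")
```

The per-rule breakdown is what you need to write a targeted rule exclusion (for example with SecRuleRemoveById or a runtime ctl action) instead of switching modsecurity off for the whole site.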