impimp

Reputation: 1

Apache mod_security blocking rewrite http to https (and www to non-www)

httpd-vhosts.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "c:/wamp64/www/mysite"
    Alias /.well-known "c:/wamp64/www/mysite/.well-known"

    RewriteEngine On
    # Leave ACME challenge requests on plain HTTP so the Alias above can serve them;
    # a vhost-level RewriteRule otherwise fires before the Alias is applied.
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    # Redirect everything else to the canonical HTTPS host, preserving the requested path.
    RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
</VirtualHost>

httpd-ssl.conf

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/example.com-key.pem"
    DocumentRoot "c:/wamp64/www/mysite"
    <Directory "c:/wamp64/www/mysite/">
        Options +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        # Apache 2.4 authorization; the 2.2-style Order/Allow directives are not needed alongside it.
        Require all granted
    </Directory>
    # No HTTP-to-HTTPS rewrite is needed in a *:443 vhost: %{HTTPS} is never "off" here.

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri=\"https://example.com/\""
    # "*" lets any origin read responses; narrow this to the origins that actually need it.
    Header set Access-Control-Allow-Origin "*"
    # Header names take no trailing colon; "X-Frame-Options:" would emit a malformed header name.
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"
</VirtualHost>

#

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/www.example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/www.example.com-key.pem"
    DocumentRoot "c:/wamp64/www/mysite"
    <Directory "c:/wamp64/www/mysite/">
        Options +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri=\"https://example.com/\""
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"

    RewriteEngine On
    # www to non-www: redirect to the canonical host, preserving the requested path.
    RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
</VirtualHost>

Without mod_security2 everything works without problems. When mod_security2 is on, redirects are blocked (403). When I add to httpd.conf

SecRuleRemoveById 959100

redirects work again. Please help, as I know it is not safe to remove this rule. Thank you.

PS. logs: https://drive.google.com/file/d/1AD42nQw27MPpZl9GEwioDtW2DpKBWRAL/view?usp=sharing

PS2. Removing the headers doesn't change anything.

Upvotes: 0

Views: 705

Answers (1)

xanadu

Reputation: 476

Looking at your log samples, we can see why your requests are being blocked (with 403 status code responses):

[msg "Outbound Anomaly Score Exceeded (score 0): individual paranoia level scores: , , , "]

This tells us two things:

  1. Your outbound anomaly score is set to 0. It should not be. (For reference, the default value is 4.)
  2. Some of the key scoring variables are not being initialised, which is probably why you have those rogue commas at the end without any score values (scores: , , , is supposed to show score numbers). I suspect that REQUEST-901-INITIALIZATION.conf is not being loaded. You need to make sure the Core Rule Set files are being include-d correctly.

If you need some guidance with writing a functioning Apache + ModSecurity + Core Rule Set configuration then take a look at this thorough tutorial.

Upvotes: 0
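A small diagnostic for the error-log symptom the answer points at, added here as an example and not part of the answer or of ModSecurity/CRS itself: it parses rule 959100 entries, flags a block at score 0 as an unset outbound threshold, and flags empty paranoia-level fields as a missing REQUEST-901-INITIALIZATION.conf include. The log lines are constructed to mimic the ModSecurity 2 error-log format, and the CRS 3 default threshold of 4 is assumed.

```python
import re
from typing import Dict, List, Optional

# CRS 3 default for tx.outbound_anomaly_score_threshold (assumed; set by REQUEST-901-INITIALIZATION.conf).
DEFAULT_OUTBOUND_THRESHOLD = 4

# Matches the rule id and message that CRS rule 959100 writes to the Apache error log.
MSG_RE = re.compile(
    r'\[id "(?P<id>\d+)"\].*?\[msg "Outbound Anomaly Score Exceeded '
    r'\(score (?P<score>\d+)\): individual paranoia level scores: (?P<pl>[^"]*)"\]'
)

# Constructed sample entries modelled on the ModSecurity 2 error-log format (not real logs).
# Line 1 reproduces the symptom quoted in the question; line 2 is a genuine block on a healthy install.
SAMPLE_LOG = """\
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 4). [id "959100"] [msg "Outbound Anomaly Score Exceeded (score 0): individual paranoia level scores: , , , "] [hostname "example.com"] [uri "/"]
[client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 4). [id "959100"] [msg "Outbound Anomaly Score Exceeded (score 4): individual paranoia level scores: 4, 0, 0, 0"] [hostname "example.com"] [uri "/admin/"]
"""


def parse_entry(line: str) -> Optional[Dict]:
    """Extract rule id, total outbound score and per-paranoia-level scores; None if not a 959100 entry."""
    m = MSG_RE.search(line)
    if not m:
        return None
    # An empty field means the TX variable was never initialised, which is not the same as a score of 0.
    pl = [int(p) if p.strip().isdigit() else None for p in m.group("pl").split(",")]
    return {"id": m.group("id"), "score": int(m.group("score")), "pl_scores": pl}


def diagnose(entry: Dict) -> List[str]:
    """Return human-readable findings for one parsed 959100 entry."""
    findings = []
    if entry["score"] < DEFAULT_OUTBOUND_THRESHOLD:
        findings.append(f"blocked at score {entry['score']} (below default threshold "
                        f"{DEFAULT_OUTBOUND_THRESHOLD}): tx.outbound_anomaly_score_threshold is unset or 0")
    if any(s is None for s in entry["pl_scores"]):
        findings.append("paranoia level score variables uninitialised: "
                        "REQUEST-901-INITIALIZATION.conf is probably not being included")
    if not findings:
        hits = [i + 1 for i, s in enumerate(entry["pl_scores"]) if s]
        findings.append(f"genuine outbound block; scoring paranoia level(s): {hits}")
    return findings


def diagnose_log(text: str) -> List[List[str]]:
    """Diagnose every 959100 entry in an error-log excerpt, in order."""
    return [diagnose(e) for e in map(parse_entry, text.splitlines()) if e]


if __name__ == "__main__":
    for n, findings in enumerate(diagnose_log(SAMPLE_LOG), 1):
        print(f"entry {n}:", *findings, sep="\n  ")
```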
