We have an Apache with modsecurity acting as a reverse proxy for a Microsoft web server. One of the pages is working ok if accessed directly, but fails if accessed through modsecurity. The audit logs show:

[22/Oct/2009:13:31:17 --0200] yVtTdX8AAAEAAB0nII8AAAAC 1672 80
GET /pdf.asp?Destino=http%3A%2F%2FImagem%2Ecamara%2Egov%2Ebr%2FImagem%2Fd%2Fpdf%2FDCD24JAN2006%2Epdf%23page%3D1 HTTP/1.1
Host: imagem.camara.gov.br
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv: Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-br,pt;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://imagem.camara.gov.br/diarios.asp
Cookie: __utma=260181407.2370074344953453600.1251391376.1251391376.1251463115.2; __utmz=260181407.1251463115.2.2.utmcsr=www2.camara.gov.
br|utmccn=(referral)|utmcmd=referral|utmcct=/; ASPSESSIONIDAACQDBSQ=JBIPNBDAEHJGPIDIEIAOKLPM
Cache-Control: max-age=0

HTTP/1.1 403 Forbidden
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Content-Language: pt-br

Action: Intercepted (phase 2)
Apache-Handler: type-map
Stopwatch: 1256225477710709 3760 (487 2985 -)
Producer: ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/); core ruleset/2.0.1; core ruleset/2.0.1.
Server: Apache/2.2.3 (Red Hat)

There is nothing on the error log. Can anyone help me understand what is going on here? Why is Apache/Modsecurity blocking this page?



If a tree falls in the forest and no one is around to see it, do the other trees make fun of it?