After some more trouble shooting, I've narrowed the problem down to occurring with mod_fastcgi 2.4.6 when a virtual host configured as follows

    Alias /fcgi-bin/ /var/www/vhost/fcgi-bin/

    <Location /fcgi-bin>
        SetHandler fastcgi-script
        Options +ExecCGI
    </Location>

    AddHandler php-cgi-script .php
    Action php-cgi-script /fcgi-bin/php-cgi



On Thu, Feb 21, 2013 at 5:46 PM, Ben WIlliams <benwilliams+modsec@joobworld.com> wrote:
Thanks for checking, but my requests are being serviced by apache and not being cached.
It may be a problem with my php cgi setup. Seems to work correctly until a php script is requested, then the rule doesn't run.


On Thu, Feb 21, 2013 at 1:57 PM, Breno Silva <breno.silva@gmail.com> wrote:
I tested here. Can you confirm if your request is not cached ?
Looks like it is working fine:

Returned:

HTTP/1.1 200 OK
Date: Wed, 20 Feb 2013 14:24:02 GMT
Server: Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14 OpenSSL/0.9.8k mod_fcgid/2.3.4
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 165
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html

Debug.log:

[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Starting phase RESPONSE_HEADERS.
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] This phase consists of 1 rule(s).
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Recipe: Invoking rule 20d99638; [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"].
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][5] Rule 20d99638: SecAction "phase:3,auditlog,log,pass,msg:phase3isWorking,id:1500000"
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Transformation completed in 3 usec.
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Executing operator "unconditionalMatch" with param "" against REMOTE_ADDR.
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][9] Target value: "192.168.0.104"
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Operator completed in 1 usec.
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][2] Warning. Unconditional match in SecAction. [file "/etc/apache2/modsecurity/modsecurity_crs_15_customrules.conf"] [line "596"] [id "1500000"] [msg "phase3isWorking"]
[20/Feb/2013:10:24:02 --0400] [192.168.0.105/sid#20dd7a90][rid#20df3fd0][/index.html][4] Rule returned 1.


On Wed, Feb 20, 2013 at 8:06 PM, Ben WIlliams <benwilliams+modsec@joobworld.com> wrote:
Yes, enabled debug log level 9 but in the case of requesting the text/html document the rule doesn't even get evaluated (nothing in debug log for that rule).


On Thu, Feb 21, 2013 at 11:39 AM, Ryan Barnett <RBarnett@trustwave.com> wrote:
Did you turn up debug log to 9, test and review it?

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

On Feb 20, 2013, at 5:37 PM, "Ben WIlliams" <benwilliams+modsec@joobworld.com> wrote:

> Please can someone verify if this is a bug in modsecurity or just my installation.
>
> SecResponseBodyAccess On
> SecResponseBodyMimeType text/plain text/html text/xml
> SecResponseBodyLimit 524288
> SecResponseBodyLimitAction ProcessPartial
>
> SecAction "phase:3,log,pass,msg:'phase3isWorking',id:'1500000'"
>
>
> Request a resource that returns content type text/html and the above rule does not run.
> Request a resource that returns content type image/png image/jpeg etc and rule runs ok.
>
> Thanks
> Ben
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_feb
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/