Re: [mod-security-users] Friendly blocking fails when HTTP status set
From: Walter H. <mo...@sp...> - 2013-09-15 18:02:47
> there is no error 509
> period
>
> why not using existing status codes like 400 and define for them
> a custom error page? this works for sure since we use 400 on
> all our machines if modsec is triggered
>
> http://www.thelounge.net/%3Cscript

Hi Harald,

I've tried that! I've attempted using error 400, 403, and 406 before mailing the list. The choice of error code has no effect on this problem at all.

If *and only if* a website script sent a non-200 response status, and ModSecurity blocks in phase 3 or 4, no matter what the chosen ModSecurity-generated status is, the custom error page in ErrorDocument is not shown.

For instance, with error 400, Apache says, "Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request."

Can you see your custom ErrorDocument when a website script has sent a non-200 status? (So to test it, you must trigger some outbound rule; on inbound rules the script just won't run)

Cheers,
WH