Re: [mod-security-users] HTTP POST Hangs with Modsecurity 2.9 and Nginx

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi there, 

    The following is the part of the debug log about a POST Request:


[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][5] Rule 7f9f87e34338:
SecRule "&TX:COMBINED_FILE_SIZES" "@e
q 1" "phase:2,log,chain,t:none,block,msg:'Total uploaded files size too
large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,
accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Transformation
completed in 2 usec.
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Executing operator
"eq" with param "1" against &TX:COMBI
NED_FILE_SIZES.
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Operator completed
in 1 usec.
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Rule returned 0.
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Hook insert_filter:
Adding input forwarding filter (r 7f
9f86b500a0).
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Hook insert_filter:
Adding output filter (r 7f9f86b500a0).
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Input filter:
Forwarding input: mode=0, block=0, nbytes=-1 (f 7f9f86b514c8, r
7f9f86b500a0).
[29/Mar/2015:23:26:18 +0800]
[/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Input filter:
Forwarded 8192 bytes.


The debug log for my post request stopped there. According to last two
lines of the log, it seems weird that mod security have trouble to
forward accurate payload to backend server...
-- 
BR,  Morris

On Sun, Mar 29, 2015, at 11:41 PM, Morris Taylor wrote:
> Dear All,
> 
>      Have anyone encountered the same issue? I tried to upload some
>      small size file to my web application through the nginx proxy with
>      mod security enabled(DetectionOnly) and found my http post request
>      was hanging and an empty response was returned. I tried to use
>      recommend mod security conf, however, things didn't work at all.
>      Therefore, I tried to use tcpdump to inspect the packets between
>      the proxy and the backend server, I found most of the packets were
>      sent to the proxy, and less were being forward to the backend
>      server. It seems mod security has trouble to forward the request
>      body(POST DATA) to my backend server. Can anyone help me to solve
>      this issue? Thanks!
> 
> -- 
> BR, Morris
> 
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub
> for all
> things parallel software development, from weekly thought leadership
> blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/