Re: [mod-security-users] HTTP POST Hangs with Modsecurity 2.9 and Nginx
From: Felipe C. <FC...@tr...> - 2015-03-30 11:52:25
Hi Morris,

Please try our "nginx_refactoring" branch, available at:
 - https://github.com/SpiderLabs/ModSecurity/tree/nginx_refactoring

You also may want to disable the SecRequestBodyAccess:
 - https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecRequestBodyAccess

Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 3/29/15, 1:10 PM, "Morris Taylor" <mo...@em...> wrote:

> Hi there,
>
> The following is the part of the debug log about a POST Request:
>
>
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][5] Rule 7f9f87e34338: SecRule "&TX:COMBINED_FILE_SIZES" "@eq 1" "phase:2,log,chain,t:none,block,msg:'Total uploaded files size too large',id:960343,severity:4,rev:2,ver:OWASP_CRS/2.2.9,maturity:9,accuracy:9,tag:OWASP_CRS/POLICY/SIZE_LIMIT"
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Transformation completed in 2 usec.
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Executing operator "eq" with param "1" against &TX:COMBINED_FILE_SIZES.
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Operator completed in 1 usec.
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Rule returned 0.
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Hook insert_filter: Adding input forwarding filter (r 7f9f86b500a0).
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Hook insert_filter: Adding output filter (r 7f9f86b500a0).
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Input filter: Forwarding input: mode=0, block=0, nbytes=-1 (f 7f9f86b514c8, r 7f9f86b500a0).
> [29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Input filter: Forwarded 8192 bytes.
>
>
> The debug log for my post request stopped there. According to the last two
> lines of the log, it seems weird that ModSecurity has trouble forwarding the
> accurate payload to the backend server...
> --
> BR, Morris
>
> On Sun, Mar 29, 2015, at 11:41 PM, Morris Taylor wrote:
>> Dear All,
>>
>> Has anyone encountered the same issue? I tried to upload some small files
>> to my web application through the nginx proxy with ModSecurity enabled
>> (DetectionOnly) and found my HTTP POST request was hanging and an empty
>> response was returned. I tried to use the recommended ModSecurity conf;
>> however, things didn't work at all. Therefore, I tried to use tcpdump to
>> inspect the packets between the proxy and the backend server, and I found
>> most of the packets were sent to the proxy, and fewer were being forwarded
>> to the backend server. It seems ModSecurity has trouble forwarding the
>> request body (POST data) to my backend server. Can anyone help me solve
>> this issue? Thanks!
>>
>> --
>> BR, Morris
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
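The debug log quoted in the thread ends after the input forwarding filter reports a single 8192-byte chunk, which is the signature Morris describes: the body is accepted by the proxy but never fully reaches the backend. As an added example that is not part of this thread and not code from the ModSecurity project, the Python script below parses the 2.x debug-log line layout shown above, groups entries by request id (rid), totals the bytes the input filter reported per request and lists every request whose forwarded count falls short of the body size the client declared. The sample log lines, request ids, URIs and Content-Length values are constructed; in practice the declared size comes from the access log or the client that sent the request. One caveat on Felipe's workaround: with SecRequestBodyAccess Off, phase 2 rules that inspect the request body (such as the upload-size rule 960343 in the log) no longer see it, so it is a way to confirm where the hang sits rather than a long-term setting.

```python
"""Summarise a ModSecurity 2.x debug log per request id (rid).

Added example for this thread, not code from the ModSecurity project.
It parses the debug-log line layout quoted above and totals the bytes
that the input forwarding filter reported per request, so a POST whose
body never fully reached the backend stands out without reading the
whole log.
"""
import re
from collections import OrderedDict

# Layout seen in the thread: [timestamp] [/sid#..][rid#..][uri][level] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[/?sid#(?P<sid>[0-9a-f]+)\]\[rid#(?P<rid>[0-9a-f]+)\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d)\] (?P<msg>.*)$"
)
FORWARDED_RE = re.compile(r"Input filter: Forwarded (\d+) bytes\.")
RULE_RET_RE = re.compile(r"Rule returned (\d+)\.")

# Constructed sample (ids, URIs and sizes invented for illustration): the
# first request stops after a single 8192-byte chunk, as in the thread; the
# second one forwards its whole 512-byte body in two chunks.
SAMPLE_LOG = """\
[29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Rule returned 0.
[29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Hook insert_filter: Adding input forwarding filter (r 7f9f86b500a0).
[29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Input filter: Forwarding input: mode=0, block=0, nbytes=-1 (f 7f9f86b514c8, r 7f9f86b500a0).
[29/Mar/2015:23:26:18 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b500a0][/file/new][4] Input filter: Forwarded 8192 bytes.
[29/Mar/2015:23:26:19 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b600b0][/login][4] Rule returned 0.
[29/Mar/2015:23:26:19 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b600b0][/login][4] Input filter: Forwarded 256 bytes.
[29/Mar/2015:23:26:19 +0800] [/sid#7f9f8c5c90a0][rid#7f9f86b600b0][/login][4] Input filter: Forwarded 256 bytes.
"""

# Body sizes the clients declared (Content-Length); constructed here, in
# practice taken from the access log or the client that sent the request.
EXPECTED_SIZES = {"7f9f86b500a0": 150000, "7f9f86b600b0": 512}


def parse_line(line):
    """Split one debug-log line into its fields; None if it does not match
    (wrapped continuation lines from a mail client fall through here)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(log_text):
    """Group entries by rid; return rid -> {uri, rules, chunks, forwarded, last_msg}."""
    requests = OrderedDict()
    for raw in log_text.splitlines():
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        summary = requests.setdefault(entry["rid"], {
            "uri": entry["uri"], "rules": 0, "chunks": 0,
            "forwarded": 0, "last_msg": ""})
        msg = entry["msg"]
        if RULE_RET_RE.search(msg):
            summary["rules"] += 1
        forwarded = FORWARDED_RE.search(msg)
        if forwarded:
            summary["chunks"] += 1
            summary["forwarded"] += int(forwarded.group(1))
        summary["last_msg"] = msg
    return requests


def stalled_uploads(log_text, expected_sizes):
    """Return (rid, uri, forwarded, expected) for every request whose input
    filter forwarded fewer bytes than the client declared."""
    stalled = []
    for rid, summary in summarise(log_text).items():
        expected = expected_sizes.get(rid)
        if expected is not None and summary["forwarded"] < expected:
            stalled.append((rid, summary["uri"], summary["forwarded"], expected))
    return stalled


if __name__ == "__main__":
    for rid, uri, got, want in stalled_uploads(SAMPLE_LOG, EXPECTED_SIZES):
        last = summarise(SAMPLE_LOG)[rid]["last_msg"]
        print(f"rid {rid} {uri}: forwarded {got} of {want} bytes; last entry: {last}")
```

Run it against a real debug log with `SecDebugLogLevel` high enough to include the level-4 filter messages; the rid values in the report can then be matched against the access log to find the request that stalled. Lines that a mail client has wrapped mid-token, as in the quoted log above, will not match the layout and are skipped rather than mis-attributed.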