Re: [mod-security-users] issue with response body processing
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] issue with response body processing
|
From: Alex <adm...@ah...> - 2015-10-19 04:23:24
|
Hi Christian, What appears in the audit log (which appears to dump the response body) is a load of binary gibberish. If I switch off the compression, javascript code is in the response body (and is logged and doesnt cause an issue), which is fine. I assume embedded mode is what I should have since it is a stock install of apache and modsecurity. Theres no proxying going on that I am aware of. Something is causing modsecurity not to make the inspection take place before compression. I'll see if I can get some more info for the list if that is going to help :) Cheers Alex. On 2015-10-19 15:03, Christian Folini wrote: > Hello, > > On Mon, Oct 19, 2015 at 02:52:03PM +1100, Alex wrote: > >> Thank you for the followup. There is no reverse proxy setup in place, >> modsecurity is running on the application server. Does this change >> anything? > > Well, the doc says: > > "This directive is necessary in reverse proxy mode when the backend > servers support response compression, but you wish to inspect response > bodies. Unless you disable backend compression, ModSecurity will only > see compressed content, which is not very useful. This directive is not > necessary in embedded mode, because ModSecurity performs inspection > before response compression takes place." > > So technically, you should not have your problem in the first place. > So maybe it is not the compression after all. The match in your > response body suggests binary, but not quite. > What is this actually? Request and Response headers would be welcome. > > Ahoj, > > Christian |
