Hey Marco,
Good to read you here.
What rule set are you using?
But regardless of the ruleset, I think you should run a full traffic log
and try to reproduce the request getting a 403. If the error log and the
audit log are not telling you anything, the ModSec DebugLog will.
Unless it's not ModSecurity interfering.
My 2 cents,
Christian
On Fri, Apr 06, 2018 at 04:36:11PM +0200, Marco Pizzoli wrote:
> Hi all,
> we are using Apache 2.4.x with ModSec 2.9.2 proxying Outlook Web Access
> 2016.
>
> I ran for a while in DetectionOnly, so whitelisting every necessary rule.
> When I switched to "On" (block), I started getting issues.
>
> During the first request the backend system answers with 401, and providing
> 3 WWW-Authenticate headers:
> WWW-Authenticate: Basic realm="myhostname.mydomain"
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM
>
> During the following request Apache directly answers 403 without proxying
> the request to the backend... nor logging anything useful.
>
> I don't understand how the switching from "DetectionOnly" to "On" could
> interfere with the processing without logging anything.
>
> I ask you what are the undocumented settings that are changed under the
> hood together with that configuration switch...
>
> Thank you in advance
> Marco
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
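
One way to set up the logging suggested in the reply above for a single test client, so the 403 can be reproduced with full debug and audit output while other traffic stays quiet. This is an added example, not part of the original e-mails; the log paths, the rule id 10000 and the client address 192.0.2.10 (a documentation address) are assumptions.

```apache
# Added example for ModSecurity 2.9.x on Apache 2.4.
# Paths, rule id and client IP are assumptions; adjust to the local setup.

SecRuleEngine On

# Debug log: silent by default, raised per transaction by the rule below.
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0

# Audit log: request headers and body, response headers, trailer and
# the list of matched rules, written to a single serial file.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABCFHKZ

# Place this before the rule set includes so it runs first in phase 1.
# For the test client only: maximum debug verbosity and an audit log
# entry for every transaction, whatever the response status.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
    "id:10000,phase:1,pass,nolog,\
    ctl:debugLogLevel=9,\
    ctl:auditEngine=On"
```

If the reproduced request returns 403 and the debug log shows no entry for that transaction at all, the denial happened before ModSecurity processed the request, which matches the caveat in the reply that something other than ModSecurity may be interfering.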