Hi Christian,
On Fri, Apr 6, 2018 at 4:46 PM, Christian Folini <chr...@ne...> wrote:
> Hey Marco,
>
> Good to read you here.
>
:-)
> What rule set are you using?
>
CRS 3
> But regardless of the ruleset, I think you should run a full traffic log
> and try to reproduce the request getting a 403. If the error- and the
> audit-log is not telling you anything, the ModSec DebugLog will.
>
You will not believe it, but even with this simple answer I managed to find
the culprit!
One of my modsec rules was stupidly (and hiddenly) blocking the request.
Missing "pass" in the rule, so inheriting the SecDefaultAction... block! :-/
Sorry for the noise, I will be paying more attention in the future... be
assured...
Thank you very much
Marco
> Unless it's not ModSecurity interfering.
>
> My 2 cents,
>
> Christian
>
> On Fri, Apr 06, 2018 at 04:36:11PM +0200, Marco Pizzoli wrote:
> > Hi all,
> > we are using Apache 2.4.x with ModSec 2.9.2 proxying Outlook Web Access
> > 2016.
> >
> > I ran for a while in DetectionOnly, so whitelisting every necessary rule.
> > When I switched to "On" (block), I started getting issues.
> >
> > During the first request the backend system answers with 401, and providing
> > 3 WWW-Authenticate headers:
> > WWW-Authenticate: Basic realm="myhostname.mydomain"
> > WWW-Authenticate: Negotiate
> > WWW-Authenticate: NTLM
> >
> > During the following request Apache directly answers 403 without proxying
> > the request to the backend... nor logging anything useful.
> >
> > I don't understand how the switching from "DetectionOnly" to "On" could
> > interfere with the processing without logging anything.
> >
> > I ask you what are the undocumented settings that are changed under the
> > hood together with that configuration switch...
> >
> > Thank you in advance
> > Marco
>
>
> --
> https://www.feistyduck.com/training/modsecurity-training-course
> https://www.feistyduck.com/books/modsecurity-handbook/
> mailto:chr...@ne...
> twitter: @ChrFolini
>
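
The failure mode Marco describes (a rule with no disruptive action of its own silently inheriting a blocking SecDefaultAction, which only takes effect once SecRuleEngine leaves DetectionOnly) can be checked for mechanically. The sketch below is an added example, not part of the original thread or of ModSecurity; the function names and the sample rules are constructed for illustration, and it assumes rules without a phase are phase 2 and a missing SecDefaultAction means the built-in `pass`.

```python
import re
import shlex

# Disruptive actions listed in the ModSecurity 2.x reference manual.
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "pause", "proxy", "redirect"}

# Constructed sample configuration, not the rules from the thread.
SAMPLE_CONF = r'''
SecRuleEngine On
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecRule REQUEST_HEADERS:Authorization "@beginsWith NTLM" \
    "id:10001,phase:1,nolog,setvar:tx.ntlm_seen=1"
SecRule REQUEST_HEADERS:Authorization "@beginsWith Negotiate" \
    "id:10002,phase:1,nolog,pass,setvar:tx.nego_seen=1"
SecRule REQUEST_URI "@beginsWith /owa/" "id:10003,phase:2,deny,chain"
    SecRule REQUEST_METHOD "!@within GET POST" "t:none"
'''

def parse_actions(action_list):
    """Map action name -> parameter for one comma-separated action list."""
    stripped = re.sub(r"'[^']*'", "", action_list)  # quoted values may hold commas
    pairs = (item.strip().partition(":") for item in stripped.split(","))
    return {name.lower(): value for name, _, value in pairs if name}

def find_inheriting_rules(conf_text):
    """Return (id, phase, inherited action) for rules with no disruptive action."""
    text = re.sub(r"\\\r?\n", " ", conf_text)  # join continuation lines
    defaults, findings, in_chain = {}, [], False
    for line in text.splitlines():
        m = re.match(r"\s*(SecDefaultAction|SecRule|SecAction)\s", line)
        if not m:
            continue
        tokens = shlex.split(line)
        idx = 3 if m.group(1) == "SecRule" else 1  # position of the action list
        acts = parse_actions(tokens[idx] if len(tokens) > idx else "")
        phase = acts.get("phase", "2")  # phase 2 is the default
        own = sorted(DISRUPTIVE & acts.keys())
        if m.group(1) == "SecDefaultAction":
            defaults[phase] = own[0] if own else "pass"
            continue
        # Only the first rule of a chain carries the disruptive action.
        chained, in_chain = in_chain, "chain" in acts
        if not chained and not own:
            findings.append((acts.get("id", "?"), phase, defaults.get(phase, "pass")))
    return findings

if __name__ == "__main__":
    for rule_id, phase, inherited in find_inheriting_rules(SAMPLE_CONF):
        print(f"rule {rule_id} (phase {phase}) inherits '{inherited}' from SecDefaultAction")
```

On the constructed sample only rule 10001 is reported: 10002 carries an explicit `pass`, and the second rule of the chain is skipped because it cannot have a disruptive action of its own.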