Hey Marco,
Thank you for reporting back. Glad you solved the problem and nice to hear
you are using CRS3.
Cheers,
Christian
On Fri, Apr 06, 2018 at 08:16:22PM +0200, Marco Pizzoli wrote:
> Hi Christian,
>
> On Fri, Apr 6, 2018 at 4:46 PM, Christian Folini <
> chr...@ne...> wrote:
>
> > Hey Marco,
> >
> > Good to read you here.
> >
>
> :-)
>
> > What rule set are you using?
> >
>
> CRS 3
>
>
> > But regardless of the ruleset, I think you should run a full traffic log
> > and try to reproduce the request getting a 403. If the error- and the
> > audit-log is not telling you anything, the ModSec DebugLog will.
> >
>
> You will not believe it, but even with this simple answer I managed to find
> the culprit!
> One of my modsec rules stupidly (and hiddenly) blocking the request.
> Missing "pass" in the rule, so inheriting the SecDefaultAction... block! :-/
>
> Sorry for the noise, I will be paying more attention in the future... be
> assured...
>
> Thank you very much
> Marco
>
>
>
> > Unless it's not ModSecurity interfering.
> >
> > My 2 cents,
> >
> > Christian
> >
> > On Fri, Apr 06, 2018 at 04:36:11PM +0200, Marco Pizzoli wrote:
> > > Hi all,
> > > we are using Apache 2.4.x with ModSec 2.9.2 proxying Outlook Web Access
> > > 2016.
> > >
> > > I ran for a while in DetectionOnly, so whitelisting every necessary rule.
> > > When I switched to "On" (block), I started getting issues.
> > >
> > > During the first request the backend system answers with 401, and providing
> > > 3 WWW-Authenticate headers:
> > > WWW-Authenticate: Basic realm="myhostname.mydomain"
> > > WWW-Authenticate: Negotiate
> > > WWW-Authenticate: NTLM
> > >
> > > During the following request Apache directly answers 403 without proxying
> > > the request to the backend... nor logging anything useful.
> > >
> > > I don't understand how the switching from "DetectionOnly" to "On" could
> > > interfere with the processing without logging anything.
> > >
> > > I ask you what are the undocumented settings that are changed under the
> > > hood together with that configuration switch...
> > >
> > > Thank you in advance
> > > Marco
> >
> > > ------------------------------------------------------------
> > ------------------
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
> >
> >
> > --
> > https://www.feistyduck.com/training/modsecurity-training-course
> > https://www.feistyduck.com/books/modsecurity-handbook/
> > mailto:chr...@ne...
> > twitter: @ChrFolini
> >
> >
--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
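
Added example, not part of the original thread: a small Python check for the failure mode Marco describes, a rule with no disruptive action of its own (or an explicit `block`) that takes a blocking action from the `SecDefaultAction` of its phase. Under `DetectionOnly` the inherited action is never executed, so the problem only appears after switching to `On`. The sample rules, ids and the `tx.ntlm_seen` variable are constructed for illustration and are not Marco's actual rules; the disruptive-action list is assumed from the ModSecurity 2.x reference manual.

```python
import re
import shlex

# Disruptive actions (assumed from the ModSecurity 2.x reference manual).
DISRUPTIVE = {"allow", "block", "deny", "drop", "pass", "proxy", "redirect"}

# Constructed sample configuration, not taken from the thread.
SAMPLE = r'''
SecRuleEngine On
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,pass"
# helper rule without "pass": inherits deny from the phase 1 default
SecRule REQUEST_HEADERS:Authorization "@beginsWith NTLM" \
    "id:10001,phase:1,nolog,setvar:tx.ntlm_seen=1"
SecRule REQUEST_HEADERS:Authorization "@beginsWith NTLM" \
    "id:10002,phase:1,pass,nolog,setvar:tx.ntlm_seen=1"
'''

def parse_actions(text):
    """Split an action list on commas that are not inside single quotes."""
    actions = {}
    for item in re.findall(r"(?:[^,']|'[^']*')+", text):
        name, _, value = item.strip().partition(":")
        actions[name.strip().lower()] = value.strip()
    return actions

def disruptive_of(actions):
    return next((a for a in actions if a in DISRUPTIVE), None)

def find_inherited_blocks(config):
    """Return (rule id, phase, inherited action) for rules that disrupt via SecDefaultAction."""
    defaults, findings, in_chain = {}, [], False
    for line in config.replace("\\\n", " ").splitlines():  # join continuation lines
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0] == "SecDefaultAction":
            acts = parse_actions(tokens[1])
            defaults[acts.get("phase", "2")] = disruptive_of(acts) or "pass"
        elif tokens[0] in ("SecRule", "SecAction"):
            idx = 3 if tokens[0] == "SecRule" else 1
            acts = parse_actions(tokens[idx]) if len(tokens) > idx else {}
            chained_member, in_chain = in_chain, "chain" in acts
            if chained_member:
                continue  # only the chain starter carries the disruptive action
            phase = acts.get("phase", "2")          # rules default to phase 2
            inherited = defaults.get(phase, "pass")  # built-in default action is pass
            if disruptive_of(acts) in (None, "block") and inherited != "pass":
                findings.append((acts.get("id", "?"), phase, inherited))
    return findings
```

Calling `find_inherited_blocks(SAMPLE)` reports rule 10001 only; rule 10002 differs solely by its explicit `pass`.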