[mod-security-users] Output Filters with mod_jk2

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello modsec guys,

I am sure someone already used modsecurity on a webserver which is
connecting to tomcat servers. I am running into the following problem:

Having rules like SecFilterSelective OUTPUT "evilstring" is working fine
as long as the document containing that evilstring is being served by
apache itself or of course, via mod_proxy. But it does not work like I
want it to with mod_jk(2).

If I request a page within a context mapped by mod_jk, p.e.
/app/evilfile containing the string, I get a successful pattern match:
mod_security: Access denied with code 200. Pattern match "evilstring"
at OUTPUT [uri "/app/evilfile"]

but

I am not receiving my standard error page for 404, 200, 500, 302 or
whatever I configure. I always get this reply (Yes I use 200s):

HTTP/1.1 200 OK
Date: Thu, 01 Sep 2005 10:54:19 GMT
Server: masked 1.0
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>200 OK</title>
</head><body>
<h1>OK</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 xxx and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<p>Additionally, a 200 OK
error was encountered while trying to use an ErrorDocument to handle the
request.</p>
</body></html>

which is obviously only half of what I want. With Apache served pages,
the reply is a perfect friendly 404(200). There is no information in the
error_log.

The effect is the same both when using 1.8.7 oder 1.9dev3; also going
with the early hook does not change things (I confirmed it by sending
TRACE requests).

So does someone of you have a clue what to do or where to have a look
at? Thanks in advance.

-mark