Closed MeowMeowVenom closed 3 years ago
Could you check ModSecurity audit logs to understand the reason why requests are blocked?
Well, now comes another issue! They are blank for some reason, even after I set them to debug mode.
Gotta fix it :(
Edit: Raising an issue there too regarding this https://github.com/SpiderLabs/ModSecurity-nginx/issues/248
Nginx gave some logs that might help out
2021/07/31 15:39:25 [notice] 21700#21700: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:39:25 [notice] 21700#21700: signal process started
2021/07/31 15:39:47 [notice] 21718#21718: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:39:47 [notice] 21718#21718: signal process started
2021/07/31 15:40:08 [error] 21719#21719: *6114 open() "/var/www/mydomain.com/public/t/fonts/fa-solid-900.woff2" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-solid-900.woff2 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:40:09 [error] 21719#21719: *6115 open() "/var/www/mydomain.com/public/t/fonts/fa-solid-900.woff" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-solid-900.woff HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:40:10 [error] 21719#21719: *6118 open() "/var/www/mydomain.com/public/t/fonts/fa-solid-900.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-solid-900.ttf HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:40:10 [error] 21719#21719: *6120 open() "/var/www/mydomain.com/public/d/fonts/fa-solid-900.woff2" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-solid-900.woff2 HTTP/1.1", host: "mydomain.com"
2021/07/31 15:40:11 [error] 21719#21719: *6121 open() "/var/www/mydomain.com/public/d/fonts/fa-solid-900.woff" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-solid-900.woff HTTP/1.1", host: "mydomain.com"
2021/07/31 15:40:12 [error] 21719#21719: *6122 open() "/var/www/mydomain.com/public/d/fonts/fa-solid-900.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-solid-900.ttf HTTP/1.1", host: "mydomain.com"
2021/07/31 15:40:13 [error] 21719#21719: *6123 open() "/var/www/mydomain.com/public/t/fonts/fa-solid-900.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-solid-900.ttf HTTP/1.1", host: "mydomain.com", referrer: "arc.io"
2021/07/31 15:40:14 [error] 21719#21719: *6125 open() "/var/www/mydomain.com/public/fonts/fa-regular-400.woff2" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /fonts/fa-regular-400.woff2 HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:40:15 [error] 21719#21719: *6127 open() "/var/www/mydomain.com/public/fonts/fa-regular-400.woff" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /fonts/fa-regular-400.woff HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:40:15 [error] 21719#21719: *6128 open() "/var/www/mydomain.com/public/d/fonts/fa-solid-900.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-solid-900.ttf HTTP/2.0", host: "mydomain.com", referrer: "arc.io"
2021/07/31 15:40:16 [error] 21719#21719: *6129 open() "/var/www/mydomain.com/public/fonts/fa-regular-400.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /fonts/fa-regular-400.ttf HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:40:19 [error] 21719#21719: *6130 open() "/var/www/mydomain.com/public/fonts/fa-regular-400.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /fonts/fa-regular-400.ttf HTTP/1.1", host: "mydomain.com", referrer: "arc.io"
2021/07/31 15:40:21 [error] 21719#21719: *6104 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:40:35 [error] 21719#21719: *6136 open() "/var/www/mydomain.com/public/d/fonts/fa-regular-400.woff2" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-regular-400.woff2 HTTP/2.0", host: "mydomain.com"
2021/07/31 15:40:40 [error] 21719#21719: *6137 open() "/var/www/mydomain.com/public/d/fonts/fa-regular-400.woff" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-regular-400.woff HTTP/1.1", host: "mydomain.com"
2021/07/31 15:40:41 [error] 21719#21719: *6138 open() "/var/www/mydomain.com/public/d/fonts/fa-regular-400.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-regular-400.ttf HTTP/2.0", host: "mydomain.com"
2021/07/31 15:40:44 [error] 21719#21719: *6141 open() "/var/www/mydomain.com/public/d/fonts/fa-regular-400.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /d/fonts/fa-regular-400.ttf HTTP/1.1", host: "mydomain.com", referrer: "arc.io"
2021/07/31 15:40:54 [notice] 21730#21730: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:40:54 [notice] 21730#21730: signal process started
2021/07/31 15:42:31 [error] 21731#21731: *6167 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&sort&page%5Boffset%5D=20 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:42:39 [error] 21731#21731: *6147 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&sort&page%5Boffset%5D=20 HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:43:06 [error] 21731#21731: *6173 open() "/var/www/mydomain.com/public/t/fonts/fa-regular-400.woff2" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-regular-400.woff2 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:43:06 [error] 21731#21731: *6174 open() "/var/www/mydomain.com/public/t/fonts/fa-regular-400.woff" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-regular-400.woff HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:43:07 [error] 21731#21731: *6175 open() "/var/www/mydomain.com/public/t/fonts/fa-regular-400.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-regular-400.ttf HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:43:10 [error] 21731#21731: *6176 open() "/var/www/mydomain.com/public/t/fonts/fa-regular-400.ttf" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /t/fonts/fa-regular-400.ttf HTTP/1.1", host: "mydomain.com", referrer: "arc.io"
2021/07/31 15:43:23 [error] 21731#21731: *6181 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&sort&page%5Boffset%5D=20 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:43:35 [error] 21731#21731: *6186 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&sort&page%5Boffset%5D=20 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:43:49 [error] 21731#21731: *6191 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&sort&page%5Boffset%5D=0 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:43:50 [error] 21731#21731: *6192 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&filter%5Btag%5D=i-t-software&sort&page%5Boffset%5D=0 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/t/i-t-software"
2021/07/31 15:43:57 [error] 21731#21731: *6198 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?filter%5Bq%5D=gee&page%5Blimit%5D=3&include=mostRelevantPost HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/categories"
2021/07/31 15:43:57 [error] 21731#21731: *6184 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?filter%5Bq%5D=geek&page%5Blimit%5D=3&include=mostRelevantPost HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/categories"
2021/07/31 15:44:00 [error] 21731#21731: *6203 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?filter%5Bq%5D=geekfor&page%5Blimit%5D=3&include=mostRelevantPost HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/categories"
2021/07/31 15:44:01 [error] 21731#21731: *6147 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&filter%5Btag%5D=forum-guide-rules&sort&page%5Boffset%5D=0 HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/t/forum-guide-rules"
2021/07/31 15:44:02 [error] 21731#21731: *6184 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2CmostRelevantPost%2CmostRelevantPost.user%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&filter%5Bq%5D=geekforgeeks&sort&page%5Boffset%5D=0 HTTP/2.0", host: "mydomain.com"
2021/07/31 15:44:02 [error] 21731#21731: *6205 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?filter%5Bq%5D=geekforgeeks&page%5Blimit%5D=3&include=mostRelevantPost HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/categories"
2021/07/31 15:44:06 [error] 21731#21731: *6207 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "GET /api/discussions?include=user%2ClastPostedUser%2Ctags%2Ctags.parent%2CfirstPost%2CfirstPost%2Cposts%2Cposts.user&sort&page%5Boffset%5D=0 HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:44:11 [notice] 21811#21811: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:44:11 [notice] 21811#21811: signal process started
2021/07/31 15:47:12 [notice] 21820#21820: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:47:12 [notice] 21820#21820: signal process started
2021/07/31 15:47:23 [error] 21821#21821: *6223 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627739243"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:47:46 [notice] 21827#21827: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:47:46 [notice] 21827#21827: signal process started
2021/07/31 15:51:16 [notice] 21846#21846: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:51:16 [notice] 21846#21846: signal process started
2021/07/31 15:55:08 [notice] 21882#21882: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:55:08 [notice] 21882#21882: signal process started
2021/07/31 15:56:12 [notice] 21901#21901: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:56:12 [notice] 21901#21901: signal process started
2021/07/31 15:56:56 [notice] 21916#21916: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:56:56 [notice] 21916#21916: signal process started
2021/07/31 15:57:13 [error] 21917#21917: *6354 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627739833"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:57:34 [notice] 21931#21931: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:57:34 [notice] 21931#21931: signal process started
2021/07/31 16:04:18 [notice] 22041#22041: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 16:04:21 [notice] 22043#22043: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 16:04:21 [notice] 22043#22043: signal process started
2021/07/31 16:04:43 [error] 22044#22044: *6499 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740283"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:04:54 [error] 22044#22044: *6503 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740294"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:04:58 [error] 22044#22044: *6504 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740298"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:01 [error] 22044#22044: *6503 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740301"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:02 [error] 22044#22044: *6505 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740302"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:03 [error] 22044#22044: *6506 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740303"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:04 [error] 22044#22044: *6507 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740304"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:05 [error] 22044#22044: *6499 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740305"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:06 [error] 22044#22044: *6503 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740306"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:07 [error] 22044#22044: *6499 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740307"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:25 [error] 22044#22044: *6499 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740325"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:36 [error] 22044#22044: *6499 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/"] [unique_id "1627740336"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "GET /?id=3%20or%20%27a%27=%27a%27 HTTP/2.0", host: "mydomain.com"
2021/07/31 16:07:51 [notice] 22057#22057: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 16:07:51 [notice] 22057#22057: signal process started
2021/07/31 16:17:11 [error] 22058#22058: *6637 open() "/var/www/mydomain.com/public/apple-touch-icon-precomposed.png" failed (2: No such file or directory), client: 240.37.170.248, server: mydomain.com, request: "GET /apple-touch-icon-precomposed.png HTTP/1.1", host: "mydomain.com"
2021/07/31 16:25:14 [error] 22058#22058: *6836 open() "/var/www/mydomain.com/public/fontawesome/css/all.css" failed (2: No such file or directory), client: 249.92.237.153, server: mydomain.com, request: "GET /fontawesome/css/all.css HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:25:21 [notice] 22403#22403: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 16:25:21 [notice] 22403#22403: signal process started
2021/07/31 16:25:49 [error] 22405#22405: *6896 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/"] [unique_id "1627741549"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "GET /?id=3%20or%20%27a%27=%27a%27 HTTP/1.1", host: "mydomain.com"
2021/07/31 16:25:55 [error] 22405#22405: *6900 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627741555"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:26:52 [notice] 22428#22428: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 16:26:52 [notice] 22428#22428: signal process started
2021/07/31 16:27:17 [error] 22429#22429: *6960 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627741637"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
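Added example for triaging the log above (my own code, not from the thread or from the Flarum or ModSecurity projects): a small Python parser for the `ModSecurity: Access denied` lines in the nginx error log. It pulls out rule id, phase, anomaly score, method and path, tallies denials per endpoint, and flags that a 949110 hit carries only the total score, so the rule that scored the points still has to come from the audit log. The sample lines are copied from the log above; all function and field names are my own.

```python
"""Triage ModSecurity denials in the nginx error log (added example, not project code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input copied from the error log posted in the thread (client addresses were
# already redacted by the poster): a startup notice, a plain open() error, two denials.
SAMPLE_LOG = """\
2021/07/31 15:47:12 [notice] 21820#21820: ModSecurity-nginx v1.0.2 (rules loaded inline/local/remote: 0/911/0)
2021/07/31 15:40:21 [error] 21719#21719: *6104 open() "/var/www/mydomain.com/public/api/discussions" failed (2: No such file or directory), client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 15:47:23 [error] 21821#21821: *6223 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627739243"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/2.0", host: "mydomain.com", referrer: "https://mydomain.com/"
2021/07/31 16:05:36 [error] 22044#22044: *6499 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/"] [unique_id "1627740336"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "GET /?id=3%20or%20%27a%27=%27a%27 HTTP/2.0", host: "mydomain.com"
"""

CRS_BLOCKING_RULE = "949110"  # REQUEST-949-BLOCKING-EVALUATION: the rule that sums the anomaly score
CRS_CRITICAL_WEIGHT = 5       # CRS 3.x default points for one critical-severity rule
SEVERITY_NAMES = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR",
                  "4": "WARNING", "5": "NOTICE", "6": "INFO", "7": "DEBUG"}

# "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn <rest>" is the nginx error-log prefix.
_PREFIX_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] \d+#\d+: \*\d+ (.*)$")
_KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')           # libmodsecurity [key "value"] pairs
_DENIED_RE = re.compile(r"Access denied with code (\d+) \(phase (\d+)\)")
_VALUE_RE = re.compile(r"\(Value: `(\d+)' \)")         # the TX:ANOMALY_SCORE that was compared
_REQUEST_RE = re.compile(r'request: "(\S+) (\S+) HTTP/[\d.]+"')


@dataclass
class Denial:
    timestamp: str
    status: int
    phase: int
    rule_id: str
    severity: str
    message: str
    anomaly_score: Optional[int]
    method: str
    uri: str          # path as ModSecurity recorded it in [uri "..."]
    target: str       # full request target, query string included
    tags: List[str] = field(default_factory=list)


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one 'ModSecurity: Access denied' error-log line; None for anything else."""
    m = _PREFIX_RE.match(line)
    if not m or "ModSecurity: Access denied" not in m.group(3):
        return None
    body = m.group(3)
    kv: Dict[str, str] = {}
    tags: List[str] = []
    for key, value in _KV_RE.findall(body):
        if key == "tag":          # [tag "..."] repeats; every other key is single-valued
            tags.append(value)
        else:
            kv[key] = value
    denied = _DENIED_RE.search(body)
    score = _VALUE_RE.search(body)
    req = _REQUEST_RE.search(body)
    method, target = req.groups() if req else ("?", kv.get("uri", "?"))
    return Denial(
        timestamp=m.group(1),
        status=int(denied.group(1)) if denied else 0,
        phase=int(denied.group(2)) if denied else 0,
        rule_id=kv.get("id", ""),
        severity=SEVERITY_NAMES.get(kv.get("severity", ""), "UNKNOWN"),
        message=kv.get("msg", ""),
        anomaly_score=int(score.group(1)) if score else None,
        method=method,
        uri=kv.get("uri", target.split("?", 1)[0]),
        target=target,
        tags=tags,
    )


def parse_log(text: str) -> List[Denial]:
    """All denials in an error log, in file order; notices and open() errors are skipped."""
    return [d for d in (parse_denial(ln) for ln in text.splitlines()) if d is not None]


def denials_by_endpoint(denials: List[Denial]) -> Counter:
    """Count denials per (method, path). A legitimate endpoint that keeps showing up,
    like POST /api/discussions here, is the candidate for a targeted CRS exclusion."""
    return Counter((d.method, d.uri) for d in denials)


def needs_audit_log(d: Denial) -> bool:
    """True when the line is the 949110 blocking decision. That line reports only the
    total score; the rule that actually scored the points is not in it, so the audit
    log (or the per-rule warning lines) is needed to identify it."""
    return d.rule_id == CRS_BLOCKING_RULE


def single_critical_hit(d: Denial) -> bool:
    """A total equal to the CRS critical weight is consistent with exactly one
    critical-severity rule having fired (default weights are 5/4/3/2)."""
    return d.anomaly_score == CRS_CRITICAL_WEIGHT


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for d in found:
        print(f"{d.timestamp} {d.method} {d.target} -> {d.status} rule {d.rule_id} "
              f"score={d.anomaly_score} audit_log_needed={needs_audit_log(d)}")
    for (method, uri), n in denials_by_endpoint(found).most_common():
        print(f"{n:3d} {method} {uri}")
```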
Looking through that log, it appears that your rewrite rules in Nginx aren't working, which might be triggering the error. Could you paste your Nginx config for Flarum?
/etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
include /usr/share/nginx/modules/*.conf;
load_module modules/ngx_http_modsecurity_module.so;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    # Pagespeed main settings
    pagespeed on;
    pagespeed FileCachePath /var/ngx_pagespeed_cache;
    # Ensure requests for pagespeed optimized resources go to the pagespeed
    # handler and no extraneous headers get set.
    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" { add_header "" ""; }
    location ~ "^/ngx_pagespeed_static/" { }
    location ~ "^/ngx_pagespeed_beacon" { }

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 64;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    log_format custom '"$http_x_forwarded_for" $remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" ';
    access_log /var/log/nginx/access.log custom;
    error_log /var/log/nginx/error.log;
    #limit_req_zone $http_x_forwarded_for zone=one:1m rate=30r/m;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    proxy_hide_header X-Powered-By;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header "X-XSS-Protection" "1; mode=block";
    # add_header X-Frame-Options "SAMEORIGIN" always;

    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 104.16.0.0/13;
    set_real_ip_from 104.24.0.0/14;
    real_ip_header X-Forwarded-For;

    # allow localhost;
    allow 127.0.0.1;
    allow 173.245.48.0/20;
    allow 103.21.244.0/22;
    allow 103.22.200.0/22;
    allow 103.31.4.0/22;
    allow 141.101.64.0/18;
    allow 108.162.192.0/18;
    allow 190.93.240.0/20;
    allow 188.114.96.0/20;
    allow 197.234.240.0/22;
    allow 198.41.128.0/17;
    allow 162.158.0.0/15;
    allow 172.64.0.0/13;
    allow 131.0.72.0/22;
    allow 104.16.0.0/13;
    allow 104.24.0.0/14;
    # real_ip_header CF-Connecting-IP;
    # deny all;

    include /etc/nginx/conf.d/*.conf;
    # include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}
domain config
map $http_upgrade $type {
    default "web";
    websocket "ws";
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    root /var/www/domain.com/public/;
    index index.php;
    server_name domain.com;
    # include /var/www/domain.com/domain/.nginx.conf;
    # ssl on;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    if ($host != "domain.com") {
        return 403;
    }

    # location / {
    #     try_files $uri $uri/ /index.php?$query_string;
    # }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    include /var/www/domain.com/.nginx.conf;

    location / {
        try_files /nonexistent @$type;
    }

    location @ws {
        proxy_pass http://127.0.0.1:2083;
        proxy_read_timeout 60;
        proxy_connect_timeout 60;
        proxy_redirect off;
        # Allow the use of websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name monitor.domain.com;

    location / {
        proxy_pass "http://localhost:19999/";
    }

    if ($host != "monitor.domain.com") {
        return 403;
    }

    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
}
I edited the default .nginx.conf from Flarum for br compression and websockets.
# Pass requests that don't refer directly to files in the filesystem to index.php
location @web {
try_files $uri $uri/ /index.php?$query_string;
}
# Uncomment the following lines if you are not using a `public` directory
# to prevent sensitive resources from being exposed.
location ~* ^/(\.git|composer\.(json|lock)|auth\.json|config\.php|flarum|storage|vendor) {
deny all;
return 404;
}
# The following directives are based on best practices from H5BP Nginx Server Configs
# https://github.com/h5bp/server-configs-nginx
# Expire rules for static content
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
add_header Cache-Control "max-age=0";
}
location ~* \.(?:rss|atom)$ {
add_header Cache-Control "max-age=3600";
}
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
add_header Cache-Control "max-age=60d";
access_log off;
}
location ~* \.(?:css|js)$ {
add_header Cache-Control "max-age=60d";
access_log off;
}
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
add_header Cache-Control "max-age=60d";
access_log off;
}
# Gzip compression
gzip on;
gzip_comp_level 9;
gzip_min_length 20;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/jpeg
image/png
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
#brotli
brotli on;
brotli_comp_level 11;
brotli_static on;
brotli_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/jpeg
image/png
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
Edit: My config might seem messy; you may propose some changes to it 😅
Maybe flarum can get a custom rule set, just like wordpress 🤔
So, just to be clear, when you disable mod_security Flarum does work? Or does it not work properly?
Yes, it works perfectly fine.
Now, out of frustration, I removed mod_security completely (because I broke nginx today while I tried to install brotli).
Unless this becomes a common problem, I don't think it makes sense for us to invest time on adding and maintaining a configuration for this nginx mod.
As a DevOps this is probably best delegated to you.
Bug Report
Current Behavior
When mod_security is enabled in nginx, trying to post gives an error. In the console, domain.com/api/discussions returns 403.
Steps to Reproduce
Expected Behavior
It should post.
Environment
Possible Solution
One way is to disable mod_security for the /api URI. I tried that, but it still failed. I doubt I did this correctly; I don't see this documented anywhere. ModSecurity has custom exclusions for WordPress. It would be great if we could have one for Flarum.
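One way to scope the exclusion to the Flarum API without switching the WAF off for the whole site, as an added example that is neither Flarum's nor the CRS's own configuration: a ModSecurity rule file loaded before the CRS rules that matches on the request URI rather than on an nginx location (so it still applies when try_files hands the request to index.php). The rule IDs 1000100 and 1000101 and the RULE_ID_FROM_AUDIT_LOG value are placeholders, not real rule numbers.

```apache
# Added example, not Flarum's or the OWASP CRS's own rules.
# Load this file before the CRS rules, e.g. from
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf, so that the ctl: actions
# below take effect before any CRS rule can block the request.

# Step 1: keep the CRS evaluating Flarum's JSON API, but only log instead of
# block. The audit log then records the rule IDs that would have returned 403
# for POST /api/discussions, which is what the WordPress exclusion set does
# per rule rather than per path. 1000100 is a placeholder ID in the user range.
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:1000100,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleEngine=DetectionOnly"

# Step 2: once the audit log names the offending rule(s), replace the engine
# downgrade above with a narrow per-rule exclusion for the API path only, so
# every other CRS rule keeps blocking. RULE_ID_FROM_AUDIT_LOG is a placeholder
# to fill in from the audit log; leave this rule commented until then.
#SecRule REQUEST_URI "@beginsWith /api/" \
#    "id:1000101,\
#    phase:1,\
#    pass,\
#    nolog,\
#    ctl:ruleRemoveById=RULE_ID_FROM_AUDIT_LOG"
```

Check the audit log after step 1: with DetectionOnly the blocked rules are still written there as matches, which is the information needed to decide whether step 2 is a single-rule exclusion or something Flarum-specific worth proposing as a rule set.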