owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

Mod_security not logging, even at debug 9 and Audit on #248

Status: Closed (MeowMeowVenom closed this 2 years ago)

MeowMeowVenom commented 3 years ago

I am running a forum, based on Flarum. When I turn on ModSecurity, it seems to be blocking /api/, which in turn stops me from posting in the forum. When I try to check the logs for this, they all appear to be blank. My ModSecurity conf is as follows.

https://pastebin.com/RxptAPpA

Issue in flarum -- https://github.com/flarum/core/issues/2994

martinhsv commented 2 years ago

Hi @Rejected-Peice ,

Do you ever see output in the debug log? For example, if you send a request to something other than this particular use case?

If not, does /var/log/mod_sec_debug.log get created when you start nginx with ModSecurity?

Are you getting output in ModSecurity's audit log?

MeowMeowVenom commented 2 years ago

A file got created, but nothing gets written to it.

PS - I have currently removed ModSecurity because it was causing way too many issues.

martinhsv commented 2 years ago

I'm still a little unclear on what your overall situation is. Were all requests to that nginx+ModSecurity deployment resulting in lack of writing to ModSecurity debug log? Or just a subset of requests (attempts to post to a particular api)? Based on the thread at the other location, it sounds like the latter.

Also, in the flarum thread, it sounds like you are seeing the following in the nginx log when you hit the use case you are reporting about.

2021/07/31 16:05:06 [error] 22044#22044: *6503 [client [IP REMOVED]] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "[IP REMOVED]"] [uri "/api/discussions"] [unique_id "1627740306"] [ref ""], client: [IP REMOVED], server: mydomain.com, request: "POST /api/discussions HTTP/1.1", host: "mydomain.com", referrer: "https://mydomain.com/"

So you are using coreruleset (CRS).

It looks like you have set their rules to use anomaly scoring mode. You might gain more insight into what is happening by using "Self-contained mode" instead. Since you are getting output in the nginx log, you should hopefully then see which substantive rule is being triggered rather than the 949110 score-check rule.

Also per your comment elsewhere:

One way is to disable mod_security for the /api URI. I tried that, but it still failed. I doubt that I did this correctly; I don't see this documented anywhere.

You can turn off ModSecurity for a particular URI with a phase:1 rule that uses the action 'ctl:ruleEngine=Off'. Depending on what is happening exactly, this might be too late, in which case the other option is to do it in your nginx configuration with something similar to:

location /uri {
    modsecurity off;
}

Also: Which version of ModSecurity are you using? And which version of the ModSecurity-nginx connector?
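
As an added example (not code from this thread, from martinhsv, or from the ModSecurity-nginx project), here is one nginx server block that wires up both ways of exempting /api/ described above, together with the debug and audit log directives the issue title refers to. The module path, the server name, the document root, the PHP-FPM socket, the log paths, rule id 10001 and the contents of main.conf are all assumptions.

```nginx
# load_module modules/ngx_http_modsecurity_module.so;   # in the main context of nginx.conf (assumed path)

server {
    listen 80;
    server_name forum.example.com;        # assumption
    root /var/www/flarum/public;          # assumption
    index index.php;

    # Turn the connector on for the whole server and load the rule set.
    # main.conf is assumed to include modsecurity.conf, crs-setup.conf and the CRS rules.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    # The connector also accepts ModSecurity directives inline. Placed after the
    # rules file, these override the logging settings it carries.
    modsecurity_rules '
        SecDebugLog /var/log/modsec/debug.log
        SecDebugLogLevel 9
        SecAuditEngine On
        SecAuditLog /var/log/modsec/audit.log
        SecAuditLogParts ABIJDEFHZ

        # Option 1 (the rule-based approach): a phase:1 rule that switches the
        # engine off for /api/ before the CRS detection rules (phase 2) run.
        SecRule REQUEST_URI "@beginsWith /api/" "id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off"
    ';

    # Option 2 (the nginx approach): switch the connector off for the location.
    location /api/ {
        modsecurity off;
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Caveat: the modsecurity on/off switch is per location, and a try_files
    # fallback is an internal redirect for which nginx selects a location again
    # (here the PHP one). So check which location finally serves a /api/ request;
    # an exemption in a location the request only passes through does not help.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php-fpm.sock;      # assumption
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

Two things to check when the log files exist but stay empty: that the directory under SecDebugLog and SecAuditLog is writable by the user the nginx workers run as, and that the request really reached a location where ModSecurity is on (nginx -t, then reload, and watch the nginx error log for the "ModSecurity:" lines). The anomaly-scoring versus self-contained choice is made in crs-setup.conf, not here: its SecDefaultAction lines decide whether a matching rule only adds to TX:ANOMALY_SCORE (pass, leaving rule 949110 to block) or denies on the spot.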

MeowMeowVenom commented 2 years ago

The site was returning 403 for some crucial URIs. I did do what you said in the last, but no changes.

My issues are:

  1. Mod security blocking /api , I tried making a location block and setting modsec to off, but nothing changed (and yes, I reloaded Nginx)
  2. To investigate this, I went to check logs, to realise that there was nothing being written there.

Presently, I have removed mod security. I will be setting up a test environment and proceeding further with this issue.

I was using the latest version of ModSecurity and the nginx connector (sorry about not being specific about version numbers, because I removed them from my live site).

MeowMeowVenom commented 2 years ago

After a clean reinstall of everything, it finally works! But for some reason, I sometimes had to reboot for the mod_sec rules to apply (mainly when using the location block).

martinhsv commented 2 years ago

Since it was working as expected after clean reinstall, I'm going to go ahead and close this.