<div dir="ltr">
<p class=""><span class="">OK, unless anyone can prove me wrong I’m going to say this is not an issue and that mod-sec is in fact working.</span></p>
<p class=""><span class="">While I don’t know why the noindex error is proxy’d back to the web host, that’s all that is sent and mod_sec is blocking everything else. I ran a full Nessus web vuln test and while the noindex error was again passed through, there were hundreds of subsequent blocks so mod_sec is working.</span></p><p class=""><br></p></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 4, 2015 at 4:04 PM, Mike Ballon <span dir="ltr">&lt;<a href="mailto:mike.ballon@gmail.com" target="_blank">mike.ballon@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div><div>Apache 2.2 running as a reverse-proxy with another Apache 2.2 host and then a DB on the end. This is an AWS setup so the design is basically: load-balancer, pair of reverse proxies, pair of web hosts, database on the backend.</div><div><br></div><div>I'm using a basic user-agent test to ensure at least basic function of mod_sec and there is again, something that even 3 cups of coffee hasn't been able to figure out.</div><div><br></div><div>curl -I -A "Nessus" <a href="http://www.ihaterabbits.com/" target="_blank">http://www.ihaterabbits.com/</a></div><div>Returns "HTTP 200"</div><div><br></div><div><div>curl -I -A "Nessus" <a href="http://www.ihaterabbits.com/foobar" target="_blank">http://www.ihaterabbits.com/foobar</a></div><div>Returns "HTTP 443"</div></div><div><br></div><div>The reverse-proxy logs:</div><div><br></div><div>access_log</div><div>"HEAD / HTTP/1.1" 200 - "-" "Nessus"</div><div>"HEAD /foobar/ HTTP/1.1" 403 - "-" "Nessus"</div><div><br></div><div>error_log</div><div>"ModSecurity: Access denied with code 403 bad_robots</div><div><div>"ModSecurity: Access denied with code 403 bad_robots</div></div><div><br></div><div>The web host logs:</div><div><br></div><div><div>"GET /error/noindex.html HTTP/1.1" 200 3839 </div></div><div>[second curl there is no request 
sent to the web host]</div><div><br></div><div>-- Why is there a request sent to the web host on the first curl when there is a deny from mod_sec? I tried removing the -Indexes for Options and that didn't change anything. It looks like it's proxying the error and not the request?</div><div><br></div><div>vhost is as follows:</div><div><br></div><div><div>&lt;VirtualHost *:80&gt;</div><div> ProxyVia On</div><div> &lt;IfModule mod_security2.c&gt;</div><div> SecRuleEngine On</div><div> &lt;/IfModule&gt;</div><div> ProxyPreserveHost On</div><div> ServerName <a href="http://ihaterabbits.com" target="_blank">ihaterabbits.com</a></div><div> ProxyPass / <a href="http://nameofloadbalancer/" target="_blank">http://nameofloadbalancer/</a> retry=0</div><div> ProxyPassReverse / <a href="http://nameofloadbalancer/" target="_blank">http://nameofloadbalancer/</a></div><div>&lt;/VirtualHost&gt;</div></div><div><br></div><div><br></div></div>
</blockquote></div><br></div>
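The check both messages do by eye (a ModSecurity denial in the proxy's error_log, then a look at whether the web host still served something) can be scripted; the following is an added example and is not part of either message. The log lines are constructed in Apache 2.2 layout, the function names are hypothetical, and the time-window pairing assumes synchronized clocks, one shared timezone and a quiet test environment with no other traffic.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache 2.2 log layout; not copied from the thread.
PROXY_ERROR_LOG = """\
[Thu Jun 04 16:04:01 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [msg "bad_robots"] [uri "/"]
[Thu Jun 04 16:04:09 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [msg "bad_robots"] [uri "/foobar/"]
"""
BACKEND_ACCESS_LOG = """\
10.0.1.10 - - [04/Jun/2015:16:04:01 +0000] "GET /error/noindex.html HTTP/1.1" 200 3839
10.0.1.10 - - [04/Jun/2015:16:30:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

DENY_RE = re.compile(r'^\[([^\]]+)\] \[error\] .*ModSecurity: Access denied.*\[uri "([^"]*)"\]')
ACCESS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}(?::\d{2}){3}) [^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def parse_denials(error_log):
    """Return (timestamp, uri) for every ModSecurity denial on the proxy."""
    found = []
    for line in error_log.splitlines():
        m = DENY_RE.search(line)
        if m:
            found.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return found

def parse_access(access_log):
    """Return (timestamp, path, status) for every request the web host served."""
    found = []
    for line in access_log.splitlines():
        m = ACCESS_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            found.append((ts, m.group(2), int(m.group(3))))
    return found

def leaked_denials(error_log, access_log, window_seconds=2):
    """Pair each denial with backend requests that start within the window after it."""
    backend = parse_access(access_log)
    window = timedelta(seconds=window_seconds)
    leaks = []
    for denied_at, uri in parse_denials(error_log):
        hits = [p for ts, p, _ in backend if timedelta(0) <= ts - denied_at <= window]
        if hits:
            leaks.append((uri, hits))
    return leaks

if __name__ == "__main__":
    for uri, hits in leaked_denials(PROXY_ERROR_LOG, BACKEND_ACCESS_LOG):
        print(f"denied {uri!r} on the proxy, but the web host still served {hits}")
```

On a host with real traffic, pairing on a request identifier that is logged on both tiers is more reliable than a time window.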