OK, unless anyone can prove me wrong I’m going to say this is not an issue and that mod-sec is in fact working. While I don’t know why the noindex error is proxy’d back to the web host, that’s all that is sent and mod_sec is blocking everything else. I ran a full Nesses web vuln test and while the noindex error was again passed through, there were hundreds of subsequent blocks so mod_sec is working. On Thu, Jun 4, 2015 at 4:04 PM, Mike Ballon wrote: > > Apache 2.2 running as a reverse-proxy with another Apache 2.2 host and > then a DB on the end. This is an AWS setup so the design is basically; > load-balancer, pair of reverse proxies, pair of web hosts, database on the > backend. > > I'm using a basic user-agent test to ensure at least basic function of > mod_sec and there is again, something that even 3 cups of coffee hasn't > been able to figure out. > > curl -I -A "Nessus" http://www.ihaterabbits.com/ > Returns "HTTP 200" > > curl -I -A "Nessus" http://www.ihaterabbits.com/foobar > Returns "HTTP 443" > > The reverse-proxy logs: > > access_log > "HEAD / HTTP/1.1" 200 - "-" "Nessus" > "HEAD /foobar/ HTTP/1.1" 403 - "-" "Nessus" > > error_log > "ModSecurity: Access denied with code 403 bad_robots > "ModSecurity: Access denied with code 403 bad_robots > > The web host logs: > > "GET /error/noindex.html HTTP/1.1" 200 3839 > [second curl there is no request sent to the web host] > > -- Why is there a request sent to the web host on the first curl when > there is a deny from mod_sec? I tried removing the -Indexes for Options and > that didn't change anything. It looks like it's proxying the error and not > the request? > > vhost is as follows: > > > ProxyVia On > > SecRuleEngine On > > ProxyPreserveHost On > ServerName ihaterabbits.com > ProxyPass / http://nameofloadbalancer/ retry=0 > ProxyPassReverse / http://nameofloadbalancer/ > > > >