Apache 2.2 running as a reverse-proxy with another Apache 2.2 host and then a DB on the end. This is an AWS setup so the design is basically; load-balancer, pair of reverse proxies, pair of web hosts, database on the backend.

I'm using a basic user-agent test to ensure at least basic function of mod_sec and there is again, something that even 3 cups of coffee hasn't been able to figure out.

curl -I -A "Nessus" http://www.ihaterabbits.com/
Returns "HTTP 200"

curl -I -A "Nessus" http://www.ihaterabbits.com/foobar
Returns "HTTP 443"

The reverse-proxy logs:

access_log
"HEAD / HTTP/1.1" 200 - "-" "Nessus"
"HEAD /foobar/ HTTP/1.1" 403 - "-" "Nessus"

error_log
"ModSecurity: Access denied with code 403 bad_robots
"ModSecurity: Access denied with code 403 bad_robots

The web host logs:

"GET /error/noindex.html HTTP/1.1" 200 3839 
[second curl there is no request sent to the web host]

-- Why is there a request sent to the web host on the first curl when there is a deny from mod_sec? I tried removing the -Indexes for Options and that didn't change anything. It looks like it's proxying the error and not the request?

vhost is as follows:

<VirtualHost *:80>
  ProxyVia On
  <IfModule mod_security2.c>
  SecRuleEngine On
  </IfModule>
  ProxyPreserveHost On
  ServerName ihaterabbits.com
  ProxyPass / http://nameofloadbalancer/ retry=0
  ProxyPassReverse / http://nameofloadbalancer/
</VirtualHost>