
using ModSec 3 with nginx rev proxy

Comments

5 comments

  • cPRex Jurassic Moderator
    Hey there! The first thing I would try would be switching back to ModSecurity 2 and seeing if that catches the test. If so, could you make a ticket with the exact test you're doing so we can file a case with our developers? ModSecurity 3 in cPanel is still Experimental, so it's completely possible there are issues.
    0
  • danfbach
    Hey cPRex, the whole reason that I switched to ModSecurity 3 was because 2 wasn't catching anything either. My Hit lists were empty and I was not getting any notifications, as I previously was. This came up as I was reviewing /var/log/nginx/access_log one day on an unrelated matter and noticed TONS of obviously malicious requests. I blocked the IP address (and about 10 more they used thereafter) but ModSecurity should have easily caught them... this was not a sophisticated attack. I will try reverting one of my servers to version 2, just to be thorough and let you know the results...
    0
  • cPRex Jurassic Moderator
    That's interesting - if anything, we've had more people report the opposite issue, where hits increased after the proxy setup:
    0
  • danfbach
    Okay. So, I reverted to ModSecurity2, first leaving mod_suexec enabled. Works. Then I switched to mod_ruid2. Also working. So, it's working on the reverse proxy for the dotnet app and php apps, as I expected it would. I am wondering if when I elevated the servers to Alma, the elevate script just didn't reinstall `ea-modsec2-rules-owasp-crs-3.3.4-1.1.6.cpanel`... unfortunately, I have no way of determining if that is the case or not, since I upgraded them several months ago now. Anyway, thanks for the suggestions, glad it's working again now. Already have several hundred entries in the hit lists lol
    0
  • cPRex Jurassic Moderator
    I'm also glad it's working! If you run into something similar again and keep track of the steps, I'd be happy to check it out on my end.
    0
