
For a long while now, one of my oldest posts (nagios ping tool) returned a 403 error and I couldn't work out why... a recent post about curl also fell foul of the same issue so I've been forced to work out why ;)

The main challenge that I faced was that I could not find any errors in my logs: Apache's error_logs were empty, Varnish was not catching the error page and my mod_security debug log didn't show anything. Now there is clearly a to-do here: I need to look into my logging issues, because the issue was mod_security!

modsecurity_crs_40_generic_attacks has a list of system rules which will deny access to commands, and on my system ping & traceroute are indeed commands! Looking through _crs_40 I can see that rule ID 950907 blocks curl, therefore I can create a simple location match to permit access to that page.

<LocationMatch "^/3659/my-lifestream-php-curl-ca-certificate-issues">
    SecRuleRemoveById 950907
</LocationMatch>

Traceroute and Ping are IDs 958837 & 958893 respectively. Going forward I could simply remove those IDs globally, but to be honest I don't want to, I take comfort in the restriction they bring... I will just have to be more careful with the titles I use on pages.

rgds,

Nick
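
Added example, not part of the original post: once mod_security denials do reach the Apache error log, the `[id "..."]` and `[uri "..."]` fields on each line say which rule blocked which page, and a page-scoped exclusion like the one above can be generated from them. The log lines below are constructed in the ModSecurity 2.x error-log layout; the client IPs, file path, `/search` and `/0000/example-ping-post` are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout.
# Client IPs, file paths and the second/third URIs are placeholders, not from the post.
SAMPLE_LOG = """\
[error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_FILENAME. [file "/path/to/modsecurity_crs_40_generic_attacks.conf"] [id "950907"] [msg "constructed"] [uri "/3659/my-lifestream-php-curl-ca-certificate-issues"] [unique_id "a1"]
[error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "..." at ARGS:q. [id "958837"] [msg "constructed"] [uri "/search"] [unique_id "a2"]
[error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_FILENAME. [id "958893"] [msg "constructed"] [uri "/0000/example-ping-post"] [unique_id "a3"]
[error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

FIELD = re.compile(r'\[(id|uri) "([^"]*)"\]')
REGEX_META = re.compile(r'([.^$*+?()\[\]{}|\\])')


def denied_rules_by_uri(log_text):
    """Map each blocked URI to the sorted rule IDs that denied it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip warnings and non-ModSecurity errors
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            hits[fields["uri"]].add(fields["id"])
    return {uri: sorted(ids) for uri, ids in hits.items()}


def location_match(uri, rule_ids):
    """Render a page-scoped exclusion in the same shape as the post's block."""
    # Escape regex metacharacters so the URI is matched literally, anchored at the start.
    pattern = "^" + REGEX_META.sub(r"\\\1", uri)
    return ('<LocationMatch "%s">\n    SecRuleRemoveById %s\n</LocationMatch>'
            % (pattern, " ".join(rule_ids)))


if __name__ == "__main__":
    for uri, ids in denied_rules_by_uri(SAMPLE_LOG).items():
        print(location_match(uri, ids))
```

Only "Access denied" lines are counted, so a rule that merely logged a warning does not get an exclusion it does not need.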

 
Nick Bettison ©