[users@httpd] Configuration issues leading to mod_security alerts?

[Tim Rohrer <ti...@itstechnical.net>]

Hello!

I have a system set up where I use a reverse proxy (Apache/2.4.7 (Ubuntu 14.04LTS)), to reach a content server (Apache/2.2.22 (Ubuntu 12.04LTS)). The content server is providing a Wordpress (latest version) site. Two domains point to the external ip and the proxy server passes them to the content server as either 80 or 443 traffic.  On the backend, a redirection occurs for all 80 traffic to 443 which has 3rd party cert.

The reverse proxy is also providing caching.  The site seems to be working.

I then installed mod_security from the Ubuntu package libapache2-modsecurity, which I understand to be ver 2.7.7-2, downloaded the CRS and turned it on with DetectionOnly.

However, every time the site is accessed, I get a significant number of alerts. And a significant number of these seem related to cache (specifically Cache-Control Response Header Missing), headers (Content-Type Headers missing), and cookies. Some include the tag of “MISCONFIGURATION”.

I’ve been reading how to scrub these for false-positives, but the number of them right now makes me think I may have a configuration screwup, and I want to rule that out before I start turning off rules.

I don’t want to indiscriminately dump logs or config files here but will provide what others think is most valid.

Thanks in advance for any help getting pointed in the right direction.

Tim




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org