Comments (16)
Original reporter: ivanr
gunfus: I disabled mod-security and now mod_jk seems to be working again. I was able to reach the 'manager' application installed in Tomcat.
ivanr: It would be great if you could perform a couple more tests, by putting ModSecurity back in but progressively disabling features. The hope is that we would narrow it down to a feature that causes the problem. Here are some ideas:
- Remove all rules
- Disable response body access (SecResponseBody Off)
- Disable request body access (SecRequestBody Off)
If this is a low-traffic installation then please have the debug log at level 9 for the entire time, and attach it here afterwards for developers' access only.
Thanks!
brectanus: Duplicated this on my box. Attached a pcap showing the WWW-Authentication header coming back from tomcat, but not from httpd.
I will start analysing now.
Forgot this last time:
Ubuntu (debian) httpd 2.2.8 + mod_jk 1.2.25 + tomcat 5.5 + ModSecurity 2.5.6 + CRS 1.6.1
brectanus: The WWW-Authentication header is not written to the httpd output if all the following hold true:
- ModSecurity module is loaded.
- SecResponseBodyAccess is On.
- SecResponseBodyMimeType contains text/html
Under the above conditions, ModSecurity reads the response correctly, but never receives an EOS bucket (only a FLUSH) from mod_jk. Because of this, ModSecurity does not see that we completed receiving the response body and phase 4 (RESPONSE_BODY) is not run.
The complete response looks something like this when ModSecurity is looking at it:
HTTP/1.x 401 Unauthorized
Cache-Control: no-cache
Pragma: No-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Length: 948
HTTP Status 401 -
type Status report
message
description This request requires HTTP authentication ().
Apache Tomcat/5.5
However, below is what is sent to the client (a compiled in httpd response):
HTTP/1.x 401 Unauthorized
Date: Mon, 08 Sep 2008 21:45:33 GMT
Server: Apache
Content-Length: 381
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Something ModSecurity is doing when adding its output filter is causing httpd to send the default response which does not contain the WWW-Authenticate header.
I modified ModSecurity so that a FLUSH is treated just like an EOS (for testing only). In this case ModSecurity sees the end of the response (i.e. the FLUSH, which it seems should be an EOS), phase 4 is run and all is ok (the client gets the correct response).
I am not yet sure who is at fault here, but it surrounds this EOS vs FLUSH issue.
As a workaround, disabling response body access (SecResponseBody Off or ctl:responseBodyAccess=off) will prevent the issue, but at the cost of no outbound inspection.
Edited to clean up the extra newlines.
ivanr: WORKAROUND: By the way, we are running this application (JIRA) on a Tomcat behind Apache. We're not experiencing any problems because we deployed with mod_proxy connecting the two. So, in addition to turning response inspection off, sites can switch to mod_proxy instead of mod_jk to work around this issue until it is resolved.
ivanr: My guess is that, because we do not see the EOS bucket, we never send anything through. As far as I am aware response headers are sent just before first data is about to be sent. So Apache is probably seeing the status code (401) but realises there's no content coming and it responds with its default.
brectanus: I sent a note to tomcat-dev mailing list, but no response. I'll probably file a bug to see if that gets further.
http://mail-archives.apache.org/mod_mbox/tomcat-dev/200809.mbox/[email protected]
It seems to be a mod_jk issue, but we at least need a workaround (maybe some way to test that we have received the full response w/o relying on EOS bucket). Assigning this to 2.5.7.
brectanus: Added a patch to work around this issue by interpreting a FLUSH bucket as an EOS if all of the following are true:
- "jakarta-servlet" is the handler.
- This is the last bucket, which is a FLUSH.
- The number of bytes in the C-L header has been received.
I also filed a bug with Apache to see if I can get some clarification from them:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45812
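A constructed C model of the three-condition check described in that patch, added here for illustration. It is not ModSecurity's or APR's code: the bucket types and filter state are simplified stand-ins, and the model only shows why the 401 body never completes without the workaround and how the handler and Content-Length conditions gate it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the decision described in the thread; not ModSecurity's
 * or APR's code, bucket types and filter state are simplified. */
typedef enum { B_DATA, B_FLUSH, B_EOS } bucket_type;
typedef struct { bucket_type type; size_t len; } bucket;  /* len: bytes if B_DATA */

typedef struct {
    const char *handler;   /* r->handler; mod_jk sets "jakarta-servlet" */
    long content_length;   /* Content-Length response header, -1 if absent */
    size_t received;       /* body bytes seen so far by the output filter */
    int complete;          /* 1 once the end of the body has been detected */
} filter_state;

/* Walk one brigade; return 1 if the body is complete (phase 4 may run). With
 * flush_workaround=0 only a real EOS ends the body, which is what left Tomcat's
 * 401 response stuck in the filter and made httpd emit its own 401 page. */
int process_brigade(filter_state *st, const bucket *bb, size_t n, int flush_workaround)
{
    for (size_t i = 0; i < n; i++) {
        if (bb[i].type == B_DATA) {
            st->received += bb[i].len;
        } else if (bb[i].type == B_EOS) {
            st->complete = 1;
        } else if (bb[i].type == B_FLUSH && flush_workaround && i + 1 == n
                   && st->handler && strcmp(st->handler, "jakarta-servlet") == 0
                   && st->content_length >= 0
                   && st->received >= (size_t)st->content_length) {
            st->complete = 1;  /* all three conditions hold: treat FLUSH as EOS */
        }
    }
    return st->complete;
}

/* The thread's case: C-L 948, a data bucket, then a FLUSH and never an EOS. */
int tomcat_401_case(int flush_workaround, const char *handler, size_t bytes_sent)
{
    filter_state st = { handler, 948, 0, 0 };
    bucket bb[] = { { B_DATA, bytes_sent }, { B_FLUSH, 0 } };
    return process_brigade(&st, bb, 2, flush_workaround);
}

int main(void)
{
    printf("no workaround: %d  workaround: %d  other handler: %d  short body: %d\n",
           tomcat_401_case(0, "jakarta-servlet", 948), tomcat_401_case(1, "jakarta-servlet", 948),
           tomcat_401_case(1, "proxy-server", 948), tomcat_401_case(1, "jakarta-servlet", 500));
    return 0;
}
```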
brectanus: The above fix is included in changeset 1205.
brectanus: A fix should be coming into tomcat SVN soon which I will test.
However, even if this is fixed in a later version of mod_jk, perhaps we still need to work around this type of problem. Ivan, do you see any issues with removing the handler check from my patch and making this a more generic workaround (so only 2 and 3 from the requirements above)?
ivanr: I don't think that it's a good idea to have workarounds, in ModSecurity, for problems in other packages.
brectanus: This is a mod_jk bug that is fixed in the SVN version. You will need to patch your version of mod_jk or upgrade when the official fix comes out. In the meantime, you can use one of the suggested workarounds.
gunfus: Thanks for working on this issue guys.
brectanus: The mod_jk issue has been fixed upstream:
http://svn.apache.org/viewvc?view=rev&revision=695816
Dear all, I still have the same problem. I have a form in PHP with basic authentication. In the logs, it appears that it entered rule id 921130. My content is limited; I do not know how to solve it. Every help is welcome.