Confirmed this behaviour on multiple versions of Nginx and Mod-Security for Nginx (including 1.5.1 and trunk).
Have tested with various mod-security configs, including a last test with an empty config file, but the same problem occurs.
With debug enabled on nginx and mod-security we see the following happening:
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy status 302 "302
Found"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header: "Date: Mon,
14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header: "Server:
Apache"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header: "Expires:
Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Cache-Control: private, no-cache, no-store, proxy-revalidate,
no-transform"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header: "Pragma:
no-cache"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Last-Modified: Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"X-DNS-Prefetch-Control: off"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Set-Cookie: roundcube_sessauth=-del-; expires=Mon, 14-Oct-2013 08:12:34
GMT; path=/; httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 posix_memalign:
0000000000A80030:4096 @16
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Set-Cookie: roundcube_sessid=af3b9qt9q15udtlu9pv7jl00p1; path=/;
HttpOnly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Set-Cookie:
roundcube_sessauth=Sa7b59ef7ce29d8007020e51346ac635aa47b0262; path=/;
httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header: "Location:
./?_task=mail"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header: "Vary:
Accept-Encoding"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Content-Encoding: gzip"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Content-Length: 20"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Connection: close"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header:
"Content-Type: text/html"
2013/10/14 09:13:34 [debug] 2149#0: *1291 http proxy header done
2013/10/14 09:13:34 [debug] 2149#0: *1291 modSecurity: header filter
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Host: REDACTED"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101
Firefox/24.0"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Accept-Language: en-gb,en;q=0.5"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Accept-Encoding: gzip, deflate"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Referer: http://REDACTED/?_task=mail"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Cookie: mailviewsplitterv=165; mailviewsplitter=433;
composesplitterv1=200; composesplitterv2=741; folderviewsplitter=30
0; composesplitterv=248; prefviewsplitter=266;
roundcube_sessid=but5tqa53t1eka2ro3ufsco5d2;
roundcube_sessauth=S901dd25720a42e648834de4db836db0d7996bb52"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Connection: keep-alive"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Content-Type: application/x-www-form-urlencoded"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in:
"Content-Length: 149"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers in
done
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Expires: Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Cache-Control: private, no-cache, no-store, proxy-revalidate,
no-transform"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Pragma: no-cache"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Last-Modified: Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"X-DNS-Prefetch-Control: off"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Set-Cookie: roundcube_sessauth=-del-; expires=Mon, 14-Oct-2013 08:12:34
GMT; path=/; httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Set-Cookie: roundcube_sessid=af3b9qt9q15udtlu9pv7jl00p1; path=/;
HttpOnly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Set-Cookie:
roundcube_sessauth=Sa7b59ef7ce29d8007020e51346ac635aa47b0262; path=/;
httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Location: ./?_task=mail"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Vary: Accept-Encoding"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Content-Encoding: gzip"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Content-Type: text/html"
2013/10/14 09:13:34 [debug] 2149#0: *1291 posix_memalign:
0000000000A6F140:4096 @16
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Content-Length: 20"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Location: ./?_task=mail"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Last-Modified: Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Connection: keep-alive"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Cache-Control: private, no-cache, no-store, proxy-revalidate,
no-transform"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out
done
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: status -1
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Host: REDACTED"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101
Firefox/24.0"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Accept-Language: en-gb,en;q=0.5"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Accept-Encoding: gzip, deflate"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Referer: http://REDACTED/?_task=mail"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Cookie: mailviewsplitterv=165; mailviewsplitter=433;
composesplitterv1=200; composesplitterv2=741; folderviewsplitter=30
0; composesplitterv=248; prefviewsplitter=266;
roundcube_sessid=but5tqa53t1eka2ro3ufsco5d2;
roundcube_sessauth=S901dd25720a42e648834de4db836db0d7996bb52"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Connection: keep-alive"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Content-Type: application/x-www-form-urlencoded"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in:
"Content-Length: 149"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers in
done
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Expires: Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Cache-Control: private, no-cache, no-store, proxy-revalidate,
no-transform"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Pragma: no-cache"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Last-Modified: Mon, 14 Oct 2013 08:13:34 GMT"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"X-DNS-Prefetch-Control: off"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Set-Cookie:
roundcube_sessauth=Sa7b59ef7ce29d8007020e51346ac635aa47b0262; path=/;
httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Location: ./?_task=mail"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Vary: Accept-Encoding"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Content-Encoding: gzip"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Content-Type: text/html"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Content-Length: 20"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Connection: keep-alive"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out
done
2013/10/14 09:13:34 [debug] 2149#0: *1291 HTTP/1.1 302 Found
Server: nginx
Date: Mon, 14 Oct 2013 08:13:34 GMT
Content-Type: text/html
Content-Length: 20
Connection: keep-alive
Expires: Mon, 14 Oct 2013 08:13:34 GMT
Cache-Control: private, no-cache, no-store, proxy-revalidate,
no-transform
Last-Modified: Mon, 14 Oct 2013 08:13:34 GMT
Set-Cookie:
roundcube_sessauth=Sa7b59ef7ce29d8007020e51346ac635aa47b0262; path=/;
httponly
Location: ./?_task=mail
Content-Encoding: gzip
I'm reading this as Apache (my upstream proxy) passing the correct headers down to Nginx, Nginx passing them to Mod-Security, which is returning them with only one Set-Cookie, but I have no rules that would do this and Mod-Security does not log any actions. If I leave Mod-Security compiled in but not enabled, I get the correct functionality and all my cookies.
I've also found the same issue described on Stack Overflow: http://stackoverflow.com/questions/19059610/mod-security-allowing-only-one-set-cookie
Paul.
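To confirm the loss mechanically rather than by eye, here is an added example (not from the post above or from the ModSecurity project) that parses nginx debug output in the format shown, re-joins the mail-wrapped lines, and reports per connection which response headers appear in the ModSecurity "load headers out" phase but are missing from "save headers out". The embedded log excerpt is constructed in the same format; the cookie values in it are placeholders.

```python
"""Added check (not from the original post): find response headers that
ModSecurity loaded but did not save back, using the nginx debug log.
SAMPLE_LOG is a constructed excerpt in the format of the posted output."""
import re
from collections import defaultdict

_ENTRY_START = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[")
_HDR = re.compile(r'\*(\d+) ModSecurity: (load|save) headers (in|out): '
                  r'"([^:]+): (.*)"$')

SAMPLE_LOG = """\
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Set-Cookie: roundcube_sessauth=-del-; expires=Mon, 14-Oct-2013 08:12:34
GMT; path=/; httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Set-Cookie: roundcube_sessid=CONSTRUCTED1; path=/; HttpOnly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out:
"Set-Cookie: roundcube_sessauth=CONSTRUCTED2; path=/; httponly"
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: load headers out
done
2013/10/14 09:13:34 [debug] 2149#0: *1291 ModSecurity: save headers out:
"Set-Cookie: roundcube_sessauth=CONSTRUCTED2; path=/; httponly"
"""

def join_wrapped(lines):
    """Re-join mail-wrapped continuation lines (they carry no timestamp)."""
    entries = []
    for line in lines:
        if _ENTRY_START.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def headers_by_phase(lines, direction="out"):
    """connection id -> {'load': set, 'save': set} of (name, value) pairs."""
    phases = defaultdict(lambda: {"load": set(), "save": set()})
    for entry in join_wrapped(lines):
        m = _HDR.search(entry)
        if m and m.group(3) == direction:
            phases[m.group(1)][m.group(2)].add((m.group(4), m.group(5)))
    return phases

def dropped_headers(lines, direction="out"):
    """Per connection, headers ModSecurity loaded but never saved back."""
    return {conn: p["load"] - p["save"]
            for conn, p in headers_by_phase(lines, direction).items()
            if p["load"] - p["save"]}
```

Run it over a full debug log with `dropped_headers(open("error.log").read().splitlines())`; a header value that was hard-wrapped in the middle of a token (as the Cookie line in the post was) will need the wrap removed by hand first, since the joiner inserts a space.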