Error 500 but mod_sec 403 expected nginx 1.16

[cello86]

Hi All,
we are facing and issue on a nginx 1.16.1 with mod_sec v3 and nginx-connecto v1.0. In same case with some reactjs contents we noticed a 500 response, but the mod sec engine gets a 403 response on these contents and we didn't identify the issue. After some other checks we noticed also the error "109093 header already sent while sending response to client" into the logs and we discover the pull request #84 related to this issue.

Could it be that the gzip enabled on nginx side can create this issue?

Thanks,
Marcello

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days

[mtx-z]

@cello86 I have exactly the same issue. Modsec correctly catches and logs the 403, but a 500 "header already sent" is thrown just after, and so the client doesn't get a 403, but a "closed connection" error...
Strange thing is, that a few weeks ago I tested all, and we had the 403. But not anymore. Did you find anything in the end?
Thanks

[cello86]

@mtx-z which version of connector are you using?

[mtx-z]

@cello86 I use OWASP_CRS/3.4.0-dev with nginx 1.20.1. I added a complete logline here #84. Ty!

[cello86]

@mtx-z In your configuration you have:

nginx : 1.20.1
mod_security : 3.0.4?
nginx-modsecurity-connector : 1.0.2?
owasp CRS : 3.4.0

In my scenario I had the nginx-modsecurity-connector 1.0.0 and this created the problem. We update to 1.0.1 and we added a configuration to solve the issue but the latest nginx-modsecurity-connector 1.0.2 can help you to solve the problem.

could you check your nginx-connector version?

[mtx-z]

Well, I'm not sure how to check the connector version.
But I made a git clone from https://github.com/SpiderLabs/ModSecurity-nginx.git last month, so my guess is latest v1.0.2.
In your case, what was the configuration required to solve the issue?

As from my test using curl -v, it seems the body response is still sent even if modsec catches and "deny". But it seems to me that the request is still passed to the PHP upstream, and so I have an "already sent header" error: the one sent by modsec, and the ones from the normal PHP response...

Ty again

[cello86]

I used this config to solve the issue

location ^~ /error {
       modsecurity_rules 'SecRule REQUEST_URI "@beginsWith /" "id:1,pass,phase:2,log,ctl:ruleEngine=DetectionOnly"';
       alias "/usr/local/nginx/error";
       sub_filter_types application/json;
       sub_filter_once off;
       sub_filter 'request_id' '$request_id';
   }

[mtx-z]

@cello86 thanks a lot, I'll give it a try.
Could you explain what this configuration should do, and how it helps fix the issues? I'll try anyway.

Is the location-specific to your error? Meaning you only had the issue on your /error location?

Thanks again, I'll report back.

[cello86]

@mtx-z this config disables the mod_security to provide the error page bypassing the check of mod_sec.