Closed
Description
Configuration 1: nginx/1.11.5, libmodsecurity: head of v3/master, modsecurity-nginx: head of master
Configuration 2: apache/2.4.18, ModSecurity 2.9.0
Both configurations have been set up to proxy all requests to the http://nginx.org site, with modsecurity turned on with default configuration, and OWASP CRS v3.0.0 configured in the default "anomaly scoring" mode.
For the same request,
curl -i http://localhost//keys/nginx_signing.key
ModSecurity 2.9 blocks the request, libmodsecurity does not block.
Debug log excerpts are here:
https://gist.github.com/defanator/cdec2cbe3a7eaf5952246700b96e8c9a