SecResponseBodyAccess Off does not have an effect

[zoltan-fedor]

Hey,

We had to turn off SecResponseBodyAccess due to the lack of SecDisableBackendCompression flag in libmodsecurity (and/or NGinx connector) (see #1470), but simply setting the SecResponseBodyAccess flag to Off had no effect, we also had to set the SecResponseBodyMimeType to some non-existent type to stop the response body being inspected.

NGinx 1.13.7
ModSeurity 3.0.0

Original setting:

SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml

Setting still inspecting the response body:

SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html text/xml

Settings which finally stoped response body inspection

SecResponseBodyAccess Off
SecResponseBodyMimeType text/nosuchtype

[chirswind]

hello there ,I'm using modSecutity for Nginx ,and met the same problem too,seting SecResponseBodyAccess Off &SecResponseBodyMimeType text/nosuchtype does not have an effect to me.

[zimmerle]

Somewhat related to owasp-modsecurity/ModSecurity-nginx#84

[zimmerle]

The compression can be disabled on the web server and/or proxy configuration. That is the main reason why the SecDisableBackendCompression is no longer supported on v3.

As of 42a472a the body inception is respecting the configuration flag.