POST request is not handled correctly

[miwoow]

Nginx 1.4.1
ModSecurity 2.7.4

server {
listen 80;
server_name www.xxxx.co;

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://111.111.111.111:80/;
        proxy_set_header Host www.xxxx.co;
        proxy_read_timeout 180s;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }

}

2013/06/07 16:59:34 [debug] 656#0: *4 http init upstream, client timer: 0
2013/06/07 16:59:34 [debug] 656#0: *4 http script copy: ""
2013/06/07 16:59:34 [debug] 656#0: *4 http script copy: ""
2013/06/07 16:59:34 [debug] 656#0: *4 http script copy: "Connection: close^M
"
2013/06/07 16:59:34 [debug] 656#0: *4 http script copy: "Content-Length: "
2013/06/07 16:59:34 [debug] 656#0: *4 http script var: "122"
2013/06/07 16:59:34 [debug] 656#0: *4 http script copy: "^M
"
2013/06/07 16:59:34 [alert] 656#0: *4 no upstream configuration, client: 111.111.111.111, server: blog.xxxx.co, request: "POST /wp-login.php HTTP/1.1", host: "blog.xxxx.co", referrer: "http://blog.xxxx.co/wp-login.php"

It looks like http script engine not parse proxy_*** configure.

[brenosilva]

Hello,

please send me the http post request. I would like to reproduce it. Also send me your modsecurity.conf and modsecurity debug log level 9.

Thanks

[thaeli]

Do you have an upstream block defined? I think this is a vanilla nginx error, not mod_security related. Try this config:

upstream myserver  {
    server 111.111.111.111;
}
server {
listen 80;
server_name www.xxxx.co;
    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.conf;
        proxy_pass http://myserver/;
        proxy_set_header Host www.xxxx.co;
        proxy_read_timeout 180s;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

[brenosilva]

Yes. Just did it now. Looks fine.
Please send me more details about your POST then i can try reproduce it.

[thaeli]

Ah, sorry for any confusion. I think the OP in this thread doesn't have an upstream config block, and it is not a ModSecurity error at all but rather a nginx configuration issue. I would suggest that they retest with an upstream block defined ahead of the server block; that should resolve the issue.

On Jun 14, 2013, at 12:16 PM, Breno Silva [email protected] wrote:

Yes. Just did it now. Looks fine.
Please send me more details about your POST then i can try reproduce it.

—
Reply to this email directly or view it on GitHub.

[brenosilva]

Right. So can i close this ticket ?

[thaeli]

I think so, yes.

On Jun 14, 2013, at 12:37 PM, Breno Silva [email protected] wrote:

Right. So can i close this ticket ?

—
Reply to this email directly or view it on GitHub.

[AndyBowes]

I am getting the same issue with the same versions of Nginx & ModSecurity.

I have got an upstream block in my configuration immediately before the server block. The application works as expected when the SecRequestBodyAccess is turned Off but gets the 'no upstream configuration' error if I turn this property on. This seems to indicate that my Nginx configuration is correct and that the problem is being caused only when the request body is being checked by ModSecurity.

[brenosilva]

@chaizhenhua not sure if it could be related to module order loading or an arch issue. Any idea ?
I cannot reproduce the issue.

[AndyBowes]

Could it be related to the options that we are using to build Nginx with the ModSecurity module or to folder permissions assigned to the nginx user?

We are building ModSecurity from the tarball with './configure --enable-standalone-module'

We are then adding this module to nginx with the following configuration params:
configure
--sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock
--error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/access.log
--user=nginx --group=spineii-applications --without-mail_pop3_module --without-mail_imap_module --with-debug
--without-mail_smtp_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module
--without-http_memcached_module --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module
--add-module=/var/lib/modsecurity/modsecurity-apache_2.7.4/nginx/modsecurity

Hope this helps
Andy

[chaizhenhua]

@miwoow can you remove the tailing '/' in proxy_pass http://111.111.111.111:80/; and test again?

[cutnpaster]

Hi, I 'm running in to this error too. It doesnt matter if proxy_pass is set or if an upstream block is defined. It happens on any POST request if SecRequestBodyAccess is enabled.

Here is a debug capture of the request http://bpaste.net/show/8nFOEuSGjsQL4uwTEGyR/
Here is modsec_debug http://bpaste.net/show/ecFlV2LlbW0RFYBAkgt2/
#140 sounds like a dupe.
Edit: Is #69 related? Or this? https://www.modsecurity.org/tracker/browse/MODSEC-390

For testing, I stripped down modsecurity.conf from the owasp-crs rules.
SecRuleEngine DetectionOnly
SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
SecDataDir /var/cache/modsecurity
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecResponseBodyMimeType text/plain text/html text/xml
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction ProcessPartial
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecTmpDir /var/cache/modsecurity
SecDebugLog /var/log/nginx/modsec_debug.log
SecDebugLogLevel 9
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType concurrent
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogStorageDir /var/log/nginx/audit
SecArgumentSeparator &
SecCookieFormat 0
SecComponentSignature "OWASP_CRS/2.2.7"
SecDefaultAction "phase:2,deny,log"

[jinri]

I am getting the same issue with the same versions of Nginx-1.8.1 & ModSecurity.nginx_refactoring.
anyone have idea solved this peoblems?