- Plesk for Linux
- Plesk for Windows
When ModSecurity with OWASP rule-set is enabled in Plesk at Tools & Settings > Web Application Firewall (ModSecurity), a website becomes inaccessible:
for users with a 503 error or the following error message in a web-browser:
PLESK_INFO: Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
for search engine bots with the 403 Forbidden error. The following error message appears in domain's error logfile
CONFIG_TEXT: "GET /robots.txt HTTP/1.0" 403 1034 "-" "-"
Some content may be missing (like images or some scripts not working properly) or domain's functionality may not work properly.
Unable to delete plugin inside Wordpress dashboard:
CONFIG_TEXT: <!DOCTYPE html> 403 Forbidden html
Server Error 403 Forbidden You do not have permission to access this document
The following error message appears on the domain's Logs page at Plesk > Domains > example.com > Logs and in the error logfile
Note: id and tag values may vary.
CONFIG_TEXT: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
The OWASP rule-set is known as a very restrictive rule-set: It requires additional tuning for production use.
In the example above, the following OWASP ModSecurity rule blocks website from users and search engine bots:
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPTwith ID 960015
As a workaround, either disable rules that break website operability or switch to another ruleset
In Plesk, go to Tools & Settings > Web Application Firewall (ModSecurity) > Switch off security rules section.
Switch off rules using one of the following ways:
By rule tags. Add rule tags from the error message from Active to Deactivated as shown on the following picture (Click to enlarge) and apply the changes.
By rule IDs. Add IDs from the error message to the Security rule IDs field as shown on the following picture (Click to enlarge) and apply the changes.