- Plesk for Linux
When ModSecurity with OWASP rule-set is enabled in Plesk at Tools & Settings > Web Application Firewall (ModSecurity), a website becomes inaccessible:
for users with a 503 error or the following error message in a web-browser:
PLESK_INFO: Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
for search engine bots with the 403 Forbidden error. The following error message appears in domain's error logfile
CONFIG_TEXT: "GET /robots.txt HTTP/1.0" 403 1034 "-" "-"
The following error message appears on the domain's Logs page and in the error logfile
Note: id and tag values may vary.
CONFIG_TEXT: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
The OWASP rule-set is known as a very restrictive rule-set: It requires additional tuning for production use.
In the example above, the following OWASP ModSecurity rule blocks website from users and search engine bots:
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPTwith ID 960015
As a workaround, disable rules that break website operability:
In Plesk, go to Tools & Settings > Web Application Firewall (ModSecurity) > Switch off security rules.
Switch off rules using one of the following ways:
By rule tags. Add rule tags from the error message from Active to Deactivated as shown on the following picture (Click to enlarge) and apply the changes.
By rule IDs. Add IDs from the error message to the Security rule IDs field as shown on the following picture (Click to enlarge) and apply the changes.