Applicable to:
- Plesk for Linux
Symptoms

When ModSecurity with the OWASP rule set is enabled in Plesk at Tools & Settings > Web Application Firewall (ModSecurity), a website becomes inaccessible:

- For users, with a 503 error or the following error message in a web browser:

  Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

- For search engine bots, with the 403 Forbidden error. The following entry appears in the domain's log file /var/www/vhosts/system/example.com/logs/access_log:

  "GET /robots.txt HTTP/1.0" 403 1034 "-" "-"

- The following error message appears on the domain's Logs page and in the error log file /var/www/vhosts/system/example.com/logs/error_log (note: id and tag values may vary):

  Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Cause

The OWASP rule set is known to be very restrictive: it requires additional tuning for production use.

In the example above, the following OWASP ModSecurity rule blocks the website for users and search engine bots:

- Tag OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT with ID 960015

This rule rejects requests that carry no Accept header, such as the robots.txt request shown in the access log above.
Resolution

As a workaround, disable the rules that break website operability:

- In Plesk, go to Tools & Settings > Web Application Firewall (ModSecurity) > Switch off security rules.

- Switch off the rules in one of the following ways:

  - By rule tags: move the rule tags from the error message from Active to Deactivated and apply the changes.

  - By rule IDs: add the IDs from the error message to the Security rule IDs field and apply the changes.
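To pick out the exact IDs and tags to enter in the steps above from a busy error_log, the following Python script (an added example, not Plesk's own code) parses the bracketed ModSecurity fields, groups hits by rule ID, and lists the affected URIs; the log lines embedded in it are constructed samples in the format shown above.

```python
import re
from collections import defaultdict

# Regex for the bracketed key/value fields ModSecurity 2.x writes to error_log,
# e.g. [id "960015"] [msg "Request Missing an Accept Header"] [tag "OWASP_CRS/..."].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample lines mirroring the article's error_log format (not a real log).
SAMPLE_LOG = """\
[client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "example.com"] [uri "/robots.txt"]
[client 203.0.113.6] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [hostname "example.com"] [uri "/sitemap.xml"]
[client 198.51.100.7] AH01630: client denied by server configuration: /var/www/vhosts/example.com/httpdocs/.git
"""

def parse_event(line):
    """Return a dict of ModSecurity fields (tags collected into a list), or None
    for lines that are not rule hits (ordinary Apache errors, no [id ...] field)."""
    if "ModSecurity:" not in line:
        return None
    event = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            event["tags"].append(value)
        else:
            event[key] = value
    return event if "id" in event else None

def summarize(log_text):
    """Group rule hits by rule ID: hit count, message, tags and the URIs affected.
    The IDs are what the 'Security rule IDs' field expects; the tags feed the tag list."""
    summary = defaultdict(lambda: {"count": 0, "msg": "", "tags": set(), "uris": set()})
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        entry = summary[event["id"]]
        entry["count"] += 1
        entry["msg"] = event.get("msg", entry["msg"])
        entry["tags"].update(event["tags"])
        if "uri" in event:
            entry["uris"].add(event["uri"])
    return dict(summary)

if __name__ == "__main__":
    # Most frequent rules first, so the noisiest candidates for switching off come to the top.
    for rule_id, entry in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f'{rule_id}: {entry["count"]} hit(s) - {entry["msg"]}')
        print("  tags:", ", ".join(sorted(entry["tags"])))
        print("  uris:", ", ".join(sorted(entry["uris"])))
```

Run it against a real log with `summarize(open("/var/www/vhosts/system/example.com/logs/error_log").read())`; review the affected URIs before switching a rule off, since a rule that only blocks robots.txt is a different case from one that blocks every page.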