A website is not accessible for users and search engine bots when OWASP ModSecurity rule-set is enabled in Plesk

Symptoms

• When ModSecurity with OWASP rule-set is enabled in Plesk at Tools & Settings > Web Application Firewall (ModSecurity), a website becomes inaccessible:

  • for users with a 503 error or the following error message in a web-browser:

    PLESK_INFO: Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

  • for search engine bots with the 403 Forbidden error. The following error message appears in domain's error logfile /var/www/vhosts/system/example.com/logs/access_log:

    CONFIG_TEXT: "GET /robots.txt HTTP/1.0" 403 1034 "-" "-"

• The following error message appears on the domain's Logs page and in the error logfile /var/www/vhosts/system/example.com/logs/error_log:

  Note: id and tag values may vary.

  CONFIG_TEXT: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf/modsecurity.d/rules/modsecurity_crs-plesk/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]

Cause

The OWASP rule-set is known as a very restrictive rule-set: It requires additional tuning for production use.

In the example above, the following OWASP ModSecurity rule blocks website from users and search engine bots:

• Tag OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT with ID 960015

Resolution

As a workaround, disable rules that break website operability:

1. In Plesk, go to Tools & Settings > Web Application Firewall (ModSecurity) > Switch off security rules.

2. Switch off rules using one of the following ways:

   • By rule tags. Add rule tags from the error message from Active to Deactivated as shown on the following picture (Click to enlarge) and apply the changes.

     
     
     
     

   • By rule IDs. Add IDs from the error message to the Security rule IDs field as shown on the following picture (Click to enlarge) and apply the changes.