Gzip encoded data

[nullmem]

Ok so I was getting:

---deISzRSW---B--
GET /wp-content/uploads/2012/03/satan%E2%80%99s-malicious-agenda-300x200.jpg HTTP/1.1
Content-Length: 0
X-Forwarded-For: 51.255.81.66
CF-IPCountry: FR
Host: www.danielsblog.org
CF-Origin-IP: 174.138.119.56
Accept-Encoding: gzip
X-Forwarded-Proto: https
CF-Origin-Https: on
User-Agent: Toweya.com bot; report abuse to abuse@toweya.net
Connection: Keep-Alive
CF-RAY: 3734527bd93168f6-CDG
Accept: /
CF-Visitor: {"scheme":"https"}

(binary data here)

After reading through docs I find the directive I need:

SecDisableBackendCompression On

.....but it don't work....Nginx won't start with it in my modsecurity.conf file:

2017/06/23 03:52:08 [emerg] 5146#5146: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/snippets/modsecurity.conf. Line: 9. Column: 32. Invalid input: SecDisableBackendCompression On in /etc/nginx/conf.d/allcapa.org.conf:21

[nullmem]

I disabled mod_deflate on my backend server and still getting binary data and header of

GET /wp-content/uploads/2012/03/satan%E2%80%99s-malicious-agenda-300x200.jpg HTTP/1.1
Content-Length: 0
X-Forwarded-For: 193.70.45.213
CF-IPCountry: FR
Host: www.danielsblog.org
CF-Origin-IP: 174.138.119.56
Accept-Encoding: gzip
X-Forwarded-Proto: https
CF-Origin-Https: on
User-Agent: Toweya.com bot; report abuse to abuse@toweya.net
Connection: Keep-Alive
CF-RAY: 3734a9cf5d7869be-CDG
Accept: /
CF-Visitor: {"scheme":"https"}
CF-WAN-ID: rg-72eb7a9df15c775786489ce7b862c78f.port2408.net:2408
CF-Connecting-IP: 193.70.45.213

just cant figure out 1. where its getting zipped, and 2. why I cant turn it off with the directive.

[victorhora]

Hi @nullmem,

I'm guessing you are using the nginx-connector with libModSecurity (aka v3), right?

If that's so, I'm afraid SecDisableBackendCompression is currently a missing feature for libModSecurity. I'll create an issue on ModSecurity Github for proper tracking of this missing feature.

[nullmem]

Yes, and thank you. as a temporary workaround, I was able to disable gzip on both Nginx and my backend server. This isn't really a big deal because this server is behind CloudFlare and they gzip everything anyway.

[victorhora]

Thanks for the feedback @nullmem, good to know you have a workaround :)

I've updated the reference manual to reflect the current missing feature and created an issue on ModSecurity's Github for proper tracking: owasp-modsecurity/ModSecurity#1470

So I will close this one here.

Thanks!