-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Errors involving Nextcloud and Failure to Change Request Size Limit #2873
Comments
Changing size limits in |
Hello @UM-Li , Re: "ModSecurity version: 3.3.0 (libapache2-mod-security2 package)" Your version of ModSecurity is probably v2.9.x. Given that you mention you are using OWASP CRS, I suspect you are confusing the version of that ruleset (i.e. that the ruleset is version 3.3.0) with the version of the ModSecurity engine. As to your issue: I just checked in my own test deployment and, a lower SecRequestBodyLimit in modsecurity.conf was successfully overridden by a higher value that was directly within a <VirtualHost...> element. However, if the override was within a <LocationMatch...> element within that <VirtualHost...> element, then the override did not occur. If I recall correctly (and I'm going by memory, since I cannot find a reference to it), there is a slightly obscure conflict between when LocationMatch directives are executed by Apache and when ModSecurity needs the configuration value to have been filled in. For your use case, one way to handle this could be to use a phase:1 rule with the |
Thanks for looking into this @martinhsv. Yes I was confused about the versions. ModSecurity is v2.9.3, and the CRS is v3.3.0. Following your advice I wrote this exception rule:
I see in the wiki there must be an |
Hi @UM-Li , When writing custom rules for your own deployment, you can use any integer that you like -- as long as it is not a duplicate of any other rules loaded by that same ModSecurity instance. Startup will fail if there is a duplicate. However, it can be advantageous to take the published ranges into account. For example avoiding custom rules using ids in the range 200000-299999 will turn out to have been useful if you decide in the future to start using rules published by Comodo. For my own custom rules I usually select an id that is 5 digits or less, per the first bullet point in the |
Thanks @martinhsv, the rule has taken effect with an ID assigned. The request body still seems large with the file supposedly excluded, and I have to set a large
I wonder:
|
The entire list of ctl: actions is listed in the manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29#ctl The distinction provided by |
Thanks again for the explanation! |
OS: Debian 11 (bullseye)
ModSecurity version: 3.3.0 (
libapache2-mod-security2
package)Apache version: 2.4.54
Rule sets:
Hi, I'm new to ModSecurity so please bear with me. I have a Nextcloud instance on my site at
/nextcloud
, and am trying to upload a 150 MiB .zip file via the Nextcloud client. For now small files can be uploaded, but this archive fails due to request body size limit. I made two attemps to let the file pass through:(Apache2 was restarted between every change of the .conf files below.)
1. Adding LocationMatch rules in virtual host definition
In
000-default-le-ssl.conf
:This location-matching regex should be correct since SecRuleRemoveById rules in the same block had taken effect. But apparently the size limit was not changed by this, as I kept getting such errors in
modsec_audit.log
:The "configured limit" was still 13107200 as defined in
/etc/modsecurity/modsecurity.conf
.2. Directly changing
modsecurity.conf
I also tried directly changing the size limits in
modsecurity.conf
:But the upload failed again, and the log file got flooded by garbled text. It seems the .zip file was piped raw into the log.
I'm not sure how to continue. I would like ModSecurity allow large file upload in this particular directory (
/nextcloud
). Preferrably by setting a direcory-specific exception, since other parts of the site are OK with the more restrictive default limit. What is the best practice to achieve this?The text was updated successfully, but these errors were encountered: