Issue with Nginx (Engintron) / but not coming from Engintron - problem is mod_secure2)

[nadav123]

Hello again, i know my question little tricky and 3rd party involve, but after a lot of tests, i figure out my problem is not coming actually from Engintron (NGINX)
This after i have 2 identical servers (one in U.S. and one in the EU)

ONE GET THIS PROBLEM:

premison-problem-one-server hosted at ImgBB

Image premison-problem-one-server hosted in ImgBB

ibb.co

I have to identical servers:
server.locksmithunit.es
server.locksmithuni.com

issue accrues only in server.locksmithunit.com
both of the servers identical with identical websites ( websites not the issue here ).

Every time i try to clean the cache i get this pop up in the browser, its kind of rule block or XSS header come from mod_secure.

I delete and install engintron several times on this server, issue sometime stop, but popup comeback after a couple of days,
i suspect something change the premison in the cPanel system or the ModSecure2 Vendor from cPanel.
( this is because on the other server not have this issue )

i know it's connected to 3rd party, but as i said, issue accrue not from Engintron, but effecting Engintron.
i already post in his forum as well:

engintron/engintron

Engintron for cPanel/WHM is the easiest way to integrate Nginx on your cPanel/WHM server. Engintron will improve the performance & web serving capacity of your server, while reducing CPU/RAM lo...

github.com

be happy if someone can help, maybe look on my server premison maybe have some script running change premisons?

 

[cPRex]

Hey hey! I'm not personally familiar with that popup, but I would think examining the browser code would show that is from Engintron. For example, here is another user experiencing a different issue with that plugin, but getting a similar popup on that page:

XSS related issue with nginx engintron running on Apache/cPanel · Issue #1218 · engintron/engintron

One of our servers uses nginx engintron running as a reverse proxy cache (system details below). OS: CentOS Linux release 7.8.2003 (Core) Kernel: Linux dxxxxxxxxx.eu 3.10.0-1127.13.1.el7.x86_64 #1 ...

github.com

It might be best to wait to hear from Engintron directly to see what they have to say. If there are logs for that application on the server-side, checking those would also be a great place to start.

 

[nadav123]

First, thanks again
Second, you didn't actually read the developer answer, he said in the end of the post:
"You can bypass caching for certain domains or even domain paths/subfolders. See the notes in “Custom Rules” and read the docs at engintron.com/docs for additional help. There is no reason to disable Engintron...

The popup you mention (and like the menu on the left that will always expand when a PHP-based cPanel plugin is loaded, is most likely a bug in cPanel's PHP API."

His name is Fotis, i have long past with this guy, the truth, i don't like him so much.
But one thing you can't take from him… the guy is a genius, and he knows what he's talking cPRex. ( from personal experience ).

Now, i notice the issue improving and stopping, when you stop the cPanel mod Vendor inside WHM (CRS):

OWASP® ModSecurity CRS | cPanel & WHM Documentation

The OWASP (Open Web Application Security Project) ModSecurity CRS (Core Rule Set) is a set of rules that Apache®'s ModSecurity® module can use to help protect your server.

docs.cpanel.net

I notice to another thing, is the GIT of Engintron (Fotis)
Offers EA4 Optimization pack in JSON for cPanel / WHM interface:

engintron/Engintron_EA4_2022_v1_EL7.json at master · engintron/engintron

Engintron for cPanel/WHM is the easiest way to integrate Nginx on your cPanel/WHM server. Engintron will improve the performance & web serving capacity of your server, while reducing CPU/RAM lo...

github.com

This guys (Fotis), Never miss, he didn't put inside his EA4 Profile (JSON File).
This file got updated not long time ago, you can see the date in the GitHub link i sent you.

I all the time was suspect on these rules, i actually turn off 10 rules and i use only 22 usually.
BTW—When you're installing cPanel, fresh, this cPanel Vendor rules, not come by default... i believe have reason for that as well.

From my experience, i know mod_secure3 and modsecure2 are optimized for NGINX in general (any NGINX, not only Engintron)
But the ModSecurity Vendor via cPanel maybe not good for Engintron.

For now, i turn it off... (this is the default cPanel / WHM configuration, shipping in the first time to the client).
i didn't get errors or something in these 24 hours.

And Engintron working as charm for now (but it less secure without the ModSecurity™ Vendors.
Be happy someone will look on that maybe can cover engintron with all this set rule ( can be very helpful for cPanel users in general )

 

[cPRex]

So you're saying Engintron works well when the Owasp rules are disabled? Are these not the default "OWASP ModSecurity Core Rule Set V3.0" that is included with cPanel?

 

[nadav123]

So you're saying Engintron works well when the OWASP rules are disabled? Are these not the default “OWASP ModSecurity Core Rule Set V3.0" that is included with cPanel?

You right and not right
I will explain:
This is the OWSP Vendor rules shipped by default, but this is not installed by default bro.
When you buy cPanel (porches it for the first time).
The section look like this for the first time you install WHM/cPanel in the Interface:

You have the section of the Vendor, but it is not installed! ( the screenshot you see, this is the DEFAULT of cPanel)
In the first time you install WHM/cPanel need to install it. ( don't have rules, when you click the vendor its take you to the EA4 interface in WHM and install it for you ):



Now, i porches my cPanel on version 95 something like that…
Was only one option, i see you change it.
And create a BETA connector... (it means the issue is famous, and the developer in cPanel struggling like me...)


To say the truth, cPRex:
Now i am little confused, was an update and new additional packages i never see… ( the NEW packages in the screenshot included the BETA connector, not was when i got my cPanel )

i am afraid maybe cPanel update his own default...
You install one of them by default in the current cPanel version? ( v100.0.11 )? - i asking you cPRex, i sure you know if one of this additional packegs installed by default.

Or it is possible to work without the (ADDITIONAL PACKAGES AND THE OWASP RULES.)

 

[cPRex]

Thanks for that - I see what you mean now.

The additional rules packages do get updated automatically as they become available, since they are distributed as an RPM, and those will update nightly. What I can't guarantee is that every ModSecurity rule works with every package - even standard rules may need to be disabled depending on what software you are using on the system. That's why we have the option do disable certain rules, as outlined here:

How can I disable a ModSecurity rule?

Introduction Sometimes ModSecurity rules have undesired effects and they must be disabled. Procedure When using ModSecurity Vendors, the existing rules cannot be edited, but they can be disab...

support.cpanel.net

It might be best to report this to Engintron to see if they can figure out what rule is causing the issue.

 

[nadav123]

I didn't get you, bro,
ok, let's order the things,

First question:
1. This is still the default? Without cPanel Vendor? (we now in 100.0.11 version, it's a different version from what i got in the start)
2. What you mean when you said “nightly update”, if i didn't install the VENDOR PACK its will install it in the “night update” by himself?

(i believe the “nightly update” you meant, it's the UPCP script)

Second question:
If the default, it's without cPanel VENDOR RULES, and Engintron working PERFECT without this vendor. (WHM/cPanel DEFAULT)
Why complain to the developer of Engintron?

He said, in the link you sent me in the post:
"It's not Engintron, it's a cPanel PHP API bug"

read his post, the guy already know that before long time ago,
he renews his JSON EA4 PROFILE FOR cPanel BEFORE A MOUNT AGO, HE DIDNT INCLUDED ANY MOD_SECURE VENDOR PACKAGE...

For the record:
You have mod_secure2 in the php74 (i think, when i restart APACHE i see modsecure.org, it's look like we have it in the server).

I believe the cPanel Vendor core rules, had issues with NGINX and the RULES in general.
This why you have (in the screenshot i sent you) 2 NEW Versions,
under them have a connector for NGINX.
I believe this issue, It's not only for Engintron.

Engintron works perfect now… so i pretty sure it's the cPanel Vendor.
What is Engintron fault?
Its your Vendor, on default Engintron work amazing.

Third question:
1. In the screenshot i sent you from EA4, you see have 2 packs of mod secure vendor, need to install both? (if i want of course, i will advise with you)
2. The Nginx connector, made by cPanel, fit Engintron too?