ModSec: X-Forwarded-For: Rule processing failed

Operating System & Version
CentOS 7.8
cPanel & WHM Version
11.90.0.5

servtastic

Member
Sep 3, 2020
USA
cPanel Access Level
Root Administrator
Hi All,

I have a ModSecurity rule that continues to throw a processing error against REQUEST_HEADERS:X-Forwarded-For, no matter how I tweak it.

What's weird is this exact same rule works correctly against REMOTE_ADDR.

My guess is something about the X-Forwarded-For header is not loading / showing correctly for ModSec (maybe Apache config? Apache/2.4.46 (cPanel)).

Rule is:
SecRule REQUEST_HEADERS:X-Forwarded-For "@ipMatchFromFile blacklist-ips.txt" "id:4100003, phase:1, log, drop, status:411, msg:' *** blacklist Custom IPs X-Forwarded-For'"

Error is:
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 85.115.60.201] ModSecurity: Rule processing failed (id=4100003, msg= *** blacklist Custom IPs X-Forwarded-For). [hostname "[redacted].com"] [uri "/"] [unique_id "X1EKKw8RDek5sznInPGFjAAAABU"]

After the first error there is a cascade of rule processing errors for all the other rules after the failure (if that matters).

The forwarded line from the mod_sec audit log is:
X-Forwarded-For: 94.23.238.218, 85.115.60.201

Any suggestions for what I might be missing here?

Thanks!

Steve

fuzzylogic

Well-Known Member
Nov 8, 2014
cPanel Access Level
Root Administrator
I'm guessing, but your rule in Phase 1 (Request headers), on match, issues the drop command...
drop

Description: Initiates an immediate close of the TCP connection by sending a FIN packet.
Your rule then attempts to write a response header "status:411", which cannot occur until Phase 3 (Response headers).

If you want your rule to execute in Phase 1 (Request headers), remove "status:411".
If you want it to work as is, change its operating phase to Phase 3 (Response headers). (This kind of defeats the purpose of resource protection.)
If you want it to operate in Phase 1 (Request headers) and log the 411 status, change the disruptive action to deny.

These are untested by me so may be incorrect.

servtastic

Member
Sep 3, 2020
USA
cPanel Access Level
Root Administrator
All good suggestions but still no luck.

Further information:
If the X-Forwarded-For only contains a single IP address, the rule does not error.
If the X-Forwarded-For contains 2 IP addresses, separated by a comma, that's when the rule failure occurs.

Example: Ukraine via SoftLayer in NL:
X-Forwarded-For: 193.106.30.99, 169.46.84.217
Result: ModSecurity: Rule processing failed

Same IP via mojobroadband.co:
X-Forwarded-For: 193.106.30.99, 208.86.120.136
Result: ModSecurity: Rule processing failed

Different error - same issue :(

Same IP set and rule do not fail on REMOTE_ADDR, only on X-Forwarded-For with more than one IP.

Steve
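The failure pattern Steve describes (one address works, "a, b" fails) is what you get when a value that is really a list of hops is handed to an operator that expects exactly one address. The script below is an added example, written for this thread and not code from the original posts, from cPanel or from ModSecurity; it reproduces that behaviour with Python's ipaddress module and then shows the per-hop evaluation a multi-address header needs. The blocklist contents and the "unknown" token are constructed for the example; the header values are the ones quoted in the thread.

```python
"""
Added example (not from the thread, cPanel or ModSecurity): why a single-address
IP matcher fails on a multi-hop X-Forwarded-For value, and how to check each hop
against a blocklist instead.

Assumptions (not from the original post):
  - the blocklist has the same shape as the thread's blacklist-ips.txt:
    one IPv4/IPv6 address or CIDR per line, '#' starts a comment; built inline here.
  - header values are the ones quoted in the thread; "unknown" is a constructed token.
"""
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample blocklist (CIDR ranges included, as @ipMatch accepts them).
BLOCKLIST_TEXT = """\
# constructed sample entries
85.115.60.201
208.86.120.0/24
"""


def load_blocklist(text: str) -> List[IPNetwork]:
    """Parse a blocklist body into network objects, skipping lines that do not parse."""
    nets: List[IPNetwork] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # One bad entry should not take the whole list (and every later rule) down.
            print(f"skipping unparsable blocklist entry: {line!r}")
    return nets


def parse_xff(header_value: str) -> List[IPAddress]:
    """Split a comma-separated X-Forwarded-For value into individual addresses.

    Each proxy appends the peer it received the request from, so the leftmost hop
    is whatever the client claimed and the rightmost is the one added by the
    nearest proxy. Tokens that are not addresses (e.g. 'unknown') are dropped
    rather than failing the whole header.
    """
    hops: List[IPAddress] = []
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            hops.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return hops


def single_address_match(header_value: str, nets: List[IPNetwork]) -> Optional[bool]:
    """Treat the raw header as ONE address, the way a single-IP operator does.

    Returns True/False when the value parses cleanly, or None when it cannot be
    parsed at all, which is exactly the two-address case from the thread.
    """
    try:
        addr = ipaddress.ip_address(header_value.strip())
    except ValueError:
        return None
    return any(addr in n for n in nets)


def per_hop_match(header_value: str, nets: List[IPNetwork]) -> List[str]:
    """Return the hops that fall inside the blocklist, checking each address on its own."""
    return [str(h) for h in parse_xff(header_value) if any(h in n for n in nets)]


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    for xff in ("85.115.60.201", "94.23.238.218, 85.115.60.201"):
        print(f"{xff!r}: single-address -> {single_address_match(xff, nets)}, "
              f"per-hop -> {per_hop_match(xff, nets)}")
```

Two things to carry back to the rule itself. First, split before you match: feed the IP-match operator one address at a time (in ModSecurity that generally means extracting the individual addresses from the header first, for example with a regex capture, and matching on the captured value) rather than the raw comma-separated string. Second, decide which hop you trust. Everything to the left of the entry your own proxy appended is client-supplied and can say anything, so a block decision should be driven by the hop written by a proxy you control, and REMOTE_ADDR remains the only value the server observed directly.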