Hi,
I am wondering what these hits from 127.0.0.1 from ModSecurity are.
I have a lot of triggered events for:
920340: Request Containing Content, but Missing Content-Type header
933150: PHP Injection Attack: High-Risk PHP Function Name Found
930130: Restricted File Access Attempt
920170: GET or HEAD Request with Body Content.
920420: Request content type is not allowed by policy
930100: Path Traversal Attack (/../)
In the Apache logs I can't see the file or user account triggering the events. This is an example:
[Mon Jan 24 09:26:48.782424 2022] [:error] [pid 1690141:tid 47157052811008]
[client 127.0.0.1:54586] [client 127.0.0.1]
ModSecurity: Warning. Matched phrase "/.env" at REQUEST_FILENAME.
[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"]
[line "49"] [id "930130"] [rev "1"] [msg "Restricted File Access Attempt"]
[data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"]
[ver "OWASP_CRS/3.0.0"] [maturity "7"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"]
[tag "platform-multi"] [tag "attack-lfi"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"]
[tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "xx.xx.xx.xx"] [uri "/.env"]
[unique_id "Ye5iyO_W8qvYLc0i0kihTgAAAZM"]
What can I do to investigate better?
Thanks for the help.
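Added example, not part of the original post: a Python parser for ModSecurity entries in the Apache error log that isolates the 127.0.0.1 hits and groups them by rule id and URI. The function names are hypothetical; the first sample entry is the one quoted above (abridged, joined onto one line) and the second is constructed.

```python
import re
from collections import Counter

# Entry 1: the line quoted in the post, abridged and joined onto one line.
# Entry 2: constructed for this example (different client, rule and URI).
SAMPLE_LOG = "\n".join([
    '[Mon Jan 24 09:26:48.782424 2022] [:error] [pid 1690141:tid 47157052811008] '
    '[client 127.0.0.1:54586] [client 127.0.0.1] ModSecurity: Warning. '
    'Matched phrase "/.env" at REQUEST_FILENAME. [file "/etc/apache2/conf.d/'
    'modsec_vendor_configs/OWASP3/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] '
    '[line "49"] [id "930130"] [msg "Restricted File Access Attempt"] '
    '[data "Matched Data: /.env found within REQUEST_FILENAME: /.env"] '
    '[severity "CRITICAL"] [tag "attack-lfi"] [hostname "xx.xx.xx.xx"] '
    '[uri "/.env"] [unique_id "Ye5iyO_W8qvYLc0i0kihTgAAAZM"]',
    '[Mon Jan 24 09:27:02.000000 2022] [:error] [pid 1:tid 2] '
    '[client 192.0.2.10:40000] [client 192.0.2.10] ModSecurity: Warning. '
    '[id "920170"] [msg "GET or HEAD Request with Body Content."] '
    '[severity "CRITICAL"] [hostname "example.test"] [uri "/index.php"] '
    '[unique_id "CONSTRUCTED-ID-0001"]',
])

KV = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')       # [key "value"] pairs
CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')  # IPv4 only

def parse_entry(line):
    """Return the fields of one ModSecurity error-log line, or None."""
    if "ModSecurity:" not in line:
        return None
    client = CLIENT.search(line)
    entry = {"time": line[1:line.find("]")],
             "client": client.group(1) if client else None, "tags": []}
    for key, value in KV.findall(line):
        if key == "tag":
            entry["tags"].append(value)   # tag repeats, so collect it as a list
        else:
            entry[key] = value
    return entry

def loopback_hits(log_text):
    """Entries whose client is 127.0.0.1, the case the post asks about."""
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [e for e in entries if e["client"] == "127.0.0.1"]

def count_by_rule_and_uri(entries):
    return Counter((e.get("id"), e.get("uri")) for e in entries)

if __name__ == "__main__":
    hits = loopback_hits(SAMPLE_LOG)
    for (rule, uri), n in count_by_rule_and_uri(hits).most_common():
        print(n, rule, uri, [e["unique_id"] for e in hits if e["id"] == rule])
```

The `unique_id` values it prints are the strings to search for in the ModSecurity audit log, assuming audit logging is enabled, where the full request is recorded under the same id.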