Hi Matej,

> On 29 Nov 2016, at 11:08, Matej Zuzčák <mzuz...@secit.sk> wrote:
> Hello all,
> I have installed Drupal 7 on latest version of Nginx web server which
> was compiled with support of ModSecurity module. I have activated core
> OWASP rule set. But when I active ModSecurity in my virtual host config
> file for my Drupal 7 web I do not login, register or reset password with
> this error in log:
> [error] 11158#0: *1 open() "/var/www/MY_WEBSITE/node" failed (2: No such
> file or directory), client: IP, server: MY_SERVER, request: "POST
> /node?destination=node HTTP/1.1", host: "MY_WEBSITE", referrer:
> "http://MY_WEBSITE/";
> And client gets 404 error page.
> I applied these practices
> https://geekflare.com/modsecurity-owasp-core-rule-set-nginx/ and
> https://www.netnea.com/cms/2016/11/22/securing-drupal-with-modsecurity-and-the-core-rule-set-crs3/
> When I change SecRuleEngine from "On" to "DetectionOnly" result is the
> same, For correct operation I have to "switch off" ModSecurity in
> virtual host config for domain.
> So please have you any advices for solving this problem?

What version of ModSecurity are you using with nginx?

ModSecurity 2.x with its "standalone" mode is somewhat outdated.

Currently there are libmodsecurity (aka ModSecurity 3.x) project [1] and 
special nginx connector module [2]
that should be used instead.

Also it is a good idea to report ModSecurity related issues to the 
corresponding github projects.

[1] https://github.com/SpiderLabs/ModSecurity/tree/v3/master
[2] https://github.com/SpiderLabs/ModSecurity-nginx/tree/master

nginx mailing list

Reply via email to