Hi,

If you are hitting modsec rules, these ought to be logged in a file. Forgotten the file name because it's been a while. The logging of blocking rules must be enabled in the .conf somewhere. At least this was the case years ago.
At least this can rule out modsec.

sent from phone, thus brief

On 12 Apr 2020, at 5:08 pm, David Mehler <[email protected]> wrote:

Hello,

I've upgraded my csp policy to v2 setup. My server is now being contrary, ie11 is working just fine, letting me log in to roundcube and deal with email sending. Chrome and Firefox are both hanging at the login screen, with no errors. Whenever I comment out the loading of this file things start working. Is there something in this file that is notably wrong/misconfigured? Also, when using roundcube and modsecurity 2.9.x are there any gotchas or things that need to be specially configured?

Thanks.
Dave.

#
# httpd-security.conf:
# Security hardening settings
#

# Disable ETag
# FileETag None doesn't work in all cases.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None

# Unset the server
Header unset Server

# Disable Trace http requests
TraceEnable off

# Set cookie with HttpOnly and Secure flag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Prevent ClickJacking
# Deny outright
#Header always set X-Frame-Options DENY
# Roundcube needs this for displaying messages in tabs
#Header always set X-Frame-Options SAMEORIGIN

# Prevent Cross Site Scripting (XSS)
#Header set X-XSS-Protection "1; mode=block"

# Prevent Mime Types Security risks
# Enforce MIME types for script and style elements
Header always set X-Content-Type-Options nosniff

# Content-Security-Policy
#Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self'; frame-ancestors 'self'"

# Enable Content Security Policy (Level 2)
Header always set Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self'; base-uri 'none'; frame-ancestors 'none'; form-action 'none'"

# Disable Referrer which isn't needed when you don't use authentication
#Header always set Referrer-Policy "no-referrer"
Header always set Referrer-Policy "strict-origin"

# Cross-domain-policy
Header set X-Permitted-Cross-Domain-Policies "none"

# Referer policy
#Header always set Referrer-Policy "strict-origin"

# expect-ct policy
Header always set Expect-CT 'enforce, max-age=43200'

# Enable HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

# unset the server powered by header
Header unset X-Powered-By
Header always unset X-Powered-By

# Disable HTTP 1.0 protocol
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# For mod security
#<IfModule security3_module>
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
#Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
#</IfModule>

# mod_evasive
#<IfModule mod_evasive20.c>
#DOSHashTableSize 3097
#DOSPageCount 2
#DOSSiteCount 50
#DOSPageInterval 1
#DOSSiteInterval 1
#DOSBlockingPeriod 60
#DOSEmailNotify [email protected]
#DOSWhitelist 127.0.0.1
#DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
#</IfModule>

# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>

# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting
<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
<IfModule mod_mime.c>

    # Data interchange
    AddType application/atom+xml atom
    AddType application/json json map topojson
    AddType application/ld+json jsonld
    AddType application/rss+xml rss
    AddType application/geo+json geojson
    AddType application/rdf+xml rdf
    AddType application/xml xml

    # JavaScript
    # Servers should use text/javascript for JavaScript resources.
    # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
    AddType text/javascript js mjs

    # Manifest files
    AddType application/manifest+json webmanifest
    AddType application/x-web-app-manifest+json webapp
    AddType text/cache-manifest appcache

    # Media files
    AddType audio/mp4 f4a f4b m4a
    AddType audio/ogg oga ogg opus
    AddType image/bmp bmp
    AddType image/svg+xml svg svgz
    AddType image/webp webp
    AddType video/mp4 f4v f4p m4v mp4
    AddType video/ogg ogv
    AddType video/webm webm
    AddType video/x-flv flv

    # Serving `.ico` image files with a different media type
    # prevents Internet Explorer from displaying them as images:
    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
    AddType image/x-icon cur ico

    # WebAssembly
    AddType application/wasm wasm

    # Web fonts
    AddType font/woff woff
    AddType font/woff2 woff2
    AddType application/vnd.ms-fontobject eot
    AddType font/ttf ttf
    AddType font/collection ttc
    AddType font/otf otf

    # Other
    AddType application/octet-stream safariextz
    AddType application/x-bb-appworld bbaw
    AddType application/x-chrome-extension crx
    AddType application/x-opera-extension oex
    AddType application/x-xpinstall xpi
    AddType text/calendar ics
    AddType text/markdown markdown md
    AddType text/vcard vcard vcf
    AddType text/vnd.rim.location.xloc xloc
    AddType text/vtt vtt
    AddType text/x-component htc

</IfModule>

# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
AddDefaultCharset utf-8

# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
<IfModule mod_mime.c>
    AddCharset utf-8 .appcache \
                     .bbaw \
                     .css \
                     .htc \
                     .ics \
                     .js \
                     .json \
                     .manifest \
                     .map \
                     .markdown \
                     .md \
                     .mjs \
                     .topojson \
                     .vtt \
                     .vcard \
                     .vcf \
                     .webmanifest \
                     .xloc
</IfModule>

# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow
# anyone to surf through every directory on your server (which may
# include rather private places such as the CMS's directories).
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
<IfModule mod_headers.c>
    # no-referrer-when-downgrade (default)
    # This should be the user agent's default behavior if no policy is
    # specified. The origin is sent as referrer to a-priori as-much-secure
    # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
    # (HTTPS->HTTP).
    Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>

# Compress all output labeled with one of the following media types.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
<IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE "application/atom+xml" \
                                  "application/javascript" \
                                  "application/json" \
                                  "application/ld+json" \
                                  "application/manifest+json" \
                                  "application/rdf+xml" \
                                  "application/rss+xml" \
                                  "application/schema+json" \
                                  "application/geo+json" \
                                  "application/vnd.ms-fontobject" \
                                  "application/wasm" \
                                  "application/x-font-ttf" \
                                  "application/x-javascript" \
                                  "application/x-web-app-manifest+json" \
                                  "application/xhtml+xml" \
                                  "application/xml" \
                                  "font/eot" \
                                  "font/opentype" \
                                  "font/otf" \
                                  "image/bmp" \
                                  "image/svg+xml" \
                                  "image/vnd.microsoft.icon" \
                                  "text/cache-manifest" \
                                  "text/calendar" \
                                  "text/css" \
                                  "text/html" \
                                  "text/javascript" \
                                  "text/plain" \
                                  "text/markdown" \
                                  "text/vcard" \
                                  "text/vnd.rim.location.xloc" \
                                  "text/vtt" \
                                  "text/x-component" \
                                  "text/x-cross-domain-policy" \
                                  "text/xml"
</IfModule>

# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
#
# If these files types would be served without an appropriate
# `Content-Encoding` response header, client applications (e.g.:
# browsers) wouldn't know that they first need to uncompress
# the response, and thus, wouldn't be able to understand the
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
<IfModule mod_mime.c>

_______________________________________________
Roundcube Users mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/users
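Separately from the modsec question, the symptom described in the quoted message (IE11 works, Chrome and Firefox hang at the login screen, everything works once the file is not loaded) is consistent with the active "Level 2" policy in that file rather than with a WAF rule: the browsers that enforce the standard Content-Security-Policy header apply it, and IE11 does not. Under CSP, a fetch directive that is not listed inherits default-src, so with `default-src 'none'` and no `script-src` or `connect-src`, both script loading and XHR fall back to 'none', and `form-action 'none'` additionally blocks the login form from being submitted. The commented-out policy above it names both script-src and connect-src, which is why it did not have this effect. The following script is an added example, not code from the thread, from Roundcube or from Apache; it parses the two policies from the posted file, applies the default-src fallback rule, and reports which resource types end up blocked. The list of resource types a JavaScript-driven login page needs (LOGIN_PAGE_NEEDS) is an assumption, not taken from Roundcube's documentation.

```python
# Added example (not from the thread, Roundcube or Apache): resolve which
# resource types a Content-Security-Policy actually permits, taking the
# default-src fallback into account, and report the ones that end up blocked.
#
# Fallback rule (CSP Level 2/3): a *fetch* directive that is absent from the
# policy inherits default-src.  Navigation/document directives such as
# form-action, base-uri and frame-ancestors do NOT inherit anything.
from typing import Dict, List, Optional, Sequence

FETCH_DIRECTIVES = frozenset({
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "media-src", "object-src", "frame-src", "worker-src", "manifest-src",
    "child-src",
})

# The two policies from the posted httpd-security.conf: the commented-out
# one (CSP_OLD) and the active "Level 2" one (CSP_LEVEL2).
CSP_OLD = ("default-src 'self'; script-src 'self'; connect-src 'self'; "
           "img-src 'self'; style-src 'self'; frame-ancestors 'self'")
CSP_LEVEL2 = ("default-src 'none'; img-src 'self'; style-src 'self'; "
              "font-src 'self'; base-uri 'none'; frame-ancestors 'none'; "
              "form-action 'none'")

# Resource types a script-driven webmail login page depends on (assumption,
# not taken from Roundcube's documentation): its own scripts, XHR/fetch calls
# back to the server, styles, images, and a login form that must be allowed
# to POST.
LOGIN_PAGE_NEEDS: Sequence[str] = (
    "script-src", "connect-src", "style-src", "img-src", "form-action",
)


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first occurrence of a name wins, as
    browsers ignore duplicate directives within one policy.
    """
    policy: Dict[str, List[str]] = {}
    for token in header_value.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, [s.lower() for s in parts[1:]])
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Optional[List[str]]:
    """Return the source list that governs `directive`, or None when the
    policy does not constrain it at all (absent and nothing to inherit)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def blocked_directives(header_value: str,
                       needed: Sequence[str] = LOGIN_PAGE_NEEDS) -> List[str]:
    """List the needed directives whose effective value permits nothing.

    'none' (or an empty source list) blocks the resource type outright; any
    other value is reported as "may be allowed", because this helper does
    not evaluate host-source matching against actual URLs.
    """
    policy = parse_csp(header_value)
    blocked = []
    for directive in needed:
        sources = effective_sources(policy, directive)
        if sources is not None and (not sources or sources == ["'none'"]):
            blocked.append(directive)
    return blocked


def explain(header_value: str,
            needed: Sequence[str] = LOGIN_PAGE_NEEDS) -> List[str]:
    """One human-readable line per blocked directive, saying why it is blocked."""
    policy = parse_csp(header_value)
    lines = []
    for directive in blocked_directives(header_value, needed):
        if directive in policy:
            lines.append(f"{directive} is explicitly 'none'")
        else:
            lines.append(f"{directive} is absent and inherits default-src 'none'")
    return lines


if __name__ == "__main__":
    for label, csp in (("old policy", CSP_OLD), ("Level 2 policy", CSP_LEVEL2)):
        print(f"{label}: blocked = {blocked_directives(csp) or 'nothing'}")
        for line in explain(csp):
            print("  -", line)
```

Run against the active policy it reports script-src and connect-src as inheriting `default-src 'none'` and form-action as explicitly 'none'; against the commented-out policy it reports nothing blocked. The same conclusion can be confirmed without any code from the browser's developer-tools console, which logs every load or form submission refused by CSP, whereas a modsec block would show up in the ModSecurity audit log on the server side instead.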
