ModSecurity 2.9.3 removes headers on nginx

[DeoMortis]

Describe the bug

We included modsecurity into our nginx. If only we set ModSecurityEnabled On all custom response headers are gone. The only that are left are:

• Content-Type
• Transfer-Encoding
• Connection
• Location
• Cache-Control
• Expires
• Date
• Server - this one is an empty string, doesn't occur with ModSecurityConfig Off so i seems being added by it.

Response body is fine.
Request body and headers are delivered correctly to upstream server.

Our services return a bunch of headers like:

• Custom headers like : X-Request-ID, X-XSS-Protection
• CORS headers (Access-Control-Allow-Origin, Access-Control-Expose-Headers etc)
  all of them are gone.

Logs and dumps

Output of:

1. DebugLogs (level 9)

[08/Jan/2019:15:19:36 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Initialising transaction (txid AcgcABXHAcAcAcAcUcOcA4AS).
[08/Jan/2019:15:19:36 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Transaction context created (dcfg 21adb98).
[08/Jan/2019:15:19:36 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Processing disabled, skipping (hook request_early).
[08/Jan/2019:15:19:37 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Initialising logging.
[08/Jan/2019:15:19:37 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Starting phase LOGGING.
[08/Jan/2019:15:19:37 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][9] This phase consists of 0 rule(s).
[08/Jan/2019:15:19:37 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Recording persistent data took 0 microseconds.
[08/Jan/2019:15:19:37 +0000] [/sid#21ad2c0][rid#221cdb0][/priv-server/entity][4] Audit log: Ignoring a non-relevant request.

2. AuditLogs - nothing is shown
3. Error logs - nothing is shown
4. If there is a crash, the core dump file. - n/a

To Reproduce

Steps to reproduce the behavior:

1. Have any service that returns any header not from the above list. e.g. X-Custom-Header
2. Configure nginx to proxy_pass to that service with modsecurity enabled (no rules necessary)
3. Call using any client e.g. curl

Expected behavior

Custom response headers should not be removed.

Server (please complete the following information):

• ModSecurity version (and connector): ModSecurity v2.9.3
• WebServer: nginx-1.11.2
• OS (and distro): Centos 7

Rule Set (please complete the following information):

• Running any public or commercial rule set? no rules
• What is the version number? - n/a

Additional context

[LeeShan87]

Hi @DeoMortis,

ModSerurity v2.9 has many memory issues with Nginx. This is one of the main reasons why libmodsecury (v3) was created.

You can compile it, like: https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x#centos-7-minimal

We are using Nginx 1.13.8 wiht libmodsecury v3.0.0, and we have not notice this issue with it.

(Side note: My experience with Nginx with ModSecury v2.9 is, that sometimes it consumed every resource on a production server. Don't use it like this)

[DeoMortis]

Thanks @LeeShan87
I will give it a try.

[victorhora]

Hi @DeoMortis

As precisely pointed out by @LeeShan87, ModSecurity 2.9.x with Nginx is not recommended. This setup is not supported anymore.

Please move to libModSecurity (aka 3.x) for Nginx. Thanks :)

[DeoMortis]

Hi @victorhora

Thank you for your reply.

I think that site https://www.modsecurity.org/download.html should be updated. The section at the bottom has links for modsecurity for nginx which point to version 2.9.3. This caused my confusion.