
Dreamhost broke my ActivityPub C2S with changes to Apache mod_security rules today. They have fixed it now, and not explained exactly what was wrong. I debugged it sufficiently from the server error logs to decide it was probably their fault and not mine (my code hadn't changed and I couldn't reproduce it locally). The logs said things like:

ModSecurity: Warning. Pattern match "[\\\
\\\
]" at REQUEST_FILENAME. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "219"] [id "921190"] [msg "HTTP Splitting (CR/LF in request filename detected)"] [data "Matched Data: user-agent found within REQUEST_FILENAME: /.

\\x0a
\\x0a \\x0a

and

ModSecurity: Warning. Operator GE matched 7 at TX:inbound_anomaly_score. [file "/dh/apache2/template/etc/mod_sec3_CRS/RESPONSE-980-CORRELATION.conf"] [line "87"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=5,SESS=0): individual paranoia level scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]

and

ModSecurity: Rule 3525d796f28 [id "932110"][file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "256"] - Execution error - PCRE limits exceeded (-8): (null).

and

ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "970"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|application/ld+json|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"]

which are not settings I've had to mess with before, so I'm glad I pay other people to deal with this for me.
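If you hit the same wall and want to work out from the error log which CRS rule is actually refusing the request, the following script is an added example (mine, not the author's code or anything DreamHost ships). It parses the bracketed `[key "value"]` fields that ModSecurity writes, pulls the per-category anomaly scores out of the 980130 correlation message, and for rule 920420 reports the content type that the `tx.allowed_request_content_type` allow-list refused. The sample lines are copied from the log excerpts above; the regexes assume the error-log layout shown there, and the `triage` summary wording is mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the error-log excerpts in the post (the multi-line 921190
# entry is omitted because the CR/LF bytes inside it are not reproducible on one line).
SAMPLE_LOG = [
    'ModSecurity: Warning. Operator GE matched 7 at TX:inbound_anomaly_score. '
    '[file "/dh/apache2/template/etc/mod_sec3_CRS/RESPONSE-980-CORRELATION.conf"] '
    '[line "87"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 '
    '- SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=5,SESS=0): individual paranoia level '
    'scores: 10, 0, 0, 0"] [ver "OWASP_CRS/3.3.0"] [tag "event-correlation"]',
    'ModSecurity: Rule 3525d796f28 [id "932110"]'
    '[file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-932-APPLICATION-ATTACK-RCE.conf"]'
    '[line "256"] - Execution error - PCRE limits exceeded (-8): (null).',
    'ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against '
    '"TX:content_type" required. '
    '[file "/dh/apache2/template/etc/mod_sec3_CRS/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "970"] [id "920420"] [msg "Request content type is not allowed by policy"] '
    '[data "|application/ld+json|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"]',
]

# One bracketed field: [key "value"], allowing backslash-escaped quotes inside the value.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Score summary embedded in the CRS 980130 message.
SCORE_RE = re.compile(r'Total Inbound Score: (\d+) - ([A-Z0-9=,]+)')
ERROR_RE = re.compile(r'Execution error - (.*)$')


@dataclass
class ModSecEvent:
    rule_id: str
    fields: Dict[str, str]
    execution_error: Optional[str]


def parse_event(line: str) -> ModSecEvent:
    """Split one ModSecurity error-log line into its bracketed fields."""
    fields = dict(FIELD_RE.findall(line))
    err = ERROR_RE.search(line)
    return ModSecEvent(
        rule_id=fields.get("id", ""),
        fields=fields,
        execution_error=err.group(1).strip() if err else None,
    )


def inbound_scores(event: ModSecEvent) -> Optional[Tuple[int, Dict[str, int]]]:
    """For a 980130 correlation event, return (total, {category: score})."""
    m = SCORE_RE.search(event.fields.get("msg", ""))
    if not m:
        return None
    per_category = dict(part.split("=") for part in m.group(2).split(","))
    return int(m.group(1)), {k: int(v) for k, v in per_category.items()}


def rejected_content_type(event: ModSecEvent) -> Optional[str]:
    """For 920420, return the Content-Type the allow-list refused, minus its |...| delimiters."""
    if event.rule_id != "920420":
        return None
    return event.fields.get("data", "").strip("|")


def triage(lines: List[str]) -> Dict[str, str]:
    """Map each rule id to a one-line explanation of why it fired (wording is mine)."""
    report: Dict[str, str] = {}
    for line in lines:
        ev = parse_event(line)
        if ev.execution_error:
            report[ev.rule_id] = "engine error, not a match: " + ev.execution_error
        elif rejected_content_type(ev):
            report[ev.rule_id] = (
                "Content-Type %r is not in tx.allowed_request_content_type"
                % rejected_content_type(ev)
            )
        elif inbound_scores(ev):
            total, cats = inbound_scores(ev)
            hot = ", ".join("%s=%d" % (k, v) for k, v in cats.items() if v)
            report[ev.rule_id] = "anomaly score %d exceeded threshold (%s)" % (total, hot)
        else:
            report[ev.rule_id] = ev.fields.get("msg", "unparsed")
    return report


if __name__ == "__main__":
    for rule_id, why in triage(SAMPLE_LOG).items():
        print(rule_id, "->", why)
```

Running it on the three sample lines shows the two findings that matter for a JSON-LD client: 920420 names `application/ld+json` as the refused type, and 980130 shows the whole inbound score (10) came from the HTTP protocol category, so no injection signature was involved, just the content-type policy. The 932110 line is an engine error (a PCRE backtracking limit), which is worth noting separately because it is not evidence of anything wrong with the request.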

I'm just dropping this all here in case other people have similar problems and are searching. (I don't think POSTing forms between origins is that niche, but doing it with JSON-LD payloads might be, and it might come up more as more people realise the diverse-clients-generic-servers decentralised social web dream...)

🏷 hacking sloph DreamHost apache mod_security servers

Post created with https://apps.rhiaro.co.uk/no-ceremonies-are-necessary