flexjoly
Verified User
Hi,
Last week we installed a new server with the latest centos7/directadmin/CB2 with nginx-apache and php7.2.
https, ssl, ipv6 everything works nice, except http/2.
Modsecurity gives a 406 error because it wants http/2.
We have formatted/reinstalled the server, but the error keeps coming back.
We really don't know what is wrong or how to fix it.
Error in log:
Code:
2017/12/06 23:41:37 [error] 15247#0: [client 178.84.29.178] ModSecurity: Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "37.97.216.114"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname ""] [uri "/squirrelmail/src/login.php"] [unique_id "AVAcAcAcAcJqAcQ0AsAcAcAc"]
Access log from nginx/apache
Code:
178.84.29.178 - - [06/Dec/2017:23:41:37 +0100] "GET /squirrelmail/src/login.php HTTP/1.1" 406 574 "http://37.97.216.114/squirrelmail/src/redirect.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
178.84.29.178 - - [06/Dec/2017:23:11:41 +0100] "GET / HTTP/1.0" 200 2764 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36 OPR/49.0.2725.47"
Why does it not say 'get http/2' in the logs?
Directadmin.conf
Code:
SSL=1
addip=/usr/local/directadmin/scripts/addip
admin_helper=admin.site-helper.com
admindir=./data/admin
apache_public_html=0
apache_ver=2.0
apachecert=/etc/httpd/conf/ssl.crt/server.crt
apacheconf=/etc/httpd/conf/extra/directadmin-vhosts.conf
apacheips=/etc/httpd/conf/ips.conf
apachekey=/etc/httpd/conf/ssl.key/server.key
apachelogdir=/var/log/httpd/domains
apachemimetypes=/etc/mime.types
brute_force_log_scanner=1
brute_force_scan_apache_logs=0
brute_force_time_limit=12000
brutecount=10
bruteforce=1
cacert=/usr/local/directadmin/conf/cacert.pem
cakey=/usr/local/directadmin/conf/cakey.pem
check_partitions=2
check_subdomain_owner=0
clear_blacklist_ip_time=0
clear_brute_log_entry_time=4
clear_brute_log_time=24
cloud_cache=0
demodocsroot=./data/skins/enhanced
docsroot=./data/skins/enhanced
dovecot=1
emailspoolvirtual=/var/spool/virtual
emailvirtual=/etc/virtual
enforce_difficult_passwords=1
ethernet_dev=eth0
exempt_local_block=1
frontpage_on=0
ftpconfig=/etc/proftpd.conf
ftppasswd=/etc/proftpd.passwd
ftpvhosts=/etc/proftpd.vhosts.conf
ip_brutecount=100
ipv6=1
license=/usr/local/directadmin/conf/license.key
litespeed=0
log_rotate_size=5
logdir=/var/log/directadmin
logger=/usr/local/directadmin/logger
loghostname=0
login_history=10
logs_to_keep=9
lost_password=0
max_per_email_send_limit=-1
max_username_length=10
maxfilesize=10485760
mysqlconf=/usr/local/directadmin/conf/mysql.conf
namedconfig=/etc/named.conf
nameddir=/var/named
nginx=0
nginx_proxy=1
ns1=ns0.transip.nl
ns2=ns1.transip.net
numservers=5
owsadm=/usr/local/frontpage/version5.0/bin/owsadm.exe
partition_usage_threshold=95
port=2222
pureftp=1
purge_spam_days=0
quota_partition=/
removeip=/usr/local/directadmin/scripts/removeip
reseller_helper=reseller.site-helper.com
secure_access_group=access
servername=vps1.rhinestone77.nl
serverpath=/usr/local/directadmin
session_minutes=60
skinsdir=./data/skins
sshdconfig=/etc/ssh/sshd_config
ssl_cipher=HIGH:!aNULL:!MD5
taskqueue=/usr/local/directadmin/data/task.queue
templates=/usr/local/directadmin/data/templates
ticketsdir=/usr/local/directadmin/data/tickets
timeout=60
tmpdir=../../../home/tmp
unified_ftp_password_file=1
user_brutecount=100
user_can_set_email_limit=0
user_helper=www.site-helper.com
userdata=./data/users
user_can_select_skin=1
fm_file_permissions=644
fm_dir_permissons=755
global_httpd_tokens=/usr/local/directadmin/data/admin/global_httpd_tokens.conf
letsencrypt=1
enable_ssl_sni=1
default_private_html_link=1
dkim=1
dns_tlsa=1
http2=1
awstats=1
webalizer=1
hide_brute_force_notifications=1
add_userdb_quota=1
Custombuild options:
Code:
Executing /usr/local/directadmin/plugins/custombuild/admin/build options.
Apache: 2.4.29
Nginx (reverse proxy): 1.13.6
mod_ruid2: no
ModSecurity: 2.9.0
ModSecurity Rule Set: owasp
htscanner: no
Dovecot: 2.2.33.2
Dovecot configuration: yes
AWstats: 7.6
Exim: 4.89.1
exim.conf update: yes, release 4.5
BlockCracking: yes
Easy Spam Fighter: yes
SpamAssassin: 3.4.1
SpamAssassin rule updates: daily
ClamAV: 0.99.2
MariaDB: 10.2.11
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.2 as php-fpm
phpMyAdmin: 4.7.6-all-languages
ProFTPD: no
Pure-FTPd: 1.0.47
RoundCube webmail: 1.3.3
Replace "php.ini" with '/usr/local/directadmin/custombuild/build all' and '/usr/local/directadmin/custombuild/build php_ini': yes
Replace "php.ini" using type: production
Cron for notifications and (or) updates: yes
Cron frequency: daily
Auto notifications: yes
Auto notifications email address: [email protected]
Auto updates: yes
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: 1.4.23-20170731_0200
Zend Guard Loader: no
ionCube loader: no
Suhosin: no
How can we fix this?
Else we have to disable modsecurity....
Thanks in advance, Lydia
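
Added example, not part of the original post: a small Python parser that pulls the rule id, message, target and matched data out of the ModSecurity denial line quoted above, then replays the logged pattern against two Host values (the IP from the log and the servername from the posted directadmin.conf). The function names are hypothetical, and Python's `re` stands in for ModSecurity's PCRE engine.

```python
import re

# Denial line from the post, shortened to the fields parsed below
# (some [tag ...] entries and the unique_id are left out).
LOG_LINE = (
    r'2017/12/06 23:41:37 [error] 15247#0: [client 178.84.29.178] ModSecurity: '
    r'Access denied with code 406 (phase 2). Pattern match "^[\\d.:]+$" at '
    r'REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/'
    r'modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] '
    r'[msg "Host header is a numeric IP address"] [data "37.97.216.114"] '
    r'[severity "WARNING"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] '
    r'[hostname ""] [uri "/squirrelmail/src/login.php"]'
)


def parse_modsec_denial(line):
    """Return the action, matched operator and [key "value"] metadata of one line."""
    action = re.search(r'Access denied with code (\d+) \(phase (\d+)\)', line)
    match = re.search(r'Pattern match "(.*?)" at ([A-Z_]+(?::[\w-]+)?)', line)
    if not action or not match:
        raise ValueError("not a ModSecurity 'Pattern match' denial line")
    result = {
        "code": int(action.group(1)),
        "phase": int(action.group(2)),
        # The log writes each backslash twice; undo that to get the rule's regex.
        "pattern": match.group(1).replace("\\\\", "\\"),
        "target": match.group(2),
        "tags": [],
    }
    for key, value in re.findall(r'\[(\w+) "([^"]*)"\]', line):
        if key == "tag":
            result["tags"].append(value)
        else:
            result[key] = value
    return result


def host_triggers(pattern, host):
    """Replay the rule's regex against a Host header value (Python re, not PCRE)."""
    return re.search(pattern, host) is not None


if __name__ == "__main__":
    hit = parse_modsec_denial(LOG_LINE)
    print(hit["id"], hit["msg"], "->", hit["target"], "=", hit["data"])
    # Host values: the IP from the log, and the servername from directadmin.conf.
    for host in ("37.97.216.114", "vps1.rhinestone77.nl"):
        print(host, "blocked" if host_triggers(hit["pattern"], host) else "allowed")
```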