Mod Security latest OWASP rules

LawsHosting

Ever since updating the OWASP rules, I've been seeing a lot of rule 920171 hits, but spontaneously:
Code:
"Access denied with code 406 (phase 1). Match of \"eq 0\" against \"&REQUEST_HEADERS:Transfer-Encoding\" required. [file \"/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"217\"] [id \"920171\"] [msg \"GET or HEAD Request with Transfer-Encoding\"] [data \"1\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.24.1\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS/PROTOCOL-ENFORCEMENT\"] [tag \"capec/1000/210/272\"]"
Not sure why it would... Has anyone seen this too?

Of course, I've now whitelisted the rule. I'm just curious.

Added: I proxy through Cloudflare.
 
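As a worked example added here (not code from the thread or from the OWASP CRS project), a small Python parser for the ModSecurity error-log message format quoted above: it unescapes the message, pulls out the operator and variable, rule id, data (for 920171 that is the Transfer-Encoding header count), file/line and tags, and tallies hits per rule id over a constructed sample, so the frequency of 920171 relative to other rules can be checked before deciding on an exclusion. The second sample line is made up for contrast.

```python
import re
from collections import Counter

# Bracketed key/value fields ModSecurity appends to every message, e.g.
# [id "920171"] or [tag "OWASP_CRS"]; "tag" repeats, so it is collected as a list.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# Operator/variable pair in the free-text part: Match of "eq 0" against "...".
MATCH_RE = re.compile(r'Match of "([^"]+)" against "([^"]+)" required')


def parse_modsec_message(line):
    """Split one ModSecurity v2 error-log message into a dict of its fields."""
    # Apache writes the message as one quoted string with inner quotes escaped;
    # undo that first so the bracketed fields can be matched.
    msg = line.strip().strip('"').replace('\\"', '"')
    head = msg.split(' [', 1)[0]          # free text before the first field
    rec = {'text': head, 'tag': []}
    m = MATCH_RE.search(head)
    if m:
        rec['op'], rec['var'] = m.group(1), m.group(2)
    for key, val in FIELD_RE.findall(msg):
        if key == 'tag':
            rec['tag'].append(val)
        else:
            rec[key] = val
    return rec


def summarize(lines, rule_id='920171'):
    """Count hits per rule id and collect the parsed records for one rule."""
    counts, hits = Counter(), []
    for line in lines:
        rec = parse_modsec_message(line)
        rid = rec.get('id')
        if rid is None:
            continue                      # not a rule hit (e.g. truncated line)
        counts[rid] += 1
        if rid == rule_id:
            hits.append(rec)
    return counts, hits


# Constructed sample: the first line is the one quoted in the thread, the second
# is a made-up anomaly-score message in the same format, for contrast.
SAMPLE_LINES = [
    r'"Access denied with code 406 (phase 1). Match of \"eq 0\" against \"&REQUEST_HEADERS:Transfer-Encoding\" required. [file \"/etc/modsecurity.d/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"217\"] [id \"920171\"] [msg \"GET or HEAD Request with Transfer-Encoding\"] [data \"1\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/4.24.1\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS/PROTOCOL-ENFORCEMENT\"] [tag \"capec/1000/210/272\"]"',
    r'"Access denied with code 403 (phase 2). [file \"/etc/modsecurity.d/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"1\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [tag \"OWASP_CRS\"]"',
]

COUNTS, TE_HITS = summarize(SAMPLE_LINES)
```

Feed it the ModSecurity messages from your Apache error log (one per line) to see which rule ids dominate; a 920171 record with `data` of 1 means exactly one Transfer-Encoding header was present on a GET or HEAD request.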
Same situation here—yours is the only post I've found with the same problem.
I'm also very curious to know the explanation.
Did you find something?
Thanks.
 
Also started getting these errors and 403 forbidden for clients in result. What was the cause??
 
I've disabled CF's HTTP/2 to Origin, as per ChatGPT's advice... I'm testing that now.

You can remove the Transfer-Encoding header via CF as well, but that's a last resort. I read that the header is only for HTTP/1.1?
 