I will preface this with saying that to my knowledge, this problem started after upgrading to AlmaLinux 8 and/or enabling the nginx reverse proxy.
Feeling that modsec 2 was not working, I followed the modsec 3 guide, found here: https://blog.cpanel.com/how-to-install-and-configure-modsecurity-in-cpanel/
I have two cpanel installations running on AlmaLinux 8, on current cpanel 110.0.5, both with modsec not functioning.
I've been using an obvious sql injection example to test. I can't put it here because your WAF catches it. lol
cpanel 1: I have a dotnet web application, nginx reverse proxies for - I can put the obvious sql injection into the search bar and it is processed by nginx and my webapp as normal. It is processed as a GET request, so this should be exceptionally easy to catch. Nothing in the hit list log on WHM.
I also have a hidden, legacy php application, also using nginx rev proxy, and it doesn't catch it either.
cpanel 2: I have two newer php applications using nginx rev proxy. Nothing in the hit list log on WHM.
Before I "elevated" to AlmaLinux from CentOS7, I would routinely get notifications of ModSec violations, and the CSF would block the offending IP addresses, many times a day. Now, I get nothing.
I have tried switching from mod_ruid2 to mod_suexec, as this was mentioned as a possible workaround for similar issues, but doing so has not changed anything.
Is the nginx reverse proxy just not supported here? Or is there something else that I need to configure?
Thanks,
Dan