Modsecurity 阻止我的合法 POST 请求（403 禁止）

我是 modsecurity 主题的新手，所以我不知道在哪里查找此问题的原因。

我在新的 nginx/1.24.0 服务器上设置了 modsecurity，并使用默认的推荐规则集：coreruleset-3.3.0，从那时起我的 POST XHR 请求就被阻止了。 这是基本的 Laravel/Livewire 表单。

modsecurity 发送和记录的标头如下所示：

POST /livewire/update HTTP/2.0
content-type: application/json
origin: https://example.com
referer: https://example.com/en
pragma: no-cache
accept-encoding: gzip, deflate, br
cookie: XSRF-TOKEN=eyJpdiI6IkJVTXpEK01rYTRYVFI1aGxjOE9T...
content-length: 540
accept-language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
te: trailers
accept: */*
cache-control: no-cache
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
sec-fetch-site: same-origin
sec-fetch-dest: empty
authorization: Basic Y2Z0cmFbjpjmdG9u
host: example.com
sec-fetch-mode: no-cors

和日志报告：

1. “内容长度 HTTP 标头不是数字” - 但对我来说“540”看起来是数字！

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^\d+$' against variable `REQUEST_HEADERS:content-length' (Value: `540' ) 
[file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "127"] 
[id "920160"] 
[msg "Content-Length HTTP header is not numeric"] 
[data "540"] 
[severity "2"] 

2. “非法内容类型标头” - 为什么“application/json”是非法的？

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\w/.+-]+(?... against variable `REQUEST_HEADERS:content-type' (Value: `application/json' ) 
[file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "915"] 
[id "920470"] 
[rev ""] 
[msg "Illegal Content-Type header"] 
[data "application/json"] 
[severity "2"] 

3. “无效的 HTTP 请求行”- 什么是无效的：“POST /livewire/update HTTP/2.0”？

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:(?:[a-... against variable `REQUEST_LINE' (Value: `POST /livewire/update HTTP/2.0' ) 
[file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] 
[line "47"] 
[id "920100"] 
[msg "Invalid HTTP Request Line"] 
[data "POST /livewire/update HTTP/2.0"]

..然后请求被阻止

ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) 
[file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] 
[line "80"] 
[id "949110"] 
[msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] 
[data ""] 
[severity "2"] 

所以我非常惊讶，我不知道我能做些什么，因为这些规则似乎合法，但我也不想违反其中任何一个。

还使用简单的curl查询测试了这种情况：

curl -v -d '{"arg":"foo", "arg2":bar}' -H "content-length: 25" -H "content-type: application/json" -H "x-format-output: txt-matched-rules" "https://example.com/livewire/update"

我也被403屏蔽了：

---EdzD52pk---A--
[22/Jan/2024:12:50:45 +0000] 1705927845 127.0.0.1 57452 127.0.0.1 443
---EdzD52pk---B--
POST /livewire/update HTTP/2.0
host: example.com
user-agent: curl/7.81.0
accept: */*
x-format-output: txt-matched-rules
content-length: 25
content-type: application/json


---EdzD52pk---F--
HTTP/2.0 403
Server: nginx/1.24.0
Date: Mon, 22 Jan 2024 12:50:45 GMT
Content-Length: 153
Content-Type: text/html
Connection: close

---EdzD52pk---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^\d+$' against variable `REQUEST_HEADERS:content-length' (Value: `25' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "127"] [id "920160"] [rev ""] [msg "Content-Length HTTP header is not numeric"] [data "25"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/livewire/update"] [unique_id "1705927845"] [ref "v114,2"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\w/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w.()+,/:=?<>@-]+)*$' against variable `REQUEST_HEADERS:content-type' (Value: `application/json' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "915"] [id "920470"] [rev ""] [msg "Illegal Content-Type header"] [data "application/json"] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "127.0.0.1"] [uri "/livewire/update"] [unique_id "1705927845"] [ref "v131,16t:lowercase"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^(?i:(?:[a-z]{3,10}\s+(?:\w{3,7}?://[\w\-\./]*(?::\d+)?)?/[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?|connect (?:\d{1,3}\.){3}\d{1,3}\.?(?::\d+)?|options \*)\s+[\w\./]+|get /[^?#]*(?:\?[^#\s]*)?(?:#[\S]*)?)$' against variable `REQUEST_LINE' (Value: `POST /livewire/update HTTP/2.0' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "47"] [id "920100"] [rev ""] [msg "Invalid HTTP Request Line"] [data "POST /livewire/update HTTP/2.0"] [severity "4"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "127.0.0.1"] [uri "/livewire/update"] [unique_id "1705927845"] [ref "v0,30"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `13' ) [file "/etc/nginx/modsec/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.0.1"] [uri "/livewire/update"] [unique_id "1705927845"] [ref ""]