Apache Mod_Security (WAF) problems.

Resolved BooMeranGz
(@boomerangz)

2 months, 3 weeks ago
Hi,

On my dedicated server, we have the Apache ModSecurity WAF enabled.

Often, when I need to save an ASE change, I must first disable ModSecurity, otherwise the changes won’t be saved.

We’ve disabled some WAF rules, but that behavior hasn’t changed.

A very common case is when I put ASE into “maintenance mode.” It will only work if I disable ModSecurity a few minutes beforehand.

Is there a way to fix this?

Thank you.
- This topic was modified 2 months, 3 weeks ago by BooMeranGz.

Viewing 11 replies - 1 through 11 (of 11 total)

Plugin Author Bowo
(@qriouslad)

2 months, 2 weeks ago

@boomerangz thanks for reporting this. It’s likely because ASE”s POST payload when saving changes is considerably large, and is sounding an alarm with ModSecurity. I’m considering moving out some modules’ settings out of the ASE settings page to remedy this. For example, the Admin Menu Organizer module settings can be moved out to a separate “Settings >> Admin Menu” page.

If you are aware of a specific ModSecurity that is checking for the size of a POST payload, and can disable that or make the limit larger (larger than 250KB), that might fix the issue for you.

Thread Starter BooMeranGz
(@boomerangz)

2 months, 2 weeks ago

Hi @qriouslad, thanks for your response.

I’ll bring this up with the sysadmin so they can see what rules might allow for a higher bit rate.
I’ll come back to this thread if I hear any progress.
(I just remembered that this same thing happened to me once when I tried to save work with Elementor)

Saludos.

Plugin Author Bowo
(@qriouslad)

2 months, 2 weeks ago

@boomerangz thank you. I look forward to hear what you or your sysadmin finds.

Thread Starter BooMeranGz
(@boomerangz)

2 months, 2 weeks ago

Hi @qriouslad,

Sysadmin response:
“I have increased the max request body limit in modsecurity, SecRequestBodyLimit.”

Also, he told me that you should consider modifying the plugin; it’s not a good idea to change certain modsecurity security settings.

Regards.

Plugin Author Bowo
(@qriouslad)

2 months, 2 weeks ago

@boomerangz thanks for reporting back Very well noted. I’ve been considering moving out one or more module settings into a separate admin page to reduce the size of the POST payload of the ASE settings page. One good candidate for that is the Admin Menu Organizer module.

Plugin Author Bowo
(@qriouslad)

2 months, 2 weeks ago

p.s. I’ve added this to the list of known issues: https://www.wpase.com/documentation/known-issues/

Thread Starter BooMeranGz
(@boomerangz)

2 months, 2 weeks ago

Thanks for taking note, we will wait for news…

Regards.

Plugin Author Bowo
(@qriouslad)

2 months, 1 week ago

@boomerangz in the next release, v7.8.5, the Admin Menu Organizer settings (the menu sortables section) will be moved out of the ASE settings page into a dedicated “Admin Menu” page/item under the Settings menu. This should significantly reduce the size of the POST payload.

Feel free to ask your sysadmin to dial back the value of SecRequestBodyLimit in ModSecurity to see if you’re able to save ASE settings just fine in v7.8.5.

Thread Starter BooMeranGz
(@boomerangz)

2 months, 1 week ago

Hi @qriouslad,

Thanks for letting me know.
Immediately after installing the 7.8.5 update, I’ll tell the sysadmin so they can return the ModSecurity settings to their defaults.
Once all this is done, I’ll run the tests and come back here to let you know the results.

Best regards.

Thread Starter BooMeranGz
(@boomerangz)

2 months ago

Hi @qriouslad

I’m back to let you know that mod_security has been reset to its default (lower) values in Apache.
I ran several tests to save ASE settings, and they all worked!
You can close this thread.

Thank you very much for your help and work.

Plugin Author Bowo
(@qriouslad)

2 months ago

@boomerangz thanks for reporting back! Glad to hear problem has been fixed.

Viewing 11 replies - 1 through 11 (of 11 total)

You must be logged in to reply to this topic.