ModSecurity errors related to REQUEST_METHOD HTTP/1.1 and GET

Fredrik Johansson asked:

I asked my host to switch on the log file, and it has been increasing a lot since then. It has increased by 700 MB over the last week.
It's filled with error messages related to ModSecurity.

Most of them look like this:

[Thu Jun 20 16:49:01 2013] [error] [client 157.55.33.88] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "www.url.se"] [uri "/page-pr-2317.html"] [unique_id "UcMWXcCoEXsAAE4QF8QAAAAh"]

[Thu Jun 20 16:49:01 2013] [error] [client 157.55.33.88] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "www.url.se"] [uri "/page-pr-2317.html"] [unique_id "UcMWXcCoEXsAAE4QF8QAAAAh"]

[Thu Jun 20 16:49:02 2013] [error] [client 95.211.116.112] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "www.url.se"] [uri "/images/image.jpg"] [unique_id "UcMWXsCoEXsAACkYfrAAAAAN"]

[Thu Jun 20 16:49:02 2013] [error] [client 95.211.116.112] ModSecurity: Warning. Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "www.url.se"] [uri "/images/image.jpg"] [unique_id "UcMWXsCoEXsAACkYfrAAAAAN"]

[Tue Jun 25 20:18:18 2013] [error] [client 85.224.51.23] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "www.url.se"] [uri "/images/image2.gif"] [unique_id "Ucne6sCoEXsAAHXDKMwAAAA9"]

[Tue Jun 25 20:17:58 2013] [error] [client 81.234.144.108] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/httpd/conf.d/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "POST"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "www.url.se"] [uri "/page2-p-500.html"] [unique_id "Ucne1sCoEXkAAE@LBx8AAABK"]

I asked my host and they told me that some of the error messages might be due to visitors using old browsers that don't have the HTTP/1.1 protocol.

They also told me that the settings in mod_security should allow GET, HEAD, POST and OPTIONS, but for some reason it gives error messages for these anyway. They haven't told me why, and it doesn't look like they are going to investigate it.
I saw that one of the IPs belongs to Bingbot.

I don't know much about mod_security so I need some guidance. I found a similar question at Broken URLs after enabling mod_security

But since I'm on a shared host I can't change any settings. I can only turn mod_security on and off.

So can anyone tell me what might cause these error messages?

Should I turn off mod_security?


I answered:

It’s not allowing GET and HTTP/1.1? Sounds like it’s horribly misconfigured and you should turn it off until you can get it configured correctly.
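
Added example (not part of the original question or answer): a small triage script that tallies ModSecurity alerts by rule id and flagged value, separating alerts on values the policy is supposed to allow from alerts on values outside it. The `EXPECTED` table, the function names and the sample lines are assumptions made for illustration; the method list is the one the host named in the question.

```python
import re
from collections import Counter

# Fields of interest in a ModSecurity error-log entry, e.g. [id "960032"].
FIELD = re.compile(r'\[(id|data|uri) "([^"]*)"\]')

# Assumption: values the policy is meant to permit. The methods are the ones
# the host named in the question; the protocol entry is assumed for illustration.
EXPECTED = {
    "960032": {"GET", "HEAD", "POST", "OPTIONS"},  # "Method is not allowed by policy"
    "960034": {"HTTP/1.1"},                        # "HTTP protocol version is not allowed"
}

def parse(line):
    """Return the id/data/uri fields of a ModSecurity entry, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "id" in fields else None

def triage(lines):
    """Count alerts per (rule id, flagged value).

    'suspect'   = the flagged value should have been allowed, so the alert
                  points at the rule configuration rather than at the client.
    'plausible' = the flagged value is outside the expected policy.
    """
    suspect, plausible = Counter(), Counter()
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        key = (entry["id"], entry.get("data", ""))
        bucket = suspect if key[1] in EXPECTED.get(key[0], ()) else plausible
        bucket[key] += 1
    return suspect, plausible

# Constructed sample input, shortened from the entry format shown in the question.
SAMPLE = [
    '[error] [client 192.0.2.10] ModSecurity: Warning. [id "960032"] [data "GET"] [uri "/a.html"]',
    '[error] [client 192.0.2.10] ModSecurity: Warning. [id "960034"] [data "HTTP/1.1"] [uri "/a.html"]',
    '[error] [client 192.0.2.11] ModSecurity: Warning. [id "960032"] [data "POST"] [uri "/b.html"]',
    '[error] [client 192.0.2.12] ModSecurity: Warning. [id "960032"] [data "TRACE"] [uri "/"]',
    '[error] [client 192.0.2.13] File does not exist: /var/www/favicon.ico',
]

if __name__ == "__main__":
    suspect, plausible = triage(SAMPLE)
    for label, bucket in (("suspect", suspect), ("plausible", plausible)):
        for (rule_id, value), count in bucket.most_common():
            print(f"{label:9} rule {rule_id} value {value!r}: {count}")
```

A log where nearly every alert lands in the suspect bucket, as with the entries quoted in the question, is evidence to hand to the host that the rule set is flagging values its own policy should accept.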


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.