Description
Describe the bug
When Matrix clients contact my reverse-proxy apache2, they cannot send messages. These are blocked by mod-security.
Logs and dumps
Output of:
[Sat Mar 02 17:57:16.032830 2019] [:error] [pid 6747] [client 8.15.22.21:51244] [client 8.15.22.21] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "49"] [id "911100"] [rev "2"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "matrix.mydomain.de"] [uri "/_matrix/client/r0/rooms/!DdZaxZDJTknUzAcJXW:matrix.mydomain.de/typing/@myUser:matrix.mydomain.de"] [unique_id "XHq17LnPagcAABpbEhwAAAAH"]
To Reproduce
Steps to reproduce the behavior:
Sorry, I do not know what exactly is sent by the Matrix clients.
I set up a Matrix Synapse homeserver to run on my machine and use apache2 as reverse proxy.
Expected behavior
I would expect that the default ruleset is defined to allow this kind of communication.
Server (please complete the following information):
ii modsecurity-crs 3.0.0-3 all OWASP ModSecurity Core Rule Set
ii libapache2-mod-security2 2.9.1-2 amd64 Tighten web applications security for Apache
ii apache2 2.4.25-3+deb9u6 amd64 Apache HTTP Server
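Added example, not part of the original report: a small triage script that reads Apache error-log lines in the format shown above and lists which HTTP methods rule 911100 denied, grouped by URI prefix, so the methods missing from `tx.allowed_methods` can be identified before tuning. The function names `parse_line` and `method_denials`, the sample addresses and hosts, and rule id 999999 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the error-log format from the report
# (addresses, hosts, room ids and rule id 999999 are placeholders).
SAMPLE_LOG = """\
[Sat Mar 02 17:57:16.032830 2019] [:error] [pid 6747] [client 192.0.2.10:51244] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "49"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [hostname "matrix.example.org"] [uri "/_matrix/client/r0/rooms/!room:matrix.example.org/typing/@user:matrix.example.org"] [unique_id "AAAA"]
[Sat Mar 02 17:57:18.100000 2019] [:error] [pid 6747] [client 192.0.2.10:51250] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [id "911100"] [data "PUT"] [hostname "matrix.example.org"] [uri "/_matrix/client/r0/rooms/!room:matrix.example.org/send/m.room.message/1"] [unique_id "AAAB"]
[Sat Mar 02 17:58:01.000000 2019] [:error] [pid 6747] [client 192.0.2.11:40000] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [id "911100"] [data "DELETE"] [hostname "app.example.org"] [uri "/other/app/v1/item/7"] [unique_id "AAAC"]
[Sat Mar 02 17:58:05.000000 2019] [:error] [pid 6747] [client 192.0.2.12:40001] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). [id "999999"] [data "x"] [hostname "app.example.org"] [uri "/other/app/v1/item/8"] [unique_id "AAAD"]
[Sat Mar 02 17:59:00.000000 2019] [mpm_prefork:notice] [pid 6700] AH00163: Apache/2.4.25 (Debian) configured -- resuming normal operations
"""

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # matches [key "value"]
DENY_RE = re.compile(r"ModSecurity: Access denied with code (\d+) \(phase (\d)\)")

def parse_line(line):
    """Return the fields of one ModSecurity denial line, or None for other lines."""
    deny = DENY_RE.search(line)
    if not deny:
        return None
    event = {"status": int(deny.group(1)), "phase": int(deny.group(2)), "tag": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            event["tag"].append(value)   # tags repeat, keep them all
        else:
            event.setdefault(key, value)
    return event

def method_denials(log_text, rule_id="911100", depth=3):
    """Map each blocked HTTP method to the URI prefixes it was blocked on."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event.get("id") == rule_id:
            segments = event.get("uri", "").split("/")[1:depth + 1]
            hits[event.get("data", "?")].add("/" + "/".join(segments))
    return {method: sorted(prefixes) for method, prefixes in hits.items()}

if __name__ == "__main__":
    for method, prefixes in method_denials(SAMPLE_LOG).items():
        print(method, prefixes)
```
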