Maybe someone with experience or basic knowledge who knows what they're doing (unlike me :)) can help....
Currently, I have an Ubuntu 20.04 installation with OpenLiteSpeed and CyberPanel.
I've installed Plausible Analytics via a Docker container on pa.domain1.com and noticed that when I visit the address pa.domain1.com/domain2.com (basically the URL of domain2, which I'm tracking) it gives me a mod_sec log entry:
ModSecurity: Warning. Matched "Operator `Within' with parameter `.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .ln (150 characters omitted)' against variable `TX:EXTENSION' (Value: `.com/' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1015"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "pa.domain1.com"] [uri "/domain2.com"] [unique_id "16959174363.819657"] [ref "o11,4o12,3v5,15o71,5t:urlDecodeUni,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "pa.domain1.com"] [uri "/domain2.com"] [unique_id "16959174363.819657"] [ref ""]
And from that log I concluded that rules 9 & 18 (REQUEST-920-PROTOCOL-ENFORCEMENT.conf & REQUEST-949-BLOCKING-EVALUATION.conf) are being tripped, which I get. There is a different domain after the /, and that does seem very dubious at first, but it is correct.
Hence, I've deactivated rules 9 & 18. Now I can access the URL pa.domain1.com/domain2.com.
However, I don't want to leave these 2 rules deactivated as a whole, just create an exception. Luckily for me, as a complete Linux noob, I can add a mod_sec rule in CyberPanel and hit save.
But I do not know what that rule is supposed to look like or how to create it. Ideally, it would also be flexible enough that I don't have to add another rule for pa.domain1.com/domain3.com, pa.domain1.com/domain4.com, etc. Can anyone let me know the rule that would whitelist my scenario?
Bonus points:
Somewhat related (I think). In my plausible.env file, it requires port 127.0.0.1:8000:8000. Currently, I have that port open (IN & OUT) in CSF. Otherwise, I cannot access the analytics site at pa.domain1.com. This did not seem to work. And from what I read, one shouldn't leave ports wide open if not absolutely necessary. As this application runs via 127.0.0.1, shouldn't it be able to run without those ports open to the world?
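An added example of the kind of exclusion the post is asking for; this is not from the original post, from Plausible or from CyberPanel. It assumes OWASP CRS 3.3.x (as the log shows), that the Plausible dashboard is the only thing served on pa.domain1.com, and that rule id 10001 is a free id in the user range (1-99999). It targets only 920440: the log shows 949110 blocking purely because 920440 contributed 5 anomaly points, so once 920440 is skipped for these requests the score is 0 and 949110 needs no exception of its own. Because the exclusion runs in phase 1 and 920440 runs in phase 2, it takes effect regardless of where in the config the rule is loaded.

```apache
# Added example, not part of the original post or of any project's own config.
# Assumed: OWASP CRS 3.3.x, Plausible served on pa.domain1.com, id 10001 unused.
#
# Both conditions must hold for the exclusion to fire:
#   1. the request is for the Plausible vhost (Host header, optional :port)
#   2. the path is a single segment that looks like a domain name, with an
#      optional trailing slash, e.g. /domain2.com or /sub.domain3.co.uk
# The ctl action sits on the last rule of the chain so it only runs when the
# whole chain matched. It removes 920440 for this transaction only; the rule
# stays active for every other request on this and all other vhosts.
SecRule REQUEST_HEADERS:Host "@rx ^pa\.domain1\.com(:\d+)?$" \
    "id:10001,phase:1,pass,nolog,t:none,t:lowercase,chain"
    SecRule REQUEST_FILENAME "@rx ^/[a-z0-9][a-z0-9-]*(\.[a-z0-9-]+)*\.[a-z]{2,}/?$" \
        "t:none,t:lowercase,ctl:ruleRemoveById=920440"
```

The path regex is deliberately narrow: 920440 keys on the file extension of the last path segment, so deeper dashboard paths such as /domain2.com/settings have a basename with no restricted extension and never trip it, and a request like /backup.bak is still blocked because "bak" is matched only as an extension, not as a trailing TLD-like label of a domain name... except that it is, so if you want to be strict, replace `[a-z]{2,}` with an explicit list of the TLDs you actually track (e.g. `(com|net|org)`). After adding the rule, confirm with the same request that the 920440 entry no longer appears in the ModSecurity log while a request such as /x.bak on another vhost still does.

On the bonus question: a Docker port mapping of 127.0.0.1:8000:8000 binds the host side of the container port to the loopback address only, so it is not reachable from other machines in the first place, and the reverse proxy for pa.domain1.com talks to it locally on 127.0.0.1:8000. Public traffic only needs to reach the web server's 80/443; no CSF inbound rule for 8000 is required for that.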