This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF Webserverprotection Problem

Hi there,

since two days i have a problem with my webserver. The log:

 

2018:12:27-07:50:26 2leavar2 httpd[3699]: Starting
2018:12:27-07:50:26 2leavar2 httpd[3703]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroG] does not exist
2018:12:27-07:50:26 2leavar2 httpd[3703]: Syntax OK
2018:12:27-07:50:27 2leavar2 httpd[3726]: AH00112: Warning: DocumentRoot [/var/www/REF_RevFroG] does not exist
2018:12:27-07:50:28 2leavar2 httpd[3728]: [proxy_protocol:notice] [pid 3728:tid 4147246784] ProxyProtocol: disabled on 127.0.0.1:4080
2018:12:27-07:50:28 2leavar2 httpd[3728]: [security2:notice] [pid 3728:tid 4147246784] ModSecurity for Apache/2.7.4 (http://www.modsecurity.org/) configured.
2018:12:27-07:50:29 2leavar2 httpd[3733]: [proxy_protocol:notice] [pid 3733:tid 4147246784] ProxyProtocol: disabled on 127.0.0.1:4080
2018:12:27-07:50:29 2leavar2 httpd[3733]: [mpm_worker:notice] [pid 3733:tid 4147246784] AH00292: Apache/2.4.10 (Unix) OpenSSL/1.0.2j-fips configured -- resuming normal operations
2018:12:27-07:50:29 2leavar2 httpd[3733]: [core:notice] [pid 3733:tid 4147246784] AH00094: Command line: '/usr/apache/bin/httpd'
2018:12:27-07:50:29 2leavar2 httpd[3915]: Started
2018:12:27-07:51:18 2leavar2 httpd[3921]: [proxy:error] [pid 3921:tid 4129651568] (111)Connection refused: AH00957: HTTPS: attempt to connect to 192.168.50.15:443 (192.168.50.15) failed
2018:12:27-07:51:18 2leavar2 httpd[3921]: [proxy:error] [pid 3921:tid 4129651568] AH00959: ap_proxy_connect_backend disabling worker for (192.168.50.15) for 60s
2018:12:27-07:51:18 2leavar2 httpd[3921]: [proxy_http:error] [pid 3921:tid 4129651568] [client XX.XX.XX.XX:60258] AH01114: HTTP: failed to make connection to backend: 192.168.50.15

 

When u try to connect by dns you get the following message:
 
 
 
 
This problem i get with active or inactive firewall profile.
 
Do you have any ideas to solve this issue?


This thread was automatically locked due to age.
Parents
  • ...and sometime a get this error message:

     

     

    log:

     

    2018:12:27-08:07:50 2leavar2 httpd[7490]: Restarted
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [proxy:error] [pid 7605:tid 4130110320] (111)Connection refused: AH00957: HTTPS: attempt to connect to 192.168.50.15:443 (192.168.50.15) failed
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [proxy:error] [pid 7605:tid 4130110320] AH00959: ap_proxy_connect_backend disabling worker for (192.168.50.15) for 60s
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [proxy_http:error] [pid 7605:tid 4130110320] [client XX.XX.XX.XX:60986] AH01114: HTTP: failed to make connection to backend: 192.168.50.15
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [security2:error] [pid 7605:tid 4130110320] [client XX.XX.XX.XX] ModSecurity: Warning. Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/usr/apache/conf/waf/modsecurity_crs_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 503 found within RESPONSE_STATUS: 503"] [severity "ERROR"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "HOST"] [uri "/status.php"] [unique_id "XCR6UVOHjqsAAB21ObgAAAAA"]
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [security2:error] [pid 7605:tid 4130110320] [client XX.XX.XX.XX] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:0. [file "/usr/apache/conf/waf/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available"] [data "Last Matched Data: 503"] [hostname "HOST"] [uri "/status.php"] [unique_id "XCR6UVOHjqsAAB21ObgAAAAA"]
Reply
  • ...and sometime a get this error message:

     

     

    log:

     

    2018:12:27-08:07:50 2leavar2 httpd[7490]: Restarted
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [proxy:error] [pid 7605:tid 4130110320] (111)Connection refused: AH00957: HTTPS: attempt to connect to 192.168.50.15:443 (192.168.50.15) failed
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [proxy:error] [pid 7605:tid 4130110320] AH00959: ap_proxy_connect_backend disabling worker for (192.168.50.15) for 60s
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [proxy_http:error] [pid 7605:tid 4130110320] [client XX.XX.XX.XX:60986] AH01114: HTTP: failed to make connection to backend: 192.168.50.15
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [security2:error] [pid 7605:tid 4130110320] [client XX.XX.XX.XX] ModSecurity: Warning. Pattern match "^5\\\\d{2}$" at RESPONSE_STATUS. [file "/usr/apache/conf/waf/modsecurity_crs_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 503 found within RESPONSE_STATUS: 503"] [severity "ERROR"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [hostname "HOST"] [uri "/status.php"] [unique_id "XCR6UVOHjqsAAB21ObgAAAAA"]
    2018:12:27-08:08:01 2leavar2 httpd[7605]: [security2:error] [pid 7605:tid 4130110320] [client XX.XX.XX.XX] ModSecurity: Access denied with code 403 (phase 4). Pattern match "(.*)" at TX:0. [file "/usr/apache/conf/waf/modsecurity_crs_outbound_blocking.conf"] [line "24"] [id "981200"] [msg "Outbound Anomaly Score Exceeded (score 4): Last Matched Message: The application is not available"] [data "Last Matched Data: 503"] [hostname "HOST"] [uri "/status.php"] [unique_id "XCR6UVOHjqsAAB21ObgAAAAA"]
Children
  • "Connection refused:" and "The application is not available" mean that the backend server at 192.168.50.15 does not want to talk to UTM.  It sounds like the server is up but giving a negative response.

    Possibilities that come to mind:

    • Backend server's Webserver is not running
    • Backend server's webserver is running, but the website for the requested host name is stopped, deleted, or non-existent
    • Backend server or webserver have been modified, and its enabled ciphersuites are now completely different from any of UTM's enabled ciphersuites 
  • Thanks for your ideas...

    Sometimes it works for minutes, but sometimes it stucks...