
Apache mod_security blocking rewrite http to https (and www to non-www)


httpd-vhosts.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "c:/wamp64/www/mysite"
    Alias /.well-known c:/wamp64/www/mysite/.well-known
    RewriteEngine On
    RewriteRule ^ https://example.com [L,R=301]
</VirtualHost>

httpd-ssl.conf

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/example.com-key.pem"
    DocumentRoot "c:/wamp64/www/mysite"
    <Directory "c:/wamp64/www/mysite/">
        Options +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Order Deny,Allow
        Allow from all
        Require all granted
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%1%{REQUEST_URI} [L,NE,R=301]
    </Directory>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri='https://example.com/'"
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"
</VirtualHost>

#

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/www.example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/www.example.com-key.pem"
    DocumentRoot "c:/wamp64/www/mysite"
    <Directory "c:/wamp64/www/mysite/">
        Options +Includes +FollowSymLinks +MultiViews
        AllowOverride All
        Order Deny,Allow
        Allow from all
        Require all granted
    </Directory>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header always set Expect-CT "enforce, max-age=300, report-uri='https://example.com/'"
    Header set Access-Control-Allow-Origin "*"
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set X-Content-Type-Options: "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer"

    RewriteEngine On
    RewriteRule ^ https://example.com [L,R=301]
</VirtualHost>

Without mod_security2 everything works without problems.
When mod_security2 is on, redirects are blocked (403).
When I add this to httpd.conf:

SecRuleRemoveById 959100

redirects work again.
Please help, as I know it is not safe to remove this rule.
Thank you



Source: https://stackoverflow.com/questions/70551655/apache-mod-security-blocking-rewrite-http-to-https-and-www-to-non-www
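
One way to narrow the exclusion instead of removing the rule server-wide in httpd.conf, shown as an added example that is not part of the original question: place SecRuleRemoveById only inside the two vhosts that do nothing but redirect. It assumes the rule set containing id 959100 is loaded in the main server config before these vhosts are read, and that the module is loaded as security2_module.

```apache
# Added example, not from the original post.
# Assumption: the rule set that defines id 959100 is included in the main
# server config before these vhosts, so the removal below can find the rule.

# Redirect-only vhost: every request is answered with a 301.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot "c:/wamp64/www/mysite"
    Alias /.well-known c:/wamp64/www/mysite/.well-known

    <IfModule security2_module>
        # Exclusion is limited to this vhost.
        SecRuleRemoveById 959100
    </IfModule>

    RewriteEngine On
    RewriteRule ^ https://example.com [L,R=301]
</VirtualHost>

# Redirect-only vhost for www over TLS.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile "C:/wamp64/cert/www.example.com-chain.pem"
    SSLCertificateKeyFile "C:/wamp64/cert/www.example.com-key.pem"

    <IfModule security2_module>
        SecRuleRemoveById 959100
    </IfModule>

    RewriteEngine On
    RewriteRule ^ https://example.com [L,R=301]
</VirtualHost>

# The content-serving vhost (ServerName example.com on *:443) gets no
# exclusion, so rule 959100 stays active for the site itself.
```

After a config test and restart, the ModSecurity audit log for a blocked request on the remaining vhost still shows which rule fired, which is the place to look before widening any exclusion.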
