What's Actually Happening

The ModSecurity WAF running in Apache is blocking legitimate requests, so users see 403 Forbidden errors for valid traffic.

The Error You'll See

```bash
# Apache error log:
[error] [client 192.168.1.1] ModSecurity: Access denied with code 403
(pattern match "SQL Injection" at REQUEST_URI)
```

Why This Happens

  1. False positive - A rule matches legitimate content
  2. Rule too strict - OWASP CRS rules are aggressive
  3. Missing whitelist - A valid path is not excluded
  4. Encoding issues - The request encoding triggers a rule

Step 1: Check ModSecurity Logs

```bash
# View audit log:
tail -f /var/log/apache2/modsec_audit.log

# Check error log:
grep ModSecurity /var/log/apache2/error.log
```

Step 2: Identify Triggered Rule

```bash
# Find rule ID in logs:
# [id "942100"] SQL Injection Attack Detected
```

Step 3: Disable or Modify Rule

```apache
# In Apache config (removes the rule for everything this config covers):
SecRuleRemoveById 942100

# Or for a specific location only:
<Location /api/>
    SecRuleRemoveById 942100
</Location>
```

Step 4: Whitelist Request

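```apache
# Whitelist specific path:
# ctl:ruleEngine=Off turns off every rule for matching requests, not only the one that fired.
SecRule REQUEST_URI "@beginsWith /api/webhook" "id:1000,phase:1,pass,nolog,ctl:ruleEngine=Off"
```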
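
Before choosing between the exclusions in Step 3 and Step 4, it helps to see which rule ID fires on which path and for how many distinct clients. The following is an added example, not part of the original article: `sample_log` and `modsec_rule_hits` are hypothetical names, the log lines are constructed, and it assumes denials carry the `[id "…"]` and `[uri "…"]` tags that ModSecurity writes to the Apache error log.

```shell
#!/bin/sh
# Constructed sample lines shaped like the error-log excerpt above.
sample_log() {
cat <<'EOF'
[Mon Jan 01 10:00:01 2024] [error] [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected"] [uri "/api/search"]
[Mon Jan 01 10:00:02 2024] [error] [client 192.168.1.7] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected"] [uri "/api/search"]
[Mon Jan 01 10:00:03 2024] [error] [client 192.168.1.1] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected"] [uri "/api/search"]
[Mon Jan 01 10:00:04 2024] [error] [client 192.168.1.9] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected"] [uri "/api/webhook"]
[Mon Jan 01 10:00:05 2024] [error] [client 192.168.1.9] ModSecurity: Access denied with code 403 (phase 1). [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"]
[Mon Jan 01 10:00:06 2024] [error] [client 192.168.1.1] File does not exist: /var/www/favicon.ico
EOF
}

# Print "hits distinct_clients rule_id uri", most frequent first.
# Reads the files given as arguments, or stdin when there are none.
modsec_rule_hits() {
  awk '
    /ModSecurity: Access denied/ {
      # Skip denials that lack the tags we group on.
      if (!match($0, /\[id "[0-9]+"\]/)) next
      id = substr($0, RSTART + 5, RLENGTH - 7)
      if (!match($0, /\[uri "[^"]*"\]/)) next
      uri = substr($0, RSTART + 6, RLENGTH - 8)
      client = "-"
      if (match($0, /\[client [^]]+\]/)) {
        client = substr($0, RSTART + 8, RLENGTH - 9)
        sub(/:[0-9]+$/, "", client)   # drop the port Apache 2.4 appends (IPv4 assumed)
      }
      key = id " " uri
      hits[key]++
      if (!((key, client) in seen)) { seen[key, client] = 1; clients[key]++ }
    }
    END { for (k in hits) print hits[k], clients[k], k }
  ' "$@" | sort -k1,1nr -k3,3
}

sample_log | modsec_rule_hits
```

Against a real server, call `modsec_rule_hits /var/log/apache2/error.log`. A rule that fires for several clients on a single path is the usual false-positive shape, and its ID and path are the values to scope a `<Location>` exclusion to.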

ModSecurity Checklist

| Check | Location | Expected |
|---|---|---|
| Audit log | modsec_audit.log | Readable |
| Rule ID | error log | Identified |
| Whitelist | config | Correct |

Verify the Fix

```bash
curl -I https://example.com/api/
# Output: HTTP/1.1 200 OK
```