flask – In OAuth2, if a client should not share its access token, then how can multiple clients access the same resource?

I’m creating a React SPA with a Flask backend with Discord OAuth2 login. I want the Discord user ID of the current user to be available to Flask, and to use the SPA to display info about the user such as username and profile picture.

If I set up a login page via Flask, I can get info about the signed-in user by querying the Discord current-user API.
But how do I get the name and profile picture in the SPA? I could give the access token obtained by Flask to the SPA, but token sharing is not recommended.

Another approach is the implicit grant flow, where the SPA gets the access token and gives it to Flask. Flask can then check who logged in.
This also involves token sharing among OAuth2 clients, which is not recommended.

I’m not sure how to get an access token for both Flask and the SPA without the user having to sign in multiple times.
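One way to avoid handing a token to either side is the "backend for frontend" pattern, shown here as an added example (not code from the question): Flask stays the only OAuth2 client, keeps the Discord token server-side, and the SPA gets an opaque session id plus a filtered `/api/me` response. The two Discord calls (code exchange and `/users/@me`) are injected callables with constructed responses so the example runs offline; Flask route and cookie wiring is assumed and omitted.

```python
import secrets
from typing import Callable, Dict

# Injected stand-ins for the two Discord calls the backend makes: redeeming the
# authorization code for a token, and GET /users/@me with that token. In a real
# deployment these are HTTPS requests; here they are callables so the example
# runs offline. Flask route wiring (session cookie in/out) is omitted.
TokenExchange = Callable[[str], str]          # auth code -> access token
UserFetch = Callable[[str], Dict[str, str]]   # access token -> user profile


class BackendForFrontend:
    """Server-side half of the 'backend for frontend' pattern.

    The backend is the only OAuth2 client. It keeps the Discord access token
    in its own state and gives the SPA an opaque session id (to be sent back
    as an HttpOnly cookie). The SPA asks the backend for profile data instead
    of holding a token, so no token is shared between two clients.
    """

    def __init__(self, exchange: TokenExchange, fetch_user: UserFetch):
        self._exchange = exchange
        self._fetch_user = fetch_user
        self._sessions: Dict[str, str] = {}   # session id -> access token

    def finish_login(self, auth_code: str) -> str:
        """OAuth2 callback: redeem the code, keep the token, return a session id."""
        token = self._exchange(auth_code)
        session_id = secrets.token_urlsafe(32)   # unguessable; never the token
        self._sessions[session_id] = token
        return session_id

    def me(self, session_id: str) -> Dict[str, str]:
        """GET /api/me for the SPA: a filtered profile, no token material."""
        token = self._sessions.get(session_id)
        if token is None:
            raise PermissionError("no active session")
        user = self._fetch_user(token)
        return {k: user[k] for k in ("id", "username", "avatar")}

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


# Constructed fake Discord responses for a stand-alone run (not real values).
FAKE_TOKENS = {"code-123": "access-token-constructed"}
FAKE_USERS = {
    "access-token-constructed": {
        "id": "123456789012345678",
        "username": "example_user",
        "avatar": "avatarhash-constructed",
        "email": "user@example.invalid",   # must not reach the SPA
    }
}


def demo() -> Dict[str, str]:
    bff = BackendForFrontend(FAKE_TOKENS.__getitem__, FAKE_USERS.__getitem__)
    return bff.me(bff.finish_login("code-123"))


if __name__ == "__main__":
    print(demo())
```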

Client Created Dispute For Renewal Payment


Hi everyone,

I don’t know if you have faced this kind of issue or not, but I need everyone’s suggestions.

A client purchased web hosting from us around 1 year ago, paid with PayPal and also subscribed to auto-renewal.

A few days ago his service was auto-renewed, and after 2 days he started asking for a refund. When we told him that renewals are not refundable as per our terms, he created a PayPal dispute.

Has anyone faced the same kind of issue? Feel free to let me know what you did.

Also, if we want to win the dispute, which kind of proof do we need to share with PayPal?

Thank You.

natan

ssl – ProFTPD – TLS – Client does not support any cipher

I am running Ubuntu Server 20.04 and proftpd 1.36 and have an issue setting up TLS.

I have followed the guide in the config file, but I get a very odd error: that there is no supported cipher. Then the process breaks with a handshake error. The SSL ClientHello message includes a lot of ciphers that are recognised and that are on the machine.

TLS log:

2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL sessions attempted: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL sessions established: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL sessions renegotiated: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL sessions resumed: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL sessions in cache: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL session cache hits: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL session cache misses: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL session cache timeouts: 0
2020-06-29 18:16:30,457 mod_tls/2.7(87378): (stat): SSL session cache size exceeded: 0
2020-06-29 18:16:35,242 mod_tls/2.7(87910): TLSOption EnableDiags enabled, setting diagnostics callback
2020-06-29 18:16:35,245 mod_tls/2.7(87910): error initializing OpenSSL context for this session
2020-06-29 18:16:35,247 mod_tls/2.7(87910): TLS/TLS-C requested, starting TLS handshake
2020-06-29 18:16:35,247 mod_tls/2.7(87910): (info) (unknown): before SSL initialization
2020-06-29 18:16:35,247 mod_tls/2.7(87910): (info) accepting: before SSL initialization
2020-06-29 18:16:35,247 mod_tls/2.7(87910): (info) accepting: before SSL initialization
2020-06-29 18:16:35,255 mod_tls/2.7(87910): (msg) received protocol record message (5 bytes)
2020-06-29 18:16:35,255 mod_tls/2.7(87910): (info) accepting: before SSL initialization
2020-06-29 18:16:35,255 mod_tls/2.7(87910): (msg) received TLSv1.3 'ClientHello' Handshake message (368 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (msg)
ClientHello:
  client_version = TLS 1.2
  random:
    gmt_unix_time = Thu Oct 20 14:46:18 1904 (not guaranteed to be accurate)
    random_bytes (28 bytes)
      5820ebe66e5afa9ec7d9cfc5d69fd7b97698ba054091bd338c918587
  session_id (0 bytes)
  cipher_suites (58 bytes)
    TLS_AES_256_GCM_SHA384
    TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_GCM_SHA256
    (unknown/unsupported)
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    (unknown/unsupported)
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    (unknown/unsupported)
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    (unknown/unsupported)
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (unknown/unsupported)

    TLS_RSA_WITH_AES_256_CBC_SHA
    (unknown/unsupported)
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    (unknown/unsupported)
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    (unknown/unsupported)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    (unknown/unsupported)
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    (unknown/unsupported)
  compression_methods (1 byte)
    None
  extensions (265 bytes)
    extension_type = status_request (5 bytes)
    extension_type = elliptic_curves (22 bytes)
    extension_type = ec_point_formats (2 bytes)
    extension_type = signature_algorithms (34 bytes)
    extension_type = encrypt_then_mac (0 bytes)
    extension_type = extended_master_secret (0 bytes)
    extension_type = session_ticket (0 bytes)
    extension_type = key_share (139 bytes)
    extension_type = supported_versions (9 bytes)
    extension_type = renegotiate (1 byte)
    extension_type = psk_kex_modes (3 bytes)
    extension_type = (unknown/unsupported) (2 bytes)

2020-06-29 18:16:35,256 mod_tls/2.7(87910): (msg) sent protocol record message (5 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (msg) sent TLSv1.2 fatal 'handshake_failure' Alert message (2 bytes)
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (info) writing: SSL/TLS alert fatal: handshake failure
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (info) accepting: error
2020-06-29 18:16:35,256 mod_tls/2.7(87910): unable to accept TLS connection: protocol error:
  (1) error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2020-06-29 18:16:35,256 mod_tls/2.7(87910): unable to accept TLS connection: client does not support any cipher from 'TLSCipherSuite DEFAULT:!ADH:!EXPORT:!DES' (see `openssl ciphers DE>
2020-06-29 18:16:35,256 mod_tls/2.7(87910): TLS/TLS-C negotiation failed on control channel
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL sessions attempted: 1
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL sessions established: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL sessions renegotiated: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL sessions resumed: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL sessions in cache: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL session cache hits: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL session cache misses: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL session cache timeouts: 0
2020-06-29 18:16:35,256 mod_tls/2.7(87910): (stat): SSL session cache size exceeded: 0

Output of openssl

openssl ciphers -v 'DEFAULT:!ADH:!EXPORT:!DES'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1

As you can see, there are plenty of matching ciphers. So why do I get this error?

---------- Bonus info ----------
I have tried changing the cipher to a single cipher, and to every cipher; still the same error.
I have tried changing the protocol; still the same error.
Google has not helped me find a solution; all errors seem to be about actually missing certificates, or are not related.
proftpd TLS config, for completeness’ sake:

#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS imposes some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#

<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
#
# Server SSL certificate. You can generate a self-signed certificate using 
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key 
# chmod 0640 /etc/ssl/private/proftpd.key
# 
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
#
# CA the server trusts...
#TLSCACertificateFile            /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
TLSOptions                      NoCertRequest EnableDiags 
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions                             AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient                         off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                             auth
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>
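A simplified model of OpenSSL's server-side cipher suite selection, added here as an illustration (not ProFTPD or OpenSSL code), to show how two overlapping lists can still end in "no shared cipher": a TLS 1.2 suite is usable only if the server holds a certificate whose key type matches the suite's Au column, and OpenSSL 1.1.1 (the version shipped with Ubuntu 20.04) negotiates TLS 1.3 only when a certificate or PSK callback is available. The server list is a subset of the `openssl ciphers -v` output above, the client list is taken from the ClientHello in the log, and the name mapping covers only those suites.

```python
# IANA suite names as printed in the mod_tls ClientHello dump, mapped to the
# OpenSSL names printed by `openssl ciphers -v`, for suites that appear above.
IANA_TO_OPENSSL = {
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}

# Subset of the `openssl ciphers -v 'DEFAULT:!ADH:!EXPORT:!DES'` output above.
OPENSSL_CIPHERS_V = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# The recognised suites from the ClientHello in the TLS log above.
CLIENT_HELLO_SUITES = [
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
]


def parse_openssl_ciphers(output):
    """Parse `openssl ciphers -v` lines into {name: (protocol, Au)}."""
    table = {}
    for line in output.strip().splitlines():
        name, proto, *attrs = line.split()
        props = dict(a.split("=", 1) for a in attrs)
        table[name] = (proto, props["Au"])
    return table


def shared_ciphers(client_suites, server_table, server_auth):
    """Suites the server can really use, given the credentials it holds.

    server_auth: key types of the server certificate(s) that loaded, e.g.
    {"RSA"}; an empty set models a certificate that failed to load. OpenSSL
    1.1.1 offers TLS 1.3 only with a certificate (or PSK callback), so with
    none the TLS 1.3 suites drop out and every TLS 1.2 suite needs RSA,
    ECDSA or PSK credentials the server does not have.
    """
    shared = []
    for iana in client_suites:
        name = IANA_TO_OPENSSL.get(iana)
        if name not in server_table:
            continue                      # filtered out by TLSCipherSuite
        proto, auth = server_table[name]
        if proto == "TLSv1.3":
            if server_auth:
                shared.append(name)
        elif auth in server_auth:
            shared.append(name)
    return shared


SERVER = parse_openssl_ciphers(OPENSSL_CIPHERS_V)
WITH_RSA_CERT = shared_ciphers(CLIENT_HELLO_SUITES, SERVER, {"RSA"})  # 7 suites
NO_CERT_LOADED = shared_ciphers(CLIENT_HELLO_SUITES, SERVER, set())   # [] -> "no shared cipher"
```

In the log above, the line "error initializing OpenSSL context for this session" appears before the handshake even starts, which is the condition the empty-set case models; checking why the certificate and key did not load is the place to start, before the cipher lists.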

linux – CentOS 8 – How can I set a client to use a dns server for all domains and one dns for a particular domain?

I’m currently struggling to configure Linux (CentOS 8) in a special way.
The goal is that my client ALWAYS asks a public DNS server for everything that is not “example.local”. “example.local” should be resolved by an internal DNS.

How can I do that without using a “fallback” DNS?

Does using a VPS hide the client identity on the web?

I know that a VPS provider can track the client connected to a VPS (This Q/A) using RDP (Remote Desktop Protocol). But my question is about websites accessed from the VPS using a browser. Can they know anything about the main client (IP/location/local time etc.) behind the RDP through the browser’s HTTP (or HTTPS or any other) protocols?


port forwarding – AWS EC2 WIN2016OpenVPN server to forward incoming connection to OpenVPN Client

Scenario:

OpenVPN server running on aws ec2 t2.micro Windows Server 2016
MS-SQL server running on Windows Server connected to aws OpenVPN as Client
MS-SQL Server <===TUN0===> aws/OpenVPN

Question:

How can I configure the AWS instance to forward incoming connection requests arriving at its interface on port 1433 to the OpenVPN client’s (MS-SQL Server’s) tun0 interface on port 1433?

sharepoint online – Content editor web part issue in PNP Modernization from classic publishing page to modern client side page

I am using the PnP modernization framework (.NET) to transform classic SharePoint Online publishing pages to modern client-side pages.

The classic publishing page contains a content editor web part in which HTML markup is written with CSS class names, and the CSS file is referenced in the script editor web part that exists on the same page.

As there is no script editor web part in a modern site, I am using the community script editor to transform the script editor web part. I am also using the community script editor web part to transform the content editor web part from the classic publishing page.

I am able to successfully transform the classic page to modern; however, when I open the transformed client-side page in edit mode, the sections on the page automatically convert to the text editor web part and the custom CSS classes are lost.

Has anyone faced a similar issue, or can anyone guide me on how I can fix this issue?

This is kind of urgent and quick response will be highly appreciated. Let me know if more details are required.

Many Thanks.

cisco vpn client – Browsing outside VPN

My company asks me to connect through a VPN client (Cisco), but when I do I lose access to a bunch of sites.

In a solution I found here, installing OpenConnect solved the issue, as it uses the same protocol and I found that browsing is not blocked this way.

I thought that was a win, but checking my speed at speedtest.net I saw that my external IP was still the one VPN assigned and that my speed was very limited compared to my home ISP plan.

At first, I assumed that even though my browsing is not blocked, the traffic is still being routed through the VPN. But an interesting fact is that if I download a large file while on the OpenConnect VPN, the speed is fast, and when I did the same on the Cisco VPN it would take an eternity.

How can I be certain which network I am using while browsing and listening to music streams while connected to the OpenConnect VPN? What can explain the difference in speeds?

Below is my route print result (edited to mask addresses):

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        0.0.0.0            0.0.0.0       192.x.x.x       192.x.x.y     26
        0.0.0.0            0.0.0.0        10.x.x.x       10.x.x.y      2
        10.x.x.x     255.255.255.0         On-link       10.x.x.y    257
        10.x.x.x   255.255.255.255         On-link       10.x.x.x    257
        10.x.x.x   255.255.255.255         On-link       10.x.x.x    257
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link       127.0.0.1    331
        127.x.x.x  255.255.255.255         On-link       127.0.0.1    331
        169.x.x.x      255.255.0.0         On-link       169.x.x.x    281
        169.x.x.x  255.255.255.255         On-link       169.x.x.x    281
        169.x.x.x  255.255.255.255         On-link       169.x.x.x    281
        172.x.x.x  255.255.255.240         On-link       172.x.x.x   5256
        172.x.x.x  255.255.255.255         On-link       172.x.x.x   5256
        172.x.x.x  255.255.255.255         On-link       172.x.x.x   5256
        177.x.x.x  255.255.255.255       192.x.x.x       192.x.x.x     26
        192.x.x.x    255.255.255.0         On-link       192.x.x.x    281
        192.x.x.x  255.255.255.255         On-link       192.x.x.x    281
        192.x.x.x  255.255.255.255         On-link       192.x.x.x    281
        224.0.0.0        240.0.0.0         On-link       127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       10.x.x.x    257
        224.0.0.0        240.0.0.0         On-link       169.x.x.x    281
        224.0.0.0        240.0.0.0         On-link       192.x.x.x    281
        224.0.0.0        240.0.0.0         On-link       172.x.x.x   5256
  255.255.255.255  255.255.255.255         On-link       127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       10.x.x.x    257
  255.255.255.255  255.255.255.255         On-link       169.x.x.x    281
  255.255.255.255  255.255.255.255         On-link       192.x.x.x    281
  255.255.255.255  255.255.255.255         On-link       172.x.x.x   5256
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.x.x.x       1
===========================================================================
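An added example (not from the post) that applies Windows route selection, longest prefix match first and lowest metric on a tie, to a constructed route table shaped like the one above: the two 0.0.0.0 rows are the interesting part, because the tunnel's default route (metric 2) beats the home gateway's (metric 26) for ordinary internet destinations, while a /32 host route for the VPN server itself still goes out via the home LAN. The addresses are made up (RFC 1918 and TEST-NET-3); the table format follows `route print`.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str          # "On-link" or a next-hop address
    interface: str
    metric: int


# Constructed `route print` excerpt: home LAN 192.168.1.0/24, VPN tunnel
# 10.8.0.0/24, and a host route for the VPN server's public address
# (203.0.113.10, a documentation address) pinned to the home gateway.
ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.20     26
          0.0.0.0          0.0.0.0        10.8.0.1        10.8.0.5      2
         10.8.0.0    255.255.255.0         On-link        10.8.0.5    257
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
     203.0.113.10  255.255.255.255     192.168.1.1    192.168.1.20     26
      192.168.1.0    255.255.255.0         On-link    192.168.1.20    281
        224.0.0.0        240.0.0.0         On-link    192.168.1.20    281
  255.255.255.255  255.255.255.255         On-link    192.168.1.20    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.8.0.1       1
===========================================================================
"""


def parse_route_print(text: str) -> List[Route]:
    """Parse the 'Active Routes' rows (five columns) of `route print` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue   # headers, separators and 4-column persistent routes
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Windows picks the longest prefix match; ties go to the lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


ROUTES = parse_route_print(ROUTE_PRINT)

if __name__ == "__main__":
    for dest in ("8.8.8.8", "203.0.113.10", "192.168.1.50"):
        r = select_route(ROUTES, dest)
        print(dest, "->", r.gateway, "via", r.interface, "metric", r.metric)
```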






apache2 – ModSecurity blocks legitimate client requests

Randomly, ModSecurity blocks legitimate client requests, giving error 403. Here is part of the modsec_audit.log:

--d6e99f36-A--
(21/Jun/2020:07:14:45 +0100) Xu761X8AAAEAADI1YrAAAABQ xxx.xxx.xxx.xxx 60036 xxx.xxx.xxx.xxx 443
--d6e99f36-B--
GET /s/p.json?eyJ0IjoyLjksImYiOnsiZmxpX3BsIjoiYXNwZXJzb3IiLCJmbGlfZyI6LTEsImZsaV9jIjotMSwiZmxpX20iOjAsImZsaV9hIjoyMDE1fSwiY3NyZiI6ImE5MDMwMDkxLTBlZjg$
Host: fneon.eu
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/
Content-Type: application/json,charset=UTF-8
DNT: 1
Connection: keep-alive
Cookie: jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyYzMwOGQwYTc5NGEyZWU2MjMxYzI2M2EyYWMzNjkwMCIsImV4cCI6MTU5MzY0NDQwMCwiaWF0IjoxNTkyNzE5ODg1$
Pragma: no-cache
Cache-Control: no-cache

--d6e99f36-F--
HTTP/1.1 403 Forbidden
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Content-Length: 199
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--d6e99f36-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

--d6e99f36-H--
Apache-Error: (file "mod_evasive20.c") (line 259) (level 3) client denied by server configuration: %s
Apache-Handler: proxy-server
Stopwatch: 1592720085355364 815 (- - -)
Stopwatch2: 1592720085355364 815; combined=42, p1=35, p2=0, p3=1, p4=0, p5=5, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--d6e99f36-Z--

Here is my configuration (only the changes):

/etc/modsecurity/modsecurity.conf

SecRuleEngine On
SecResponseBodyAccess Off
# 5242880 bytes = 5 MiB
SecRequestBodyLimit 5242880

/etc/apache2/mods-enabled/evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        10
    DOSSiteCount        75
    DOSPageInterval     5
    DOSSiteInterval     1
    DOSBlockingPeriod   3000
    DOSWhitelist 127.0.0.1 
    DOSWhitelist xxx.xxx.xxx.xxx 
    DOSWhitelist  xxx.xxx.xxx.xxx 
    DOSWhitelist xxx.xxx.xxx.xxx
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>

/etc/apache2/conf-enabled/security.conf 
ServerTokens Prod 

One way to reproduce the problem is when the client makes this type of request:

https://example.com/s/p.json?eyJ0IjoyLjksImYiOnsiZmxpX3BsIjoiYXNwZXJzb3IiLCJmbGlfZyI6LTEsImZsaV9jIjotMSwiZmxpX20iOjAsImZsaV9hIjoyMDExfSwiY3NyZiI6ImE5MDMwMDkxLTBlZjgtNDcyOC05YjQ1LTU1MWY3M2U5YjQ5MCJ9

…which in my case is a legitimate request.
Can anyone tell me how to solve this problem? Thank you.
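An added triage example (not from the question) that splits one serial-format audit entry like the one above into its parts and reads part H to say which module produced the 403: a ModSecurity rule leaves `Message:` lines with an `[id "..."]`, whereas here the only evidence is an `Apache-Error:` line naming `mod_evasive20.c`, which points at the mod_evasive thresholds (DOSPageCount/DOSPageInterval in the posted config) rather than a ModSecurity rule. The sample entry is constructed in the page's format with documentation addresses and a shortened query string; the regex accepts both the bracket form ModSecurity writes and the parenthesis form shown above.

```python
import re
from typing import Dict

# Constructed excerpt in the shape of the modsec_audit.log shown above
# (serial format: --<id>-<part>-- boundaries; parts A, B, F, H, Z).
SAMPLE_AUDIT = """\
--d6e99f36-A--
[21/Jun/2020:07:14:45 +0100] Xu761X8AAAEAADI1YrAAAABQ 198.51.100.7 60036 192.0.2.10 443
--d6e99f36-B--
GET /s/p.json?eyJ0IjoyLjksImYiOnsiZmxpX3BsIjoiYXNwZXJzb3IifX0 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

--d6e99f36-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--d6e99f36-H--
Apache-Error: [file "mod_evasive20.c"] [line 259] [level 3] client denied by server configuration: %s
Apache-Handler: proxy-server
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/).
Engine-Mode: "ENABLED"

--d6e99f36-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)


def split_audit_entry(text: str) -> Dict[str, str]:
    """Return {part letter: body} for one serial-format audit log entry."""
    parts = {}
    marks = list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        parts[m.group(2)] = text[m.end():end].strip("\n")
    return parts


def attribute_block(entry: Dict[str, str]) -> Dict[str, str]:
    """Decide which Apache module produced the response status recorded in part F.

    A block by a ModSecurity rule leaves 'Message: ... [id "NNN"]' lines in
    part H. An 'Apache-Error:' line naming another module's source file
    (here mod_evasive20.c) means ModSecurity only logged the denial.
    """
    h = entry.get("H", "")
    rule_ids = re.findall(r'Message: .*?\[id "(\d+)"\]', h)
    # The page's copy shows (file "...") where ModSecurity writes [file "..."].
    src = re.search(r'Apache-Error: [\[(]file "([^"]+)"[\])]', h)
    status = re.match(r"HTTP/\d\.\d (\d{3})", entry.get("F", ""))
    if rule_ids:
        blocked_by = "modsecurity-rule"
    else:
        blocked_by = src.group(1) if src else "unknown"
    return {
        "status": status.group(1) if status else "",
        "blocked_by": blocked_by,
        "rule_ids": ",".join(rule_ids),
    }


if __name__ == "__main__":
    print(attribute_block(split_audit_entry(SAMPLE_AUDIT)))
```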