litespeed ignore an include

[DoM]

Hello,
on one webserver with cPanel we notice following:

inside file /usr/local/apache/conf/modsec2.user.conf we have following content after including gotrules directive:

Include /usr/local/apache/conf/modsec/*.conf

<LocationMatch .*>
SecRuleRemoveById 391213
</LocationMatch>

On more than 50 servers it works.

Just on one server this directive is ignored and rule always matched.


We have SAME IDENTICAL configuration of litespeed, apache, cPanel.

I do not understand how it's possible.

We tried also to remove completely litespeed and reinstall it but no way.

Also we notice on this server that with command ps axuwwf instead of see regular processlist like this with a SHORT PATH:

nobody 838399 0.3 0.6 220056 99900 ? Sl 01:08 0:35 \_ litespeed (lshttpd)
nobody 838400 3.3 0.6 243656 113000 ? Sl 01:08 4:57 \_ litespeed (lshttpd)
xxxxxxx 880947 11.1 0.2 410544 33820 ? S 03:36 0:03 \_ lsphp5
xxxxxxx 880976 13.0 0.4 353352 70480 ? S 03:36 0:01 \_ lsphp5me/xxxxxxx/public_html/xxxxxxx/index.php

We see always FULL PATH of lsphp5:

nobody 473560 0.5 0.5 214592 89464 ? Sl 03:32 0:01 \_ litespeed (lshttpd)
nobody 473561 2.1 0.5 222196 92232 ? Sl 03:32 0:06 \_ litespeed (lshttpd)
xxxxxxx 473572 0.0 0.1 298404 18192 ? S 03:32 0:00 \_ /usr/local/lsws/fcgi-bin/lsphp5:/home/xxxxxxx/public_html/xxxx/xxxx.php

This happen ONLY on this server on more than 50 that i repeat have same configuration.

We checked configuration automatically with our scripts and manually but no difference at all.

Waiting for your reply

Regards

 

[NiteWave]

is the LSAPI version different?

can check it by
/usr/local/lsws/fcgi-bin/lsphp5 -i |head

 

[DoM]

No same: Server API => LiteSpeed V6.1

Waiting for your reply

Regards

 

[DoM]

Do you know what it could be or where i can check about ?


Waiting for your reply

Best regards

 

[NiteWave]

yes, really puzzled per your description. have you done the force-reinstall, to ensure the problem one running latest 4.2.2 ?

 

[DoM]

Yes did it but nothing change.

Waiting for your reply

Regards

 

[DoM]

Any news ?

I also notice on ALL servers with litespeed last version ( downloaded it today ) following error message:

2013-05-17 15:14:02.495 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.495 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.495 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.495 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.495 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.495 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.496 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.496 ERROR [ModSecurity] unknown server variable while parsing: Location
2013-05-17 15:14:02.535 ERROR [ModSecurity] unknown server variable while parsing: WWW-Authenticate
2013-05-17 15:14:02.702 ERROR [ModSecurity] unknown server variable while parsing: FILES_TMPNAMES

As you can see Location directive does not work anymore.

In previous version no problem at all.


Waiting for your reply


Regards

 

[mistwang]

Please grep your mod_security rule for "Location", it is in a "SecRule ...", not in <Location ...> directive.
Please give us an example, so we can analyze.

 

[DoM]

On file modsec2.user.conf in cPanel we added following rules:


<LocationMatch .*>
SecRule REMOTE_ADDR "@pmFromFile /xxx/xxx/whitelist" "nolog,phase:1,allow,id:1000001"
</LocationMatch>

<LocationMatch .*>
# BUG - Login CMS cookie expired
SecRuleRemoveById 391213
</LocationMatch>

This is an example about.

Same problem on version 4.2.3

On FIRST version of release 4.2.2 ( not last one ), this error wss not present.

Waiting for your reply

Regards

 

[NiteWave]

please refer:
http://www.litespeedtech.com/support/forum/showthread.php?t=7145

new build of 4.2.3 has resolved an similar issue. do force-reinstall 4.2.3, see if your site ok now.