I've built a Web Application Firewall using Apache 2.4.27 and mod_security 2.9.2. The WAF is standalone, and forwards requests through to another web server using mod_rewrite with the [P] proxy directive. Everything works fine EXCEPT file uploads.
I've narrowed the file upload problem down to mod_security's SecRequestBodyAccess directive. When it's enabled, uploads fail. When it's disabled, they work.
I'm using OWASP's rule set, and I've tried various combinations of mod_security directives and OWASP's rules. Nothing seems to affect the uploads except SecRequestBodyAccess.
Problem is, I doubt the security team will allow me to run the WAF without the ability to inspect POST requests (which is the effect of disabling SecRequestBodyAccess).
Does anyone know why SecRequestBodyAccess breaks uploads and/or how I can fix it?
Here are my mod_security directives:
Include owasp-modsecurity-crs/crs-setup.conf
Include owasp-modsecurity-crs/rules/*.conf
SecRuleEngine On
SecRequestBodyLimit 262144000
SecRequestBodyNoFilesLimit 1048576
SecRequestBodyAccess On
SecResponseBodyAccess On
Thanks in advance.
-John