Skip to content

SecResponseBodyAccess Off does not have an effect #1643

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
zoltan-fedor opened this issue Jan 2, 2018 · 3 comments
Closed

SecResponseBodyAccess Off does not have an effect #1643

zoltan-fedor opened this issue Jan 2, 2018 · 3 comments
Assignees
@victorhora
Labels
3.x Related to ModSecurity version 3.x
Milestone
v3.0.3

Comments

@zoltan-fedor
Copy link

Hey,

We had to turn off SecResponseBodyAccess due to the lack of SecDisableBackendCompression flag in libmodsecurity (and/or NGinx connector) (see #1470), but simply setting the SecResponseBodyAccess flag to Off had no effect, we also had to set the SecResponseBodyMimeType to some non-existent type to stop the response body being inspected.

NGinx 1.13.7
ModSeurity 3.0.0

Original setting:

SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml

Setting still inspecting the response body:

SecResponseBodyAccess Off
SecResponseBodyMimeType text/plain text/html text/xml

Settings which finally stoped response body inspection

SecResponseBodyAccess Off
SecResponseBodyMimeType text/nosuchtype
@victorhora victorhora self-assigned this Jan 16, 2018
@chirswind
Copy link

hello there ,I'm using modSecutity for Nginx ,and met the same problem too,seting SecResponseBodyAccess Off &SecResponseBodyMimeType text/nosuchtype does not have an effect to me.

@zimmerle zimmerle added the 3.x Related to ModSecurity version 3.x label Apr 4, 2018
@zimmerle zimmerle added this to the v3.0.3 milestone Apr 4, 2018
@zimmerle
Copy link
Contributor

zimmerle commented May 8, 2018

Somewhat related to owasp-modsecurity/ModSecurity-nginx#84

@zimmerle
Copy link
Contributor

zimmerle commented May 8, 2018

The compression can be disabled on the web server and/or proxy configuration. That is the main reason why the SecDisableBackendCompression is no longer supported on v3.

As of 42a472a the body inception is respecting the configuration flag.

@zimmerle zimmerle closed this as completed May 8, 2018
@victorhora victorhora mentioned this issue Jun 21, 2018
Closed
@zimmerle zimmerle mentioned this issue Dec 24, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@victorhora victorhora

Labels
3.x Related to ModSecurity version 3.x
Projects
None yet
Milestone
v3.0.3
Development

No branches or pull requests
4 participants
@zimmerle @zoltan-fedor @victorhora @chirswind