header already sent while sending response to client #41

Open
AnoopAlias opened this issue Mar 31, 2017 · 19 comments
Comments

@AnoopAlias

I think issue #14 is not fixed

I am getting this error

# nginx -V
nginx version: nginx/1.11.12
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) 
built with LibreSSL 2.5.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/etc/nginx/modules --with-pcre=./pcre-8.40 --with-pcre-jit --with-zlib=./zlib-1.2.11 --with-openssl=./libressl-2.5.1 --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --http-log-path=/var/log/nginx/access_log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody --group=nobody --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --add-dynamic-module=naxsi-http2/naxsi_src --with-file-aio --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-compat --with-http_v2_module --with-http_geoip_module=dynamic --add-dynamic-module=ngx_pagespeed-release-1.11.33.4-beta --add-dynamic-module=/usr/local/rvm/gems/ruby-2.3.1/gems/passenger-5.1.2/src/nginx_module --add-dynamic-module=ngx_brotli --add-dynamic-module=echo-nginx-module-0.60 --add-dynamic-module=headers-more-nginx-module-0.32 --add-dynamic-module=ngx_http_redis-0.3.8 --add-dynamic-module=redis2-nginx-module --add-dynamic-module=srcache-nginx-module-0.31 --add-dynamic-module=ngx_devel_kit-0.3.0 --add-dynamic-module=set-misc-nginx-module-0.31 --add-dynamic-module=ModSecurity-nginx --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' --with-ld-opt=-Wl,-E

I was trying to do an ab benchmark, which is flooding the audit log with


---8Tko7yAx---F--
X-Page-Speed: 1.11.33.4-0
Expires: Fri, 31 Mar 2017 14:10:46 GMT
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache
Cache-Control: max-age=0, no-cache
Connection: keep-alive
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 31 Mar 2017 14:10:46 GMT
Date: Fri, 31 Mar 2017 14:10:46 GMT
Server: XtendWeb-nginx
Server: XtendWeb-nginx

---8Tko7yAx---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `TX' (Value: `0' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"] [line "80"] [id "912100"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref ""]
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `TX' (Value: `0' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf"] [line "119"] [id "910130"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref ""]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:<(?:TITLE>Index of.*?<H|title>Index of.*?<h)1>Index of|>\[To Parent Directory\]<\/[Aa]><br>)' against variable `RESPONSE_BODY' (Value: `<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\x0a<html>\x0a <head>\x0a  <title>Index of /< (565 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "22"] [id "950130"] [rev "2"] [msg "Directory Listing"] [data "Matched Data: <title>Index of /</title>\x0a </head>\x0a <body>\x0a<h1>Index of found within RESPONSE_BODY: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">\x0a<html>\x0a <head>\x0a  <title>Index of /</title>\x0a </head>\x0a <body>\x0a<h1>Index of /</h1>\x0a  <table>\x0a   <tr><th valign="top">&nbsp;</th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>\x0a   <tr><th colspan="5"><hr></th></tr>\x0a<tr><td valign="top">&nbsp;</td><td><a href="cgi-bin/">cgi-bin/</a>               </td><td align="right">2017-03-31 11:50  </td><td align="right">  - </td><td>&nbsp;</td></tr>\x0a   <tr><th colspan="5"><hr></th></tr>\x0a</table>\x0a</body></html>\x0a"] [severity "3"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"] [ref "o73,55v92,623"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.outbound_anomaly_score_threshold}' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "164"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [ref ""]
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `TX' (Value: `0' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"] [line "74"] [id "912110"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.outbound_anomaly_score_threshold}' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "69"] [id "980140"] [rev ""] [msg "Outbound Anomaly Score Exceeded (score 4): Directory Listing'"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [ref ""]

---8Tko7yAx---I--

And the nginx error log is filled with

2017/03/31 14:12:20 [alert] 2518#2518: *30195 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30196 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30197 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30198 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30199 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30200 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30201 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30202 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30203 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30204 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30205 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30206 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30207 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
2017/03/31 14:12:20 [alert] 2518#2518: *30208 header already sent while sending to client, client: xx.xx.xx.xx, server: domain.com, request: "GET / HTTP/1.0", upstream: "http://yy.yy.yy.yy:9999/", host: "domain.com"
@AnoopAlias
Author

As a follow-up. This error goes away if pagespeed is disabled.

The error is happening with pagespeed loaded.

My test was using pagespeed with core filters enabled.

https://groups.google.com/forum/#!topic/ngx-pagespeed-discuss/YzMchMNSBbU

says

That error means we're calling ngx_http_send_header() after nginx has
already sent out headers.

@defanator
Collaborator

Hi @AnoopAlias, based on the quoted logs, libmodsecurity is trying to deny the request due to some matching in the response body. Currently this does not work, and we have a corresponding test marked as "TODO" here: https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/tests/modsecurity-response-body.t
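Added example, not code from the issue or from the ModSecurity project: a small Python parser for the serial audit-log format quoted above. It splits the log into per-transaction sections and lists the CRS rules from RESPONSE-* files that fired, the ones that can only act once the upstream response exists, which is the situation defanator describes. The sample log is constructed and abbreviated from the excerpt above.

```python
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---(?P<tx>\w+)---(?P<part>[A-Z])--$")
# key "value" pairs of an H-section line; the lookahead stops only at the next pair or end of line
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\](?= \[|\s*$)')

def parse_audit_log(text):
    """Split serial-format audit output into {tx_id: {part_letter: [lines]}}."""
    entries = defaultdict(lambda: defaultdict(list))
    tx = part = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tx, part = m.group("tx"), m.group("part")
        elif tx and line.strip():
            entries[tx][part].append(line)
    return entries

def parse_h_line(line):
    """Turn one 'ModSecurity: Warning. ...' line into a dict; repeated [tag] fields become a list."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields[key] = value
    fields["tags"] = tags
    return fields

def response_phase_rules(entries):
    """Per tx: (id, rule file, msg) of hits from RESPONSE-* files, i.e. rules that
    can only fire after the upstream headers exist (the case in this issue)."""
    out = {}
    for tx, parts in entries.items():
        hits = [parse_h_line(l) for l in parts.get("H", [])]
        out[tx] = [(f.get("id"), f["file"].rsplit("/", 1)[-1], f.get("msg", ""))
                   for f in hits if "/RESPONSE-" in f.get("file", "")]
    return out

# Constructed sample, abbreviated from the audit log quoted in the issue (same layout).
SAMPLE = """\
---8Tko7yAx---F--
X-Page-Speed: 1.11.33.4-0
---8Tko7yAx---H--
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `TX' (Value: `0' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf"] [line "80"] [id "912100"] [rev ""] [msg ""] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [ref ""]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:<title>Index of)' against variable `RESPONSE_BODY' (Value: `<title>Index of /< (565 characters omitted)' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf"] [line "22"] [id "950130"] [rev "2"] [msg "Directory Listing"] [data "Matched Data: <title>Index of /</title>"] [severity "3"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "attack-disclosure"] [tag "OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING"] [ref "o73,55v92,623"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `%{tx.outbound_anomaly_score_threshold}' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "164"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [ref ""]
"""
```

Running `response_phase_rules(parse_audit_log(SAMPLE))` on a real audit file shows which response-phase rules (here 950130 and the 959100 blocking evaluation) are the ones that trigger the late deny.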

@vipul-sharma-code

Hi,

We are also getting the same problem, "header already sent while sending response to client".

1447 header already sent while sending response to client, client: 122,x,x,x, server: xyz.co.in,

Due to this we are getting a bad gateway.

nginx -V
nginx version: nginx/1.12.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx/

ModSecurity build version : 030000051

Kindly suggest how we can solve this issue.

@vipul-sharma-code

Hi @defanator

Please update.

@zimmerle zimmerle self-assigned this Nov 20, 2017
@AnoopAlias
Author

@zimmerle - it would be great if v3 could work fine with PageSpeed, as this module is in widespread use.

@dennus

dennus commented Dec 18, 2017

This problem is solved in commit 2dc1f7d

@vipul-sharma-code

@dennus Thanks. Now I need to recompile the same to get the benefit.

Exp :-

cd modsecurity-2.9.2
./configure --enable-standalone-module
make

@dennus

dennus commented Dec 18, 2017

@vipulshop this fix applies to modsecurity 3, not to 2.9.2

@vipul-sharma-code

@dennus,

Can I follow the below-mentioned link for modsecurity 3?

https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes#centos-7-minimal

@dennus

dennus commented Dec 18, 2017

@vipulshop, yes

@vipul-sharma-code

vipul-sharma-code commented Mar 22, 2018

Dear Dennus,

After using the latest modsecurity we are still getting the below error (header already sent while sending response to client).

2018/03/22 13:38:33 [alert] 17057#0: *9 header already sent while sending response to client, client: 125.63.93.130, server: test-beta.xyz.com, request: "GET /test/ HTTP/1.1", upstream: "http://192.168.123.81:80/retailer/", host: "test-beta.xyz.com", referrer: "https://test-beta.xyz.com/test/

nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --with-pcre-jit --with-debug --with-http_ssl_module --with-http_realip_module --add-module=/opt/ModSecurity-nginx/

git clone https://github.com/SpiderLabs/ModSecurity
https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0.2.tar.gz

nginx file

location /test {

    modsecurity on;
    modsecurity_rules_file /etc/nginx/waf-load-config/main.conf;

    if ($request_uri ~* \.(?:ico|css|js|gif|jpe?g|png|swf)$) {
        expires 30d;
    }

    proxy_cache backcache;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 2;
    proxy_ignore_headers X-Accel-Expires;
    proxy_ignore_headers Cache-Control;
    proxy_hide_header Server;
    add_header X-Test-Cache $upstream_cache_status;
    # header name must not carry a trailing colon; nginx inserts the separator itself
    add_header Access-Control-Allow-Origin https://dxjnuc5ep2kkjhnhbt.cloudfront.net;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
    proxy_pass_request_headers on;
    proxy_pass http://test;
}

A quick response will be really appreciated.

Thanks

@victorhora
Contributor

@vipulshop can you try out applying patch #84 and let us know of the results?

Thanks.

@Avamander

I tested it out, I'm not seeing protocol errors any longer but "403 - forbidden", will keep testing though.

@Avamander

Okay, for some reason new Chrome is making some requests with HTTP/0.9 (that's why the 403's), but with nginx-1.13.12, modsecurity-v3/master (11 commits behind) and that patch everything seems to work quite fine. I have seen nginx freeze twice (in short succession, and I can't reproduce it); not sure what that was about.

@vipul-sharma-code

@Avamander, I have created a new issue where all the details are present and you can easily reproduce the issue.

Kindly go through the below-mentioned link.

#97

@github-actions

This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

@tanvir-retailai

Is this issue fixed in v3/master ?

@zimmerle zimmerle reopened this Dec 29, 2020
@zimmerle
Contributor

@tanvir-retailai: no, that is an issue in the connector, not in libModSecurity.

@wusikijeronii

+1. I also use ModSecurity with PageSpeed. With RESPONSE-952-DATA-LEAKAGES-JAVA.conf and RESPONSE-953-DATA-LEAKAGES-PHP.conf disabled, it works fine (as mentioned in #93)
