NGINX ModSecurity Fixes and Ratelimit Tuning by runleveldev · Pull Request #213 · mieweb/opensource-server

runleveldev · 2026-02-25T19:10:00Z

Fixing modsec_audit.log isn't reopened on logrotate #212 by separating standard NGINX logs which can rotate normally, and ModSecurity logs which need copytruncate due to a known issue
Allowing HTTP/3 protocol and application/x-protobuf Content-Type through the WAF fixing Intermittent 403 Errors When Accessing Page #211 and Bug: External NGINX Reverse Proxy (1.26.3) returns 405 Not Allowed on POST requests to nested containers #214
Fix [Bug]: Nginx blocks PUT and DELETE requests #215 by allowing the PUT PATCH and DELETE HTTP verbs
Change ratelimit to only block on failed requests to fix [Bug]: Rate limit exceeded #209
Fix [Bug]: Container names allowed with illegal characters #216 by adding checks around container hostname before reaching the create job
Fix 405 on ModSecurity blocks on non-GET requests by rewriting error_page handling to use internal proxy rewrites

…und via internal proxy

runleveldev linked an issue Feb 25, 2026 that may be closed by this pull request

modsec_audit.log isn't reopened on logrotate #212

Closed

fix: copytruncate modsec_audit.log to workaround reopen bug #212

27e196e

runleveldev force-pushed the rgingras/modsec-fixes branch from 9af48ea to 27e196e Compare February 25, 2026 19:46

runleveldev added 2 commits February 25, 2026 15:31

feat: initial crs-setup.conf commit, stock from debian 13

90b3433

fix: allow HTTP/3 per #211

98f1dd3

runleveldev force-pushed the rgingras/modsec-fixes branch from 974918f to fc7cc5f Compare February 25, 2026 20:58

fix: allow application/x-protobuf per #214

1148616

runleveldev force-pushed the rgingras/modsec-fixes branch from fc7cc5f to 1148616 Compare February 25, 2026 20:59

This was linked to issues Feb 25, 2026

Intermittent 403 Errors When Accessing Page #211

Closed

Bug: External NGINX Reverse Proxy (1.26.3) returns 405 Not Allowed on POST requests to nested containers #214

Closed

runleveldev added 2 commits February 26, 2026 09:24

fix: tune ratelimiting to apply only to illegitimate users per #209

bf26343

fix: allow RESTful HTTP verbs per #215

bc79a8c

runleveldev changed the title ~~NGINX ModSecurity Fixes and Tuning~~ NGINX ModSecurity Fixes and Ratelimit Tuning Feb 26, 2026

fix: enforce hostname validity per #216

1b6d545

runleveldev force-pushed the rgingras/modsec-fixes branch 2 times, most recently from a2ebee1 to a4d82b5 Compare February 27, 2026 19:09

fix: nginx refuses to serve static files to non-GET requests, workaro…

c4ae4ed

…und via internal proxy

runleveldev force-pushed the rgingras/modsec-fixes branch from a4d82b5 to c4ae4ed Compare February 27, 2026 19:13

mie-jcrandal approved these changes Feb 27, 2026

View reviewed changes

mie-jcrandal merged commit 19bef88 into main Feb 27, 2026
3 checks passed

mie-jcrandal deleted the rgingras/modsec-fixes branch February 27, 2026 21:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NGINX ModSecurity Fixes and Ratelimit Tuning#213

NGINX ModSecurity Fixes and Ratelimit Tuning#213
mie-jcrandal merged 8 commits intomainfrom
rgingras/modsec-fixes

runleveldev commented Feb 25, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

runleveldev commented Feb 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

runleveldev commented Feb 25, 2026 •

edited

Loading