
Rule Exclusion: Nginx Cache Purge Preload Plugin for Wordpress: "ERROR COMMAND: Cannot start Nginx cache Preloading for https://www.mcmo.is! Please check your DNS, connectivity, proxy/firewall settings, and Exclude syntax." #4128

@Danrancan

Description


I am running the "Nginx Cache Purge Preload" plugin for WordPress. When I navigate to WP-ADMIN --> Settings --> FastCGI Cache Purge and Preload, I get the following error message in WordPress:

ERROR COMMAND: Cannot start Nginx cache Preloading for https://www.mcmo.is! Please check your DNS, connectivity, proxy/firewall settings, and Exclude syntax.

The plugin cannot preload the cache with ModSecurity activated.

How to reproduce the misbehavior (-> curl call)

I don't know how to use a curl call. But if you install the plugin in WordPress and try to preload the cache, you will see this warning.

Logs

Here is a tail of my audit log when I click the preload cache button in the plugin:

==> /var/log/modsec_audit.log <==
---7v8gXtCR---A--
[13/May/2025:01:25:20 -0500] 174711752043.686979 127.0.0.1 39642 127.0.0.1 443
---7v8gXtCR---B--
GET / HTTP/1.1
Host: www.mcmo.is
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
Accept: */*
Accept-Encoding: identity

---7v8gXtCR---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---7v8gXtCR---F--
HTTP/1.1 403
Server: nginx
Date: Tue, 13 May 2025 06:25:20 GMT
Content-Length: 548
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---7v8gXtCR---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v] (27 characters omitted)' against variable `REQUEST_HEADERS:User-Agent' (Value: `"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.1 (17 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "831"] [id "942200"] [rev ""] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: , like Gecko) Chrome/92.0.4515.159 Safari/537.36\x22 found within REQUEST_HEADERS:User-Agent: \x22Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4 (22 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "174711752043.686979"] [ref "o68,49v86,117t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "127.0.0.1"] [uri "/"] [unique_id "174711752043.686979"] [ref ""]

---7v8gXtCR---J--

---7v8gXtCR---K--

---7v8gXtCR---Z--

---e3gJyIBt---A--
[13/May/2025:01:25:31 -0500] 174711753171.493188 127.0.0.1 48474 127.0.0.1 443
---e3gJyIBt---B--
GET / HTTP/1.1
Host: www.mcmo.is
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
Accept: */*
Accept-Encoding: identity

---e3gJyIBt---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---e3gJyIBt---F--
HTTP/1.1 403
Server: nginx
Date: Tue, 13 May 2025 06:25:31 GMT
Content-Length: 548
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---e3gJyIBt---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v] (27 characters omitted)' against variable `REQUEST_HEADERS:User-Agent' (Value: `"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.1 (17 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "831"] [id "942200"] [rev ""] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: , like Gecko) Chrome/92.0.4515.159 Safari/537.36\x22 found within REQUEST_HEADERS:User-Agent: \x22Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4 (22 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "174711753171.493188"] [ref "o68,49v86,117t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "127.0.0.1"] [uri "/"] [unique_id "174711753171.493188"] [ref ""]

---e3gJyIBt---J--

---e3gJyIBt---K--

---e3gJyIBt---Z--

---IaL226hF---A--
[13/May/2025:01:25:36 -0500] 174711753643.407149 127.0.0.1 45494 127.0.0.1 443
---IaL226hF---B--
GET / HTTP/1.1
Host: www.mcmo.is
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36"
Accept: */*
Accept-Encoding: identity

---IaL226hF---E--
<html>\x0d\x0a<head><title>403 Forbidden</title></head>\x0d\x0a<body>\x0d\x0a<center><h1>403 Forbidden</h1></center>\x0d\x0a<hr><center>nginx</center>\x0d\x0a</body>\x0d\x0a</html>\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a<!-- a padding to disable MSIE and Chrome friendly error page -->\x0d\x0a

---IaL226hF---F--
HTTP/1.1 403
Server: nginx
Date: Tue, 13 May 2025 06:25:36 GMT
Content-Length: 548
Content-Type: text/html
X-Content-Type-Options: nosniff
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src * data: 'unsafe-eval' 'unsafe-inline'
Referrer-Policy: no-referrer-when-downgrade
x-frame-options: SAMEORIGIN

---IaL226hF---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i),.*?[\"'\)0-9`-f][\"'`](?:[\"'`].*?[\"'`]|(?:\r?\n)?\z|[^\"'`]+)|[^0-9A-Z_a-z]select.+[^0-9A-Z_a-z]*?from|(?:alter|(?:(?:cre|trunc|upd)at|renam)e|d(?:e(?:lete|sc)|rop)|(?:inser|selec)t|load)[\s\v] (27 characters omitted)' against variable `REQUEST_HEADERS:User-Agent' (Value: `"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.1 (17 characters omitted)' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "831"] [id "942200"] [rev ""] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [data "Matched Data: , like Gecko) Chrome/92.0.4515.159 Safari/537.36\x22 found within REQUEST_HEADERS:User-Agent: \x22Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4 (22 characters omitted)"] [severity "2"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS"] [tag "capec/1000/152/248/66"] [tag "PCI/6.5.2"] [tag "paranoia-level/2"] [hostname "127.0.0.1"] [uri "/"] [unique_id "174711753643.407149"] [ref "o68,49v86,117t:urlDecodeUni"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/crs4.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "127.0.0.1"] [uri "/"] [unique_id "174711753643.407149"] [ref ""]

---IaL226hF---J--

---IaL226hF---K--

---IaL226hF---Z--

My Question

Can someone please help me with rule exclusions for this plugin? I am still a noob when it comes to writing RE's, and need help with them because the site https://www.mcmo.is is a live site.

Thanks for any provided examples. Your help is highly appreciated!

Your Environment

  • CRS version (e.g., v3.3.4): CRS 4.0
  • Paranoia level setting (e.g. PL1) : PL2
  • ModSecurity version (e.g., 2.9.6): I'm not sure how to find the version, but most likely the latest, or second latest.
  • Web Server and version or cloud provider / CDN: Nginx 1.27.5 Mainline
  • Operating System and version: Ubuntu Server 24.04 for Raspberry Pi (aarch64)

Confirmation

[X] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.
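
One way to read the audit log above and turn it into a narrow exclusion (an added example, not part of the original issue and not CRS project code): it parses the "H" section, skips the evaluation rule 949110, which only reports the score, and emits a runtime exclusion for the rule/variable pair that actually scored. Assumptions: the exclusion is limited to `REMOTE_ADDR` 127.0.0.1 because that is the client address in the logged requests, nginx is not behind a local proxy that makes all traffic appear as 127.0.0.1, and `local_id=1000` is a placeholder rule id.

```python
import re
from collections import Counter

# Constructed sample: the two "H" messages from the issue's audit log,
# abridged with "..." (ids, variables and tags are as quoted there).
SAMPLE_H = r'''
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)...' against variable `REQUEST_HEADERS:User-Agent' (Value: `"Mozilla/5.0 ...' ) [id "942200"] [msg "Detects MySQL comment-/space-obfuscated injections and backtick termination"] [tag "attack-sqli"] [tag "paranoia-level/2"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [tag "anomaly-evaluation"]
'''

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "942200"], [tag "..."]
TARGET = re.compile(r"against variable `([^']+)'")  # name of the matched variable

def parse_messages(text):
    """Return one dict per 'ModSecurity:' line: rule id, target and tags."""
    out = []
    for line in text.splitlines():
        if not line.startswith("ModSecurity:"):
            continue
        fields = FIELD.findall(line)
        target = TARGET.search(line)
        out.append({
            "id": next((v for k, v in fields if k == "id"), None),
            "tags": [v for k, v in fields if k == "tag"],
            "target": target.group(1) if target else None,
        })
    return out

def scoring_hits(text):
    """Count (rule id, target) pairs that added to the anomaly score.
    Rules tagged anomaly-evaluation (949110 here) only compare the total
    with the threshold; they are the symptom, not the rule to exclude."""
    return Counter((m["id"], m["target"]) for m in parse_messages(text)
                   if m["id"] and "anomaly-evaluation" not in m["tags"])

def loopback_exclusion(rule_id, target, local_id=1000):
    """Build a runtime exclusion for loopback clients; local_id is a placeholder."""
    return (f'SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" \\\n'
            f'    "id:{local_id},phase:1,pass,t:none,nolog,\\\n'
            f'    ctl:ruleRemoveTargetById={rule_id};{target}"')

if __name__ == "__main__":
    for (rule_id, target), n in scoring_hits(SAMPLE_H).items():
        print(f"# {n} hit(s): rule {rule_id} on {target}")
        print(loopback_exclusion(rule_id, target))
```

The printed rule has to load before the CRS rule files (CRS ships `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` for this); rule 942200 still inspects every other variable, and the User-Agent of non-loopback clients is still checked.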
