tons of monit alerts after setting DenyAllButCloudflare in apache

Connection failed Service apache

    Date:        Sat, 11 Mar 2023 02:49:17
    Action:      restart
    Host:        sv1.example.test
    Description: failed protocol test [HTTP] at [127.0.0.1]:80/monit.html [TCP/IP] -- HTTP

+error: Server returned status 403

/var/log/httpd/error_log

[Sat Mar 11 02:47:16.349055 2023] [suexec:notice] [pid 579182:tid 139766462419136] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 11 02:47:16.349081 2023] [:notice] [pid 579182:tid 139766462419136] ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/) configured.
[Sat Mar 11 02:47:16.349088 2023] [:notice] [pid 579182:tid 139766462419136] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.2"
[Sat Mar 11 02:47:16.349115 2023] [:warn] [pid 579182:tid 139766462419136] ModSecurity: Loaded APR do not match with compiled!
[Sat Mar 11 02:47:16.349124 2023] [:notice] [pid 579182:tid 139766462419136] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
[Sat Mar 11 02:47:16.349139 2023] [:notice] [pid 579182:tid 139766462419136] ModSecurity: LUA compiled version="Lua 5.3"
[Sat Mar 11 02:47:16.349145 2023] [:notice] [pid 579182:tid 139766462419136] ModSecurity: LIBXML compiled version="2.9.7"
[Sat Mar 11 02:47:16.349150 2023] [:notice] [pid 579182:tid 139766462419136] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

[Sat Mar 11 02:47:16.605510 2023] [mpm_event:notice] [pid 579200:tid 139766462419136] AH00489: Apache/2.4.56 (apnscp) OpenSSL/1.1.1k Phusion_Passenger/5.1.12 configured -- resuming normal operations
[Sat Mar 11 02:47:16.605560 2023] [core:notice] [pid 579200:tid 139766462419136] AH00094: Command line: '/usr/sbin/httpd -T -D BROTLI -D STRICT -f /etc/httpd/conf/httpd.conf'
[Sat Mar 11 02:49:18.384529 2023] [mpm_event:notice] [pid 579200:tid 139766462419136] AH00491: caught SIGTERM, shutting down

[Sat Mar 11 02:49:18.951567 2023] [suexec:notice] [pid 579504:tid 139686521688256] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 11 02:49:18.951593 2023] [:notice] [pid 579504:tid 139686521688256] ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/) configured.
[Sat Mar 11 02:49:18.951620 2023] [:notice] [pid 579504:tid 139686521688256] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.2"
[Sat Mar 11 02:49:18.951627 2023] [:warn] [pid 579504:tid 139686521688256] ModSecurity: Loaded APR do not match with compiled!
[Sat Mar 11 02:49:18.951633 2023] [:notice] [pid 579504:tid 139686521688256] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
[Sat Mar 11 02:49:18.951661 2023] [:notice] [pid 579504:tid 139686521688256] ModSecurity: LUA compiled version="Lua 5.3"
[Sat Mar 11 02:49:18.951667 2023] [:notice] [pid 579504:tid 139686521688256] ModSecurity: LIBXML compiled version="2.9.7"
[Sat Mar 11 02:49:18.951671 2023] [:notice] [pid 579504:tid 139686521688256] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

[Sat Mar 11 02:49:19.224629 2023] [mpm_event:notice] [pid 579522:tid 139686521688256] AH00489: Apache/2.4.56 (apnscp) OpenSSL/1.1.1k Phusion_Passenger/5.1.12 configured -- resuming normal operations
[Sat Mar 11 02:49:19.224686 2023] [core:notice] [pid 579522:tid 139686521688256] AH00094: Command line: '/usr/sbin/httpd -T -D BROTLI -D STRICT -f /etc/httpd/conf/httpd.conf

DenyAllButCloudflare requires presence of the CF-Connecting-IP header, otherwise it short-circuits the request with a 403. Since Monit only checks the server HTTP container, you can disable that requirement on just that vhost.

In /etc/httpd/conf/httpd-custom.conf, change:

<VirtualHost _default_:80>
        ServerName x.y
        RewriteEngine On
        RewriteOptions Inherit
</VirtualHost>

to:

<VirtualHost _default_:80>
        ServerName x.y
        DenyAllButCloudflare off
        RewriteEngine On
        RewriteOptions Inherit
</VirtualHost>

Then run htrebuild. Normal protection will apply on all other vhosts as well as the HTTPS variation of the server vhost container.

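The failure mode in this thread is easy to reproduce and to check for: Monit sends a plain GET to 127.0.0.1:80/monit.html with no Cloudflare headers, so any vhost that enforces DenyAllButCloudflare answers 403 and Monit restarts Apache on a perfectly healthy server. The script below is an added example, not ApisCP's code: it models the documented rule (403 when CF-Connecting-IP is absent and the setting is on) in a loopback test server with the setting on and off, and provides a `probe()` function that issues the same request Monit does, so it can also be pointed at a real Apache on 127.0.0.1:80 to confirm the vhost exemption took effect after htrebuild. The model handler, `MONIT_PATH`, and the `diagnose()` wording are assumptions of this example, not part of the real module.

```python
"""Model of the DenyAllButCloudflare / Monit interaction from the thread above.

Added example, not ApisCP code. The handler is a simplified model of the
documented rule (reject with 403 when the CF-Connecting-IP header is absent
and the vhost has DenyAllButCloudflare on); the real module may do more.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MONIT_PATH = "/monit.html"  # the path Monit probes in the alert above (assumed)


def make_handler(deny_all_but_cloudflare: bool):
    """Build a request handler modelling one vhost with the given setting."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Model of the documented rule: no CF-Connecting-IP header -> 403.
            if deny_all_but_cloudflare and "CF-Connecting-IP" not in self.headers:
                self.send_response(403)
                self.end_headers()
                return
            body = b"ok\n"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def probe(host: str, port: int, path: str = MONIT_PATH, timeout: float = 5.0) -> int:
    """Issue the same bare HTTP GET Monit issues (no Cloudflare headers) and
    return the status code. Works against the model server below or against
    a real Apache, e.g. probe("127.0.0.1", 80)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def diagnose(status: int) -> str:
    """Classify a Monit probe result in terms of the thread's root cause."""
    if status == 200:
        return "healthy"
    if status == 403:
        return ("403 without CF-Connecting-IP: DenyAllButCloudflare is in effect "
                "on the probed vhost; set 'DenyAllButCloudflare off' in that "
                "<VirtualHost> and run htrebuild")
    return f"unexpected status {status}"


def run_model_vhost(deny_all_but_cloudflare: bool):
    """Start a loopback model vhost on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(deny_all_but_cloudflare))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_model(deny_all_but_cloudflare: bool) -> int:
    """Probe a model vhost with the given setting and return the status code."""
    srv, port = run_model_vhost(deny_all_but_cloudflare)
    try:
        return probe("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for setting in (True, False):
        status = probe_model(setting)
        print(f"DenyAllButCloudflare {'on' if setting else 'off'}: "
              f"{status} -> {diagnose(status)}")
```

With the setting on, the loopback probe gets 403 (the alert in the first post); with it off, 200. Because `probe()` sends exactly what Monit sends, running it against the real server before and after the `DenyAllButCloudflare off` change is a quick way to confirm the fix without waiting for the next Monit cycle.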