OK, unless anyone can prove me wrong I’m going to say this is not an issue and that mod-sec is in fact working.
While I don’t know why the noindex error is proxied back to the web host, that’s all that is sent and mod_sec is blocking everything else. I ran a full Nessus web vuln test and while the noindex error was again passed through, there were hundreds of subsequent blocks, so mod_sec is working.
Apache 2.2 running as a reverse-proxy with another Apache 2.2 host and then a DB on the end. This is an AWS setup so the design is basically: load-balancer, pair of reverse proxies, pair of web hosts, database on the backend.

I'm using a basic user-agent test to ensure at least basic function of mod_sec and there is, again, something that even 3 cups of coffee hasn't been able to figure out.

curl -I -A "Nessus" http://www.ihaterabbits.com/
Returns "HTTP 200"

curl -I -A "Nessus" http://www.ihaterabbits.com/foobar
Returns "HTTP 443"

The reverse-proxy logs:

access_log
"HEAD / HTTP/1.1" 200 - "-" "Nessus"
"HEAD /foobar/ HTTP/1.1" 403 - "-" "Nessus"

error_log
"ModSecurity: Access denied with code 403 bad_robots"
ModSecurity: Access denied with code 403 bad_robots

The web host logs:

"GET /error/noindex.html HTTP/1.1" 200 3839
[second curl there is no request sent to the web host]

-- Why is there a request sent to the web host on the first curl when there is a deny from mod_sec? I tried removing the -Indexes for Options and that didn't change anything. It looks like it's proxying the error and not the request?

vhost is as follows:

<VirtualHost *:80>
    ProxyVia On
    <IfModule mod_security2.c>
        SecRuleEngine On
    </IfModule>
    ProxyPreserveHost On
    ServerName ihaterabbits.com
    ProxyPass / http://nameofloadbalancer/ retry=0
    ProxyPassReverse / http://nameofloadbalancer/
</VirtualHost>
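
One configuration that would produce exactly the logs above, with a hardened vhost beside it; this is an added example, not part of the original post or the poster's configuration. It assumes the reverse proxies run a Red Hat-style httpd 2.2 package with the stock conf.d/welcome.conf still enabled, which the post does not show.

```apache
# Assumed (not shown in the post): stock conf.d/welcome.conf on the proxy
#
#   <LocationMatch "^/+$">
#       Options -Indexes
#       ErrorDocument 403 /error/noindex.html
#   </LocationMatch>
#
# With that in place, a ModSecurity deny on "/" yields a 403, the
# ErrorDocument causes an internal redirect to /error/noindex.html, and
# the catch-all "ProxyPass /" forwards that redirect to the backend as a
# GET. The backend's 200 is what the client sees. "/foobar" does not
# match ^/+$, so its 403 is answered by the proxy itself.

<VirtualHost *:80>
    ServerName ihaterabbits.com
    ProxyVia On
    ProxyPreserveHost On

    <IfModule mod_security2.c>
        SecRuleEngine On
    </IfModule>

    # Fix A: answer a 403 on "/" with inline text, so there is no
    # internal redirect for mod_proxy to pick up.
    <LocationMatch "^/+$">
        ErrorDocument 403 "Forbidden"
    </LocationMatch>

    # Fix B: never proxy the local error pages. The exclusion has to
    # come before the catch-all ProxyPass to take effect.
    ProxyPass /error/ !

    ProxyPass / http://nameofloadbalancer/ retry=0
    ProxyPassReverse / http://nameofloadbalancer/
</VirtualHost>
```

Either fix is sufficient on its own. Under the stated assumption, repeating the first curl should then return 403 and leave no /error/noindex.html entry in the web host's access log.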