Error/warning when upgrading rules from 1.106/107 to 1.109

Hello,

Updated some servers today to newest ruleset and got warnings like this:

19/01/17 10:50:23 updater[860698] debug is ON, level = 10
19/01/17 10:50:23 updater[860698] create pid file
19/01/17 10:50:23 updater[860698] try to get data from CWAF server
19/01/17 10:50:24 updater[860698] lwp_params: timeout=60 sec, save_to_file flag: 0
19/01/17 10:50:24 updater[860698] normalize content
19/01/17 10:50:24 updater[860698] parse JSON from CWAF server
19/01/17 10:50:24 updater[860698] got answer from CWAF (OK)
19/01/17 10:50:24 updater[860698] save response
19/01/17 10:50:24 updater[860698] lwp_params: timeout=60 sec, save_to_file flag: 1
19/01/17 10:50:25 updater[860698] file has been downloaded successfully: cwaf_rules_ls-1.109.tgz
19/01/17 10:50:25 updater[860698] /var/cpanel/cwaf/tmp/rules.tgz original md5sum - a8a5be62c07fafcfaa9632f8181f3e57
19/01/17 10:50:25 updater[860698] /var/cpanel/cwaf/tmp/rules.tgz local md5sum - a8a5be62c07fafcfaa9632f8181f3e57
19/01/17 10:50:25 updater[860698] file successfully saved (/var/cpanel/cwaf/tmp/rules.tgz)
19/01/17 10:50:25 updater[860698] make backup for previous rules version
19/01/17 10:50:25 updater[860698] prepare to remove directory /var/cpanel/cwaf/tmp/rules/workdir2
19/01/17 10:50:25 updater[860698] remove directory /var/cpanel/cwaf/tmp/rules/workdir2
19/01/17 10:50:25 updater[860698] set work directory (/var/cpanel/cwaf/tmp/rules/workdir2)
19/01/17 10:50:25 updater[860698] extract rules
19/01/17 10:50:25 updater[860698] link userdata to rules
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_IPs, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_IPs
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_URLs, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_URLs
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_agents, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_agents
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_cookies, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_cookies
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_domains, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_domains
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_extensions, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_extensions
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_headers, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_headers
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_bl_referers, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_bl_referers
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_login_pages, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_login_pages
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_wl_IPs, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_wl_IPs
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_wl_URLs, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_wl_URLs
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_wl_agents, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_wl_agents
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_wl_content_type, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_wl_content_type
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_wl_domains, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_wl_domains
19/01/17 10:50:25 updater[860698] symlink /var/cpanel/cwaf/etc/userdata/userdata_wl_methods, /var/cpanel/cwaf/tmp/rules/workdir2/rules/userdata_wl_methods
19/01/17 10:50:25 updater[860698] scheme is not changed, no transformation required
19/01/17 10:50:25 updater[860698] updating user exclude lists with new excludes from rules
19/01/17 10:50:26 updater[860698] nothing to update
19/01/17 10:50:26 updater[860698] ERROR: wrong syntax of apache config file
19/01/17 10:50:26 updater[860698] cpanel info: The “/usr/sbin/httpd” command (process 860748) reported error number 1 when it ended.
Configuration problem detected on line 225 of file /etc/apache2/conf/httpd.conf: : Syntax error on line 31 of /etc/apache2/conf.d/zzzz_cwaf_security2.conf: Syntax error on line 2 of /var/cpanel/cwaf/etc/cwaf.conf: No matches for the wildcard '*.conf' in '/var/cpanel/cwaf/etc/httpd/domains', failing (use IncludeOptional if required)
--- /etc/apache2/conf/httpd.conf ---
219    Listen [::]:443
220
221    AddType application/x-x509-ca-cert .crt
222    AddType application/x-pkcs7-crl .crl
223</IfModule>
224
225 ===> Include "/etc/apache2/conf.d/*.conf" <===
226
227Include "/etc/apache2/conf.d/includes/account_suspensions.conf"
228Include "/etc/apache2/conf.d/includes/errordocument.conf"
229
230# Administrator locations for safely globally altering all virtualhost configurations
231Include "/etc/apache2/conf.d/includes/pre_virtualhost_global.conf"
--- /etc/apache2/conf/httpd.conf ---

19/01/17 10:50:26 updater[860698] webserver restart failed (try 1)
19/01/17 10:50:26 updater[860698] update failed, restoring previous rules version
19/01/17 10:50:26 updater[860698] set work directory (/var/cpanel/cwaf/tmp/rules/workdir1)
19/01/17 10:50:26 updater[860698] ERROR: wrong syntax of apache config file
19/01/17 10:50:26 updater[860698] cpanel info: The “/usr/sbin/httpd” command (process 860751) reported error number 1 when it ended.
Configuration problem detected on line 225 of file /etc/apache2/conf/httpd.conf: : Syntax error on line 31 of /etc/apache2/conf.d/zzzz_cwaf_security2.conf: Syntax error on line 2 of /var/cpanel/cwaf/etc/cwaf.conf: No matches for the wildcard ‘*.conf’ in ‘/var/cpanel/cwaf/etc/httpd/domains’, failing (use IncludeOptional if required)

--- /etc/apache2/conf/httpd.conf ---
219    Listen [::]:443
220
221    AddType application/x-x509-ca-cert .crt
222    AddType application/x-pkcs7-crl .crl
223</IfModule>
224
225 ===> Include "/etc/apache2/conf.d/*.conf" <===
226
227Include "/etc/apache2/conf.d/includes/account_suspensions.conf"
228Include "/etc/apache2/conf.d/includes/errordocument.conf"
229
230# Administrator locations for safely globally altering all virtualhost configurations
231Include "/etc/apache2/conf.d/includes/pre_virtualhost_global.conf"
--- /etc/apache2/conf/httpd.conf ---

19/01/17 10:50:26 updater[860698] webserver restart failed (try 2)
19/01/17 10:50:26 updater[860698] ERROR: wrong syntax of apache config file
19/01/17 10:50:26 updater[860698] cpanel info: The “/usr/sbin/httpd” command (process 860754) reported error number 1 when it ended.
Configuration problem detected on line 225 of file /etc/apache2/conf/httpd.conf: : Syntax error on line 31 of /etc/apache2/conf.d/zzzz_cwaf_security2.conf: Syntax error on line 2 of /var/cpanel/cwaf/etc/cwaf.conf: No matches for the wildcard ‘*.conf’ in ‘/var/cpanel/cwaf/etc/httpd/domains’, failing (use IncludeOptional if required)

--- /etc/apache2/conf/httpd.conf ---
219    Listen [::]:443
220
221    AddType application/x-x509-ca-cert .crt
222    AddType application/x-pkcs7-crl .crl
223</IfModule>
224
225 ===> Include "/etc/apache2/conf.d/*.conf" <===
226
227Include "/etc/apache2/conf.d/includes/account_suspensions.conf"
228Include "/etc/apache2/conf.d/includes/errordocument.conf"
229
230# Administrator locations for safely globally altering all virtualhost configurations
231Include "/etc/apache2/conf.d/includes/pre_virtualhost_global.conf"
--- /etc/apache2/conf/httpd.conf ---

19/01/17 10:50:26 updater[860698] webserver restart failed (try 3)
19/01/17 10:50:26 updater[860698] update successful
19/01/17 10:50:26 updater[860698] update process finished!

I had to choose “Restore rules” and then it was showing the correct current rules version.

Both servers were LiteSpeed. I tested an EA4 (Apache) server and did not get any warnings there.
But it seems like the rules are working fine on LSWS, though.

“Include /usr/local/cwaf/etc/httpd/domains/*.conf” should be changed to “IncludeOptional /usr/local/cwaf/etc/httpd/domains/*.conf” in /var/cpanel/cwaf/etc/cwaf.conf

I got some issues because of this. We tried to move a customer to this server, but SSL was not copied because of this.
In order to get the website working we had to comment out this line and transfer SSL manually.

Here is our cwaf.conf file now:
Include /var/cpanel/cwaf/rules/*.conf
#Include /var/cpanel/cwaf/etc/httpd/domains/*.conf
Include /var/cpanel/cwaf/etc/httpd/global/*.conf
Include /var/cpanel/cwaf/etc/httpd/custom_user.conf

Should all be changed to IncludeOptional?
And only on LiteSpeed servers? Why didn’t your update fix this?

#Include /var/cpanel/cwaf/etc/httpd/domains/*.conf

doesn’t allow the use of excludes for domains. It doesn’t matter for LiteSpeed, but it works on the basis of Apache conf files.
So, if you use LiteSpeed, it can be commented out.

Not quite sure what you mean with that answer?
So we should comment out that line on all LiteSpeed servers manually now because you have updated your agent/rules?

Of course not, it’s a temporary solution. You can just copy the correct /var/cpanel/cwaf/etc/cwaf.conf to other servers.

So is this the rules or agent version causing this?
Do you have any ETA for the fix?

The fix is under testing now.
We are going to release a new version as soon as possible.

Thanks :)

https://forums.comodo.com/free-modsecurity-rules-comodo-web-application-firewall/client-agent-updates-t101235.135.html

Tested on some servers now, but the cwaf.conf file didn’t get changed. Still:

cat /var/cpanel/cwaf/etc/cwaf.conf
Include /var/cpanel/cwaf/rules/*.conf
Include /var/cpanel/cwaf/etc/httpd/domains/*.conf
Include /var/cpanel/cwaf/etc/httpd/global/*.conf
Include /var/cpanel/cwaf/etc/httpd/custom_user.conf

Include /var/cpanel/cwaf/etc/httpd/domains/*.conf was changed to IncludeOptional to avoid the problem when files in /var/cpanel/cwaf/etc/httpd/domains don’t exist.
We fixed this bug, so there is no need to change cwaf.conf.
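
The failure discussed in this thread can be caught before a restart is attempted. The following is an added example, not part of the thread and not Comodo's updater code: a pre-flight check that lists every mandatory `Include` in a config file whose path or wildcard matches nothing on disk. It goes slightly beyond the thread by also flagging non-wildcard includes of missing files. The function name `check_includes` and the temporary directory layout are constructed for illustration, and paths are assumed to be absolute and free of spaces.

```shell
#!/bin/sh
# check_includes CONF: print "LINE: PATTERN" for every mandatory Include whose
# path or wildcard matches nothing on disk; return 1 if any, else 0.
# Commented-out lines and IncludeOptional are skipped.
check_includes() (
    conf=$1; n=0; bad=0
    while read -r directive pattern rest || [ -n "$directive" ]; do
        n=$((n + 1))
        case $directive in
            [Ii][Nn][Cc][Ll][Uu][Dd][Ee]) ;;   # directive names are case-insensitive
            *) continue ;;
        esac
        pattern=${pattern#\"}; pattern=${pattern%\"}   # drop optional quotes
        # Unquoted on purpose: let the shell expand the wildcard. With no
        # match the pattern stays literal and the -e test fails.
        set -- $pattern
        if [ ! -e "$1" ]; then
            echo "$n: $pattern"
            bad=1
        fi
    done < "$conf"
    exit "$bad"
)

# Constructed layout mirroring the thread: domains/ exists but holds no *.conf.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/rules" "$root/etc/httpd/domains" "$root/etc/httpd/global"
    touch "$root/rules/00_init.conf" "$root/etc/httpd/global/g.conf" \
          "$root/etc/httpd/custom_user.conf"
    cat > "$root/cwaf.conf" <<EOF
Include $root/rules/*.conf
Include $root/etc/httpd/domains/*.conf
Include $root/etc/httpd/global/*.conf
Include $root/etc/httpd/custom_user.conf
EOF
    check_includes "$root/cwaf.conf"
    status=$?
    rm -rf "$root"
    return "$status"
}
demo || echo "each line above needs a matching file or IncludeOptional"
```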