Libapache2-mod-security2 causes error 403 and prevents access

I have an Ubuntu 18.04 server with Nextcloud installed in an Apache2 (Apache/2.4.29 (Ubuntu)) virtual host. I am using PHP 7.3. In an attempt to harden the server, I installed libapache2-mod-security2. This immediately locked out access to Nextcloud with an error 403. I clearly did not understand modsecurity well enough.

I decided to uninstall it with sudo apt purge libapache2-mod-security2. I moved the /etc/modsecurity to my home directory. Still, I get the error 403.

Googling I found that if you put an .htaccess file in the root of the virtual host with the following it should turn off modsecurity for that host.

<IfModule mod_security.c>
   SecFilterEngine Off
   SecFilterScanPOST Off
</IfModule>

I put this in
/var/www/mydomain.com/.htaccess
/var/www/mydomain.com/html/.htaccess
/var/www/mydomain.com/html/nextcloud/.htaccess

but I had no success.

I also checked the ufw firewall which had the following status:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere                  
5432                       ALLOW       192.168.0.0/24            
Apache Full                ALLOW       Anywhere                  
8069                       ALLOW       Anywhere                  
3000                       ALLOW       Anywhere                  
22/tcp (v6)                LIMIT       Anywhere (v6)             
Apache Full (v6)           ALLOW       Anywhere (v6)             
8069 (v6)                  ALLOW       Anywhere (v6)             
3000 (v6)                  ALLOW       Anywhere (v6)  

the directory up to /var/www/mydomain.com/html is owned by root and the subdirectories underneath that are owned by www-data.

There are only a handful of users on Nextcloud but they like it very much and I am loath to reinstall everything again.

Any ideas?

did you restart apache after removing modsecurity?
did you enable/disable the module via apache (a2enmod)?
if the module is not installed you do not need an .htaccess-file referencing it.
fisrt check the apache-logs for errors if clients cannot connect; if apache tells the clients http-403 it should be reachable. maybe it’s just a permissons or path-error in the vhost.
if there ist nothing in the apache-logs then you need to check your firewall-settings; maybe you can turn on logging there.
GOOD LUCK!

Hi Pete,

I had restarted Apache and even tried rebooting. This didn’t solve the problem. I solved my problem another way.

Your reply jogged my memory that I had forgotten that when installing modsecurity, I made some changes to /etc/apache2/conf-enabled/security.conf. Luckily, I made a backup before I made the changes. I restored the backup and voila! My system was back.

I am going to reread all the documentation on modsecurity and have a real think about it this time. I also am going to take a system snapshot before I modify anything. Lessons learned.