Incompatible with `Range` header

[aliask]

Problem

I've run into an issue while using this middleware to protect a Jellyfin instance.

Requests to the /Videos/:media_id/stream.mp4 endpoint use the Range HTTP header to request chunks of video data piece-by-piece.

Initially, with Range: bytes=0-, the request is checked correctly and the WAF functions as expected.

However, when a request containing an offset (e.g. mid-way through a video) is relayed to the WAF container, Apache will respond with 416 Requested Range Not Satisfiable if the offset is larger than the whoami response.

The 4XX error is then returned directly to the client and the stream breaks.

Steps to reproduce

• Traefik: traefik:v3.2
• Plugin: github.com/acouvreur/traefik-modsecurity-plugin:v1.3.0
• ModSecurity: owasp/modsecurity-crs:4.9.0-apache-202412120712
• Backend: containous/whoami:latest

$ docker run --network traefik_proxy curlimages/curl -vs http://waf:8080/test -H 'Range: bytes=10240-'
*   Trying 192.168.128.24:8080...
* Connected to waf (192.168.128.24) port 8080
> GET /test HTTP/1.1
> Host: waf:8080
> User-Agent: curl/8.4.0
> Accept: */*
> Range: bytes=10240-
> 
< HTTP/1.1 416 Requested Range Not Satisfiable
< Date: Mon, 23 Dec 2024 09:45:25 GMT
< Server: Apache
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
< 
[... cut ...]

Notes

As a hack to get it working, I've added the following section to my RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf config file:

# Remove Range header because it doesn't work with `whoami`
RequestHeader unset Range

This strips the header after it has been processed by ModSecurity, but before it gets sent to whoami, so you still get the protection of the WAF:

$ docker run --network traefik_proxy curlimages/curl -Is http://waf:8080/test -H 'Range: ../etc/passwd'
HTTP/1.1 403 Forbidden

... without the broken behaviour:

$ docker run --network traefik_proxy curlimages/curl -Is http://waf:8080/test -H 'Range: bytes=10240-'
HTTP/1.1 200 OK

[aliask]

Switching the backend container to traefik/whoami fixes this issue, as it appears to ignore the Range header entirely.

[patmagee]

Just wanted to report that we were not able to get this working using the above workarounds, additionally setting the RequestHeader unset Range prevented the modsec container from starting. That is an apache directive and not a modsec directive

The error we are getting is slightly different then what you were received

HTTP/1.1 416 Requested range not satisfiable
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Length: 314
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 06 Oct 2025 20:59:52 GMT
Server: Apache
Via: 1.1 google

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>416 Requested Range Not Satisfiable</title>
</head><body>
<h1>Requested Range Not Satisfiable</h1>
<p>None of the range-specifier values in the Range
request-header field overlap the current extent
of the selected resource.</p>
</body></html>

The current workaround we tried and worked was dynamically adding the RequestHeader unset Range to the apache httpd conf at runtime. I do wonder if this is something that would be fixed by using the nginx modsec container (we did not try this)

We use kubernetes and added the following to the deployment yaml:

    spec:
      containers:
        - name: modsecurity
          image: {{ .Values.image.modSecurity }}
          args:
            - /bin/sh
            - -c
            - |
              echo 'RequestHeader unset Range' >> /usr/local/apache2/conf/httpd.conf
              exec httpd-foreground

[patmagee]

@aliask I just confiremd that this is not an issue with the nginx modsecurity container, only the apache one

[aliask]

Yep, I've also checked now, and it looks fine with the nginx image with no other workaround required. If people run into this problem, that's probably the easiest solution.

That said, for users that have to use the apache variant for some reason, the rule workaround still works for me. In my compose file I added a volume mount for the rule file to the waf container:

  waf:
    image: owasp/modsecurity-crs:4.2.0-apache-202405220605
    volumes:
      - "./workaround.conf:/opt/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:Z"
    environment:
      - PARANOIA=1
      - ANOMALY_INBOUND=10
      - ANOMALY_OUTBOUND=5
      - BACKEND=http://dummy

And create a local workaround.conf file:

# Remove Range header because it doesn't work with `whoami`
RequestHeader unset Range

I still think this is a bug in the specific setup required for Traefik + this plugin + WAF + dummy backend - there are a lot of pieces to the puzzle but I don't understand everything 100% to know what the right solution is.