tried that…(placed a simple index.html in public_html directory whilst also removing htaccess) it does not seem to be the problem. it appears that this error is firing BEFORE Apache has a chance to serve up the appropriate Virtual Host to respond to this request.
check out the following error in apache log posted above…
Cannot serve directory
ModSecurity: Warning. Pattern match “+$” at REQUEST_HEADERS:Host. [file “/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf”] [line “793”] [id “920350”] [rev “2”] [msg “Host header is a numeric IP address”] [data “12.34.56.78:443”] [severity “WARNING”] [ver “OWASP_CRS/3.0.0”] [maturity “9”] [accuracy “9”] [tag “application-multi”] [tag “language-multi”] [tag “platform-multi”] [tag “attack-protocol”] [tag “OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST”] [tag “WASCTC/WASC-21”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “12.34.56.78”]
i found a post on stack about this and one comment says…
In the event of a deny or “block” rule, ModSecurity will look for the SecDefaultAction
directive in the modsecurity_crs_10_setup.conf
file. For OWASP_CRS 3.0.0-rc1, this directive changed from
SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"
to
SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
This is what is causing the re-direct, the rule says block, so it looks for the default action, and the default action is to redirect to the HOST… Which in this case is just the IP already being specified… And there is the redirect loop…
so the question now, in virtualmin how do i fix this? (i did not make this change…the website that is not working has been functioning normally on the webmin system for more than 1 year and now all of a sudden this!)
you guys have to realise, none of this happened until after the webmin 6.09-2 update…whether you choose to believe me or not, the virtual server in question i havent played with in more than 6 months (i have had no reason to bother going anywhere near it).
Also, in webmin, i have run every other update for the last year and these problems i am experiencing have never happened before.
Another stack post says the following…
If you have multiple virtual hosts / sites on the same server then you should either block any direct request for the server’s IP address or serve some other “default” (noindex) web page
I have set virtualmin to do exactly that…Virtualmin>Server Configuration>Website Options>> default website for ipaddress = yes
So if i have set virtualmin to do the above, why isnt it working?