XenForo posting error with LiteSpeed, only in some threads

#1
Hello,
I installed the trial version of LiteSpeed on my XenForo bulletin board, since I saw so many positive comments about it.
I'm very happy about it, now the server response time dropped from 0.7 sec to less than 0.2 and the average bounce rate (analytics data) reduced by 25%.

My only problem is that in some threads (not all of them, but some specific ones) it's not possible to post anymore when LiteSpeed is active.

When anybody tries to add a message, he gets the message below.

Any idea?
Thanks!

Forbidden
You don't have permission to access /threads/bl%C3%A0-bl%C3%A0-bl%C3%A0.72306/add-reply on this server.



These are the latest logs:

#3
check "Request Filter"/mod_security rules. turn it off.
Thanks Mr. Wang, I set "Request Filter" as you can see in the image below. Even after a graceful restart, the problem still appears.

...and since I was not sure, I set everything to NO: the problem is still there.

Thanks for your help
 
#8
Just check the error log for the 403 Forbidden; if it is generated by the web server itself, it always logs the reason.
Ta chan! Found it! You can see it below here. What should I do?

[87.114.201.191:49425-0#APVH_musicadigitale.net] mod_security rule triggered!
[Wed Feb 26 15:55:26 2014] [error] [client 87.114.201.191] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '!@rx ://%{SERVER_NAME}/']
[ID: 340012] [Msg: Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Proxy access attempt]
2014-02-26 15:55:26.587 [NOTICE] [87.114.201.191:49425-0#APVH_musicadigitale.net] Content len: 498, Request line: 'POST /threads/bl%C3%A0-bl%C3%A0-bl%C3%A0.72306/add-reply HTTP/1.1'
 

mistwang

LiteSpeed Staff
#9
Just locate that rule in your Apache configuration, and turn it off. Send it to us if you think it is a bug causing a false positive.
 
#10
Just locate that rule in your Apache configuration, and turn it off. Send it to us if you think it is a bug causing a false positive.
Ok, will do. Can you please explain to me how to locate the rule and turn it off? I know... it's a basic question, I'm learning =)
 
#11
[Wed Feb 26 15:55:26 2014] [error] [client 87.114.201.191] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '!@rx ://%{SERVER_NAME}/']
Search for
'MATCHED_VAR' '!@rx ://%{SERVER_NAME}/'
in the mod_security rule file, or disable the mod_security rules completely in Apache's httpd.conf.
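
As an added example (not part of the thread and not LiteSpeed's or Atomicorp's code), the script below takes the log entry from post #8, extracts the rule ID, and searches a rules directory for the rule that defines it. Searching by `id:` finds the first rule of a chain, which is where ModSecurity keeps the ID when the logged operator belongs to a chained rule. The rule file is constructed, and the server is assumed to honour ModSecurity's `SecRuleRemoveById` directive.

```shell
#!/usr/bin/env bash
# Added example: map a ModSecurity 403 in the error log to the rule that fired.

# Print each distinct rule ID from "Access denied" entries. In the log format
# from post #8 the "[ID: N]" tag sits on the line after "Access denied".
denied_rule_ids() {
  grep -A1 'ModSecurity: Access denied' "$1" |
    sed -n 's/.*\[ID: \([0-9][0-9]*\)\].*/\1/p' | sort -u
}

# Print file:line for every rule under directory $2 whose action list has id $1.
# The trailing [,"] / end-of-line check stops 340012 from matching 3400120.
find_rule() {
  grep -rnE "id:'?$1'?([,\"]|\$)" "$2" | cut -d: -f1,2
}

# Exclusion that removes one rule and leaves the rest of the ruleset active.
# Assumption: the server honours ModSecurity's SecRuleRemoveById directive.
exclusion_for() {
  printf 'SecRuleRemoveById %s\n' "$1"
}

# Build a scratch directory with the log entry from post #8 and a CONSTRUCTED
# rule file (a stand-in, not the real Atomicorp rule). Prints the directory.
make_sample() {
  d=$(mktemp -d) && mkdir "$d/rules"
  cat > "$d/error.log" <<'EOF'
[87.114.201.191:49425-0#APVH_musicadigitale.net] mod_security rule triggered!
[Wed Feb 26 15:55:26 2014] [error] [client 87.114.201.191] ModSecurity: Access denied with code 403, [Rule: 'MATCHED_VAR' '!@rx ://%{SERVER_NAME}/']
[ID: 340012] [Msg: Atomicorp.com UNSUPPORTED DELAYED Rules: Unauthorized Proxy access attempt]
EOF
  cat > "$d/rules/constructed.conf" <<'EOF'
SecRule REQUEST_URI "@rx ://" "id:340012,phase:2,deny,status:403,chain,msg:'constructed'"
SecRule MATCHED_VAR "!@rx ://%{SERVER_NAME}/"
SecRule ARGS "@contains constructed" "id:3400120,phase:2,pass"
EOF
  echo "$d"
}

sample=$(make_sample)
for id in $(denied_rule_ids "$sample/error.log"); do
  echo "rule $id is defined at $(find_rule "$id" "$sample/rules")"
  exclusion_for "$id"
done
rm -rf "$sample"
```

Removing the single rule by ID keeps the rest of the ruleset filtering requests, which is narrower than switching mod_security off for the whole virtual host.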
 