Configuration issues leading to mod_security alerts?


I have a system set up where I use a reverse proxy (Apache/2.4.7 (Ubuntu 14.04LTS)) to reach a content server (Apache/2.2.22 (Ubuntu 12.04LTS)). The content server is providing a WordPress (latest version) site. Two domains point to the external IP and the proxy server passes them to the content server as either 80 or 443 traffic. On the backend, a redirection occurs for all 80 traffic to 443, which has a 3rd party cert.

The reverse proxy is also providing caching. The site seems to be working.

I then installed mod_security from the Ubuntu package libapache2-modsecurity, which I understand to be ver 2.7.7-2, downloaded the CRS and turned it on with DetectionOnly.

However, every time the site is accessed, I get a significant number of alerts. And a significant number of these seem related to cache (specifically Cache-Control Response Header Missing), headers (Content-Type Headers missing), and cookies. Some include the tag of “MISCONFIGURATION”.

I’ve been reading how to scrub these for false-positives, but the number of them right now makes me think I may have a configuration screwup, and I want to rule that out before I start turning off rules.

I don’t want to indiscriminately dump logs or config files here but will provide what others think is most valid.

Thanks in advance for any help getting pointed in the right direction.