PayPal IPN requests and mod_security

I just spent some part of a week trying to successfully receive PayPal IPN requests sent out from the IPN simulator. I got stuck when it (the simulator) kept saying it couldn’t deliver the IPN request: Bad Request. Indeed… bad request!

Hunting down the differences between two servers — the second one receiving the IPN requests just beautifully — I came upon the module “HttpRequest”. I can safely say that had nothing to do with it. But it did let me trigger another thought: this server uses mod_security — good for generating a ton of error messages in the log file, and, apparently, blocking IPN requests.

So I don’t know why I didn’t check it sooner, but when I tailed the Apache error log file for the site, and triggered an IPN request from the simulator, there it was: the request was Access denied!

[Sun Jul 24 22:46:16 2011] [error] [client 12.34.56.78] ModSecurity: Access denied with code 400 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity2/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "48"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "suchanicehostname.nl"] [uri "/paypal.php"] [unique_id "TiyEmFGrVioAAD66YgIAAAAC"]

This error message even states the file that you have to hack to overcome this! Which I did. Then, back to triggering an IPN request, trembling fingers…

[Sun Jul 24 22:59:56 2011] [error] [client 12.34.56.78] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/optional_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "suchanicehostname.nl"] [uri "/paypal.php"] [unique_id "TiyHzFGrVioAAHT0S90AAAAD"]

Yep, there was another one. However: disabling this solved the issue! As specified in the above section, it came down to commenting out the following two sections in the file "modsecurity_crs_21_protocol_anomalies.conf" (and restarting Apache):

#SecRule &REQUEST_HEADERS:Accept "@eq 0" \
#    "chain,phase:2,skip:1,t:none,deny,log,auditlog,status:400,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
#SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"
#SecRule REQUEST_HEADERS:Accept "^$" \
#    "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'Request Missing an Accept Header', severity:'2',id:'960015',tag:'PROTOCOL_VIOLATION/MISSING_HEADER'"
#SecRule REQUEST_METHOD "!^OPTIONS$" "t:none"

#SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
#    "skip:1,phase:2,t:none,deny,log,auditlog,status:400,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"
#SecRule REQUEST_HEADERS:User-Agent "^$" \
#    "t:none,deny,log,auditlog,status:400,msg:'Request Missing a User Agent Header',id:'960009',tag:'PROTOCOL_VIOLATION/MISSING_HEADER',severity:'4'"

Apparently, the IPN request does not adhere to the protocol definition. Happy PayPal-IPN-ing!
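
A narrower alternative, added here as an example and not part of the original post: leave the CRS file untouched and remove only rules 960009 and 960015 for the IPN endpoint, so every other URL on the site keeps both checks. It assumes the snippet sits in the site's Apache configuration and is loaded after the CRS rule files; the path /paypal.php is taken from the log lines above.

```apache
# Added example: scoped exclusion instead of commenting out rules in
# modsecurity_crs_21_protocol_anomalies.conf.
#
# Assumption: this block is read AFTER the CRS rule files are included.
# SecRuleRemoveById only affects rules that are already defined when
# the directive is processed.

<Location "/paypal.php">
    # 960009: Request Missing a User Agent Header
    # 960015: Request Missing an Accept Header
    # Both rules stay active for every other URI on the host.
    SecRuleRemoveById 960009 960015
</Location>
```

After restarting Apache, a request without User-Agent or Accept headers to any other URI should still produce the same "Access denied with code 400" entries in the error log, while the IPN request to /paypal.php goes through.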
