OPNWAF / ModSecurity blocks OWA attachments (Exchange SE) – no rule visible in logs

Started by Zwiebelhacker, April 20, 2026, 01:08:45 PM

Hello everyone,

we are currently migrating from Sophos UTM9 to OPNsense Business Edition and are using the OPNWAF plugin.

The goal is to publish Outlook Web Application (Exchange Server SE) exclusively via reverse proxy/WAF. In general, access to OWA is already working stably.


Problem:

Uploading or attaching files in emails does not work. The upload area just shows a loading spinner which never completes.

No visible rule in the security log that is blocking the upload (at least not identifiable to me)

If Web Protection is disabled → uploads work immediately
If Web Protection is set to "Detect Only" → uploads still do not work ???
If Web Protection is enabled and all triggered rules are excluded/disabled, it also works



I have already disabled or excluded several triggered rules, including:

941100, 920451, 941160, 920640, 920450, 920420, 920180, 920440, 920650,
941180, 920480, 920340, 954130, 920171, 920540, 949059, 949159, 921130, 934100


Has anyone successfully run OWA behind OPNWAF?

If yes, which rules had to be disabled to make file uploads work?


Thanks in advance for any hints.

Best regards

If I had to take a guess, it might be solvable by tweaking one of the options here, maybe the Regex Match limits or one of the request or response body processing things.

https://docs.opnsense.org/vendor/deciso/opnwaf.html#id1

You can also check the Server Status menu to see why the request might hang, or the Apache http logs if it gets aborted for some reason.

It's definitely weird that it also happens with Detection Only, but I have no short term idea here.

You can also try to set the MPM modules to "Prefork"; some users have said it improves Exchange Server operability (Sophos uses the same module).
Hardware:
DEC740

Hello, thank you for the suggestions.

After increasing the regex limits, I was able to identify additional rules that were blocking the attachment upload.

However, I then reached a point where processing these rules caused the CPU usage to spike to 100% continuously — even though the attachments themselves were only a few KB in size.

At the moment, I have disabled all 941XXX and 942XXX rules. When these OWASP rules are skipped, the issue no longer occurs and attachments work as expected. From a security perspective, I cannot fully assess the impact of this change. However, we do have additional security measures in place, which likely helps keep the overall risk manageable.

Best regards
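
Added example (not from any poster in this thread and not OPNWAF code): a small parser that splits ModSecurity entries in an Apache error log into rules that matched and rules whose regex aborted on the match limits, per URI. A rule that only hits the limit is not logged as a match, which fits uploads failing with no rule visible until the regex limits were raised. The log line layout is an assumption based on mod_security2 error-log output; the sample lines, URIs, hostnames and file paths are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed style of Apache mod_security2 error-log
# entries. Client, hostname, file paths and URIs are placeholders.
SAMPLE_LOG = '''\
[client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection. [file "/placeholder/REQUEST-941.conf"] [id "941100"] [hostname "mail.example.org"] [uri "/owa/upload-placeholder"]
[client 192.0.2.10] ModSecurity: Rule 7f00aa [id "941160"][file "/placeholder/REQUEST-941.conf"][line "1"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "mail.example.org"] [uri "/owa/upload-placeholder"]
[client 192.0.2.10] ModSecurity: Rule 7f00bb [id "942130"][file "/placeholder/REQUEST-942.conf"][line "1"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "mail.example.org"] [uri "/owa/upload-placeholder"]
[client 192.0.2.10] ModSecurity: Warning. Match of "..." required. [file "/placeholder/REQUEST-920.conf"] [id "920420"] [hostname "mail.example.org"] [uri "/owa/other-placeholder"]
[client 192.0.2.10] AH00000: constructed non-ModSecurity line
'''

ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')


def summarize(log_text):
    """Return {uri: {"matched": set(ids), "pcre_limit": set(ids)}}."""
    out = defaultdict(lambda: {"matched": set(), "pcre_limit": set()})
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue  # skip unrelated Apache messages
        rule, uri = ID_RE.search(line), URI_RE.search(line)
        if not rule or not uri:
            continue  # entry without a rule id or URI cannot be attributed
        # A regex abort is an execution error, not a rule match.
        kind = "pcre_limit" if "PCRE limits exceeded" in line else "matched"
        out[uri.group(1)][kind].add(rule.group(1))
    return dict(out)


def families(ids):
    """Group rule IDs by their first three digits (e.g. 941, 942)."""
    fam = defaultdict(list)
    for rule_id in sorted(ids):
        fam[rule_id[:3]].append(rule_id)
    return dict(fam)


if __name__ == "__main__":
    for uri, hits in summarize(SAMPLE_LOG).items():
        print(uri)
        print("  matched:    ", families(hits["matched"]))
        print("  regex abort:", families(hits["pcre_limit"]))
```

Knowing which URI and which individual IDs are involved makes it possible to judge whether an exclusion needs to cover a whole rule family or only specific rules on the upload request.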

Hello,

thank you for the feedback.

This can help other users who try to run Exchange behind an enabled WAF.

Just keep in mind that rule IDs might change during updates since we update the OWASP ruleset with each major OPNsense version and regenerate the list of rules. Some rules might vanish, or new rules will appear, or existing ones might get more strict.

But that's the nature of a WAF.

If you think that some of your excluded rules should work or are too strict with the Exchange server, you could potentially ask here:
https://github.com/coreruleset/coreruleset/

You can find the current ruleset version tag in the changelogs of the opnwaf plugin or in the modsecurity-crs folder on disk.
Hardware:
DEC740