Resolved Apache fails to (re)start with Atomic ModSecurity

[WebHostingAce]

Server operating system version

CentOS Linux 7.9.2009

Plesk version and microupdate number

18.0.56 Update #3

Hi All,

Since last week, Apache stopped working randomly with the error message below in the journalctl -u httpd.service

Starting The Apache HTTP Server...
Thu Nov 02 08:00:58.583389 2023] [so:warn] [pid 1365:tid 139844436576384] AH01574: module unique_id_module is already loaded, skipping
AH00526: Syntax error on line 35 of /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf:
ModSecurity: Found another rule with the same id
httpd.service: main process exited, code=exited, status=1/FAILURE
Failed to start The Apache HTTP Server.

By disabling and re-enabling the ModSecurity fix the issue temporarily.

Does anyone else experience the same issue?

Thank you.

 

[Peter Debik]

There could be a "backup" directory somewhere like /etc/httpd/conf/modsecurity.d/rules/tortix.backup/. If so, simply move it out of the path into some path that is not in an "include" path of the web server configuration.

 

[WebHostingAce]

Thank you Peter.

There is this backup directory /etc/httpd/conf/modsecurity.d/rules/tortix.backup/ in every server but only this server having this issue.

 

[trialotto]

Thank you Peter.

There is this backup directory /etc/httpd/conf/modsecurity.d/rules/tortix.backup/ in every server but only this server having this issue.

@WebHostingAce

Please check line 35 of

/etc/apache2/modsecurity.d/rules/tortix/modsec/tortix_waf.conf

and verify whether it contains

SecAuditLog logs/audit_log


If that is the case, then a referral has been made to a non-existing directory, hence causing Apache to fail to start.

Simple solution, run the command : mkdir /etc/apache2/logs && touch /etc/apache2/logs/audit_log

Please note that any edit of the tortix_waf.conf file will be overwritten.


It is highly recommended that you first inspect the output of Apache, when doing a manual stop/start sequence.

That can give you more indications of where to look at, since the issue can be related to many well-known and not-so-well-known Apache issues.


I hope the above helps a bit.......


Kind regards....

 

[WebHostingAce]

Thank you @trialotto

I checked this.

The issue was showing as,

AH00526: Syntax error on line 35 of /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf:
ModSecurity: Found another rule with the same id

Upon checking the Rule ID in

AH00526: Syntax error on line 35 of /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf:

I did a grep to the whole / to see if this Rule ID was mentioned anywhere else in the server. But did not find any duplicate.

 

[Peter Debik]

Please install Plesk 18.0.57 #2 (update) and check if this fixes it, because that update includes a fix for an Atomic issue.

 

[WebHostingAce]

Thank you @Peter Debik. Currently this sever is running Plesk 18.0.57 #2.

This issue only happened twice on one server out of all my server running Atomic Mod Security.

Only similar post I found is Resolved - ModSecurity (once again)

 

[Peter Debik]

Does this mean that it is now resolved?

 

[WebHostingAce]

We can mark this as resolved for now.