Error: header already sent while sending response to client #93

Closed
524c opened this issue Feb 11, 2018 · 5 comments
524c commented Feb 11, 2018

2018/02/11 00:00:59 [alert] 11019#11019: *411 header already sent while sending response to client, client: 177.141.144.175, server: xxxx.com, request: "GET /consultoria/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock", host: "www.xxxx.com"
2018/02/11 00:01:17 [alert] 11020#11020: *413 header already sent while sending response to client, client: 177.141.144.175, server: xxxx.com, request: "GET /wp-admin/edit.php?post_type=page HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock", host: "www.xxxx.com", referrer: "http://www.xxxx.com/wp-admin/index.php"
[root@web1 ~]# nginx -V
nginx version: nginx/1.12.2
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
ModSecurity-nginx: v1.0.0
ModSecurity: v3/master

Notes:
I can reproduce this in a development environment and provide access to the developers if needed.
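The two alerts above are what nginx logs when something tries to change response headers after they have already gone out to the client. As an added example that is not part of this issue, here is a small parser for that error-log line format which counts such alerts per upstream and request path, so they can be matched against whichever RESPONSE-*.conf files are currently enabled; the sample input embeds the two lines quoted above plus one constructed [error] line that must not be counted.

```python
import re
from collections import Counter

# Sample nginx error-log lines: the two alerts quoted in the issue plus one
# constructed [error] line that must not be counted.
SAMPLE_LOG = """\
2018/02/11 00:00:59 [alert] 11019#11019: *411 header already sent while sending response to client, client: 177.141.144.175, server: xxxx.com, request: "GET /consultoria/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock", host: "www.xxxx.com"
2018/02/11 00:01:17 [alert] 11020#11020: *413 header already sent while sending response to client, client: 177.141.144.175, server: xxxx.com, request: "GET /wp-admin/edit.php?post_type=page HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock", host: "www.xxxx.com", referrer: "http://www.xxxx.com/wp-admin/index.php"
2018/02/11 00:01:20 [error] 11020#11020: *414 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 177.141.144.175, server: xxxx.com, request: "GET /favicon.ico HTTP/1.1", host: "www.xxxx.com"
"""

# "<date> <time> [<level>] <pid>#<tid>: *<connection> <message>, key: value, ..."
HEAD_RE = re.compile(r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): '
                     r'\*(?P<conn>\d+) (?P<rest>.*)$')
# Context fields nginx appends after the message; quoted values may contain commas.
CTX_RE = re.compile(r', (client|server|request|upstream|host|referrer): ("[^"]*"|[^,]*)')

def parse_line(line):
    """Split one error-log line into a dict, or return None if it is not a request-scoped entry."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop('rest')
    first = CTX_RE.search(rest)
    rec['msg'] = rest[:first.start()] if first else rest   # text before the first context field
    for key, val in CTX_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec

def header_already_sent(lines):
    """Count 'header already sent' alerts per (upstream, request path).

    The keys show which backend and which URLs hit the problem, which is what
    you compare against the RESPONSE-*.conf files you have just toggled.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec['level'] != 'alert' or 'header already sent' not in rec['msg']:
            continue
        parts = rec.get('request', '').split(' ')
        path = parts[1] if len(parts) >= 2 else rec.get('request', '')
        hits[(rec.get('upstream', '-'), path)] += 1
    return hits

if __name__ == '__main__':
    for (upstream, path), n in header_already_sent(SAMPLE_LOG.splitlines()).most_common():
        print(f'{n:4d}  {upstream}  {path}')
```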


524c commented Feb 11, 2018

Currently I have the rules listed below; I am trying to isolate which rule causes the problem:

[root@web1 rules]# ls
crawlers-user-agents.data                    REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf     REQUEST-933-APPLICATION-ATTACK-PHP.conf               RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
iis-errors.data                              REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf  REQUEST-941-APPLICATION-ATTACK-XSS.conf               restricted-files.data
java-code-leakages.data                      REQUEST-905-COMMON-EXCEPTIONS.conf               REQUEST-942-APPLICATION-ATTACK-SQLI.conf              scanners-headers.data
java-errors.data                             REQUEST-910-IP-REPUTATION.conf                   REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf  scanners-urls.data
lfi-os-files.data                            REQUEST-911-METHOD-ENFORCEMENT.conf              REQUEST-949-BLOCKING-EVALUATION.conf                  scanners-user-agents.data
php-config-directives.data                   REQUEST-912-DOS-PROTECTION.conf                  RESPONSE-950-DATA-LEAKAGES.conf                       scripting-user-agents.data
php-errors.data                              REQUEST-913-SCANNER-DETECTION.conf               RESPONSE-951-DATA-LEAKAGES-SQL.conf                   sql-errors.data
php-function-names-933150.data               REQUEST-920-PROTOCOL-ENFORCEMENT.conf            RESPONSE-952-DATA-LEAKAGES-JAVA.conf                  sql-function-names.data
php-function-names-933151.data               REQUEST-921-PROTOCOL-ATTACK.conf                 RESPONSE-953-DATA-LEAKAGES-PHP.conf                   unix-shell.data
php-variables.data                           REQUEST-930-APPLICATION-ATTACK-LFI.conf          RESPONSE-954-DATA-LEAKAGES-IIS.conf                   windows-powershell-commands.data
REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf  REQUEST-931-APPLICATION-ATTACK-RFI.conf          RESPONSE-959-BLOCKING-EVALUATION.conf
REQUEST-901-INITIALIZATION.conf              REQUEST-932-APPLICATION-ATTACK-RCE.conf          RESPONSE-980-CORRELATION.conf

I have now activated only the rules that start with REQUEST*, which stopped the double header sending, and my site works OK. I will now continue rule by rule through the ones I turned off and find out what is causing the duplicate header to be sent.

#include owasp-modsecurity-crs/rules/*.conf
include owasp-modsecurity-crs/rules/REQUEST*.conf


524c commented Feb 11, 2018

UPDATE: with RESPONSE-952-DATA-LEAKAGES-JAVA.conf and RESPONSE-953-DATA-LEAKAGES-PHP.conf disabled, no more double header.

include modsecurity.conf
include owasp-modsecurity-crs/crs-setup.conf
include owasp-modsecurity-crs/rules/REQUEST*.conf
include owasp-modsecurity-crs/rules/RESPONSE-950-DATA-LEAKAGES.conf
include owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf
#include owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
#include owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
include owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
include owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
include owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf


AirisX commented Feb 13, 2018

Hi @Rogerlucas, your problem is already described here: #41
Try using the patch suggested in PR #84.


524c commented Feb 13, 2018

@AirisX thanks!!

@victorhora

Closing this one in favor of #41.
