Took a look at my mod_security logs tonight. Apparently, if you use Google's Reader to my rss feed, then actually try to go to my website via the link in the RSS.. trying to do all this when you are behind a Bluecoat Proxy server on your internal network...
"!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-
9][0-9]?)|)|unknown)$" at HEADER("X-FORWARDED-FOR")
You get blocked. The bluecoat proxy forwards your "X-forwarded for" header to the Google Reader, then, finally when you click on the link to come to my website, Google forwards your internal IP.
Which mod_security didn't like:
"!^(((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-
9][0-9]?)|)|unknown)$" at HEADER("X-FORWARDED-FOR")
It doesn't like you. I commented out the rule, so everything should be fine now.
Comments
Ofer Shezaf
ModSecurity Core Rule Set Project Leader