Redirect action does not work properly in IIS

[oniric85]

I'm using IIS 7.5 with ModSecurity 2.8.0.
I've created a simple configuration file with only one rule

SecRule ARGS "foo" "id:99999,pass,redirect:/"

These are the request headers I get when firing the rule:

HTTP/1.1 302 ModSecurity Action
Server: Microsoft-IIS/7.5
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
Date: Tue, 27 May 2014 15:08:05 GMT
Content-Length: 0

X-XSS-Protection and X-Frame-Options are added by my IIS configuration. Problem is with Location header that is not present so redirect is not working.

[oniric85]

A side note: why is ModSecurity changing HTTP status text? I think it should leave the default one.

[bedirhan]

facing the same problem, any updates?

[mosoccer]

Facing the same issue as well using ModSecurity in Azure Websites - Microsoft Support confirmed issue with ModSecurity as same rules worked fine in Apache.

[ojasp]

Issue still persists in version 2.9.0

[NZUser01]

Easily fixed by the following workaround;

1. Create a Modsecurity rule;
   SecRule REQUEST_URI "robots.txt" "id:400131,phase:1,log,msg:'Redirecting to URL',status:444,deny"

2. Create a rule in IIS Manager.
   Click Sites > website > Error Pages > Right click and go to Add.
   Enter status code of 444 and click on 'Respond with a 302 redirect'. Enter the URL of the error page you wish to display.

3. Create your custom error page on at the URL you provided in the previous step.

4. Restart the application pool of the website.

5. Test!