I had the problem that since I had activated ModSecurity, my Nextcloud instance no longer worked.

A lot of searching on the internet did not find a solution. Also the deactivation of various rules in Mod Security was only of moderate success.

Until I finally found the right solution.

One must in the file

/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/crs-setup.conf

re-enable an uncommented paragraph. This is specifically to make WebDAV run with ModSecurity.

Turns off:

HTTP methods that a client is allowed to use.

Default: GET HEAD POST OPTIONS

Example: for RESTful APIs, add the following methods: PUT PATCH DELETE

**# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK

MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK**

Uncomment this rule to change the default.

#SecAction \

"id:900200,\

phase:1,\

nolog,\

pass,\

t:none,\

setvar:‘tx.allowed_methods=GET HEAD POST OPTIONS’"

to:

SecAction
“id:900200,
phase:1,
nolog,
pass,
t:none,
setvar:‘tx.allowed_methods=GET HEAD POST OPTIONS CHECKOUT COPY DELETE LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK REPORT SEARCH’”

and it will work.

I found it there: mod_security Anpassungen für Nextcloud LBM Services - Web-Development