So I logged in, and it looks like you uninstalled everything so I'm still not clear on what you did, you may have proxied to apache itself were you have apache configured to use its own own embedded WAF or maybe something else. It sounds like the former was your problem. So could you elabortate a little more about exactly what you had setup, and we can help you.
Going forward, if you are running traffic thru the T-WAF (or anything else for that matter, any proxy) and back to apache you need to install mod_rpaf in apache:https://www.atomicorp.com/wiki/index.ph ... the_WAF.3F
If you put something in front of the T-WAF, you'd have to do the same thing.
If you are using the T-WAF in front of apache, then you need to disable embedded mode for apache. Its not necessary.
In your post you said you did this:
embedded * * * * 80
embedded * * * * 443
local proxy - / - - 8080
So looking at your apache logs I see requests from 197.221.19.x for port 8080 going to apache. Were you proxying things back to apache?
Heres an example I found:
[19/May/2012:10:58:03 +0200] T7dgm8XdE@IAAHlkQN4AAAAC 22.214.171.124 35995 126.96.36.199 8080 <- thats the destination port and you have the T-WAF setup to proxy it
POST /some_url.html HTTP/1.0
Or did you have nginx proxying to apache? Keep in mind that if you put a proxy in front of apache, and modsecurity is in embedeed mode that you will see the local IP address as the source. So you need to disable embedded mode if you put the T-WAF in front of apache, or if you put something else in front of apache and you want to use the WAF in embedded mode you need to install mod_rpaf.https://www.atomicorp.com/wiki/index.ph ... the_WAF.3F
In any event, could you explain again what you setup? I'm not clear what was listening on what port, what was proxying, what was forwarding to what, etc. Right now it looks like this was as simple as embededed mode being enabled, and you had not installed mod_rpaf. Please let me know.