Again this goes in modsecurity_crs_15_customrules.conf
<LocationMatch “^/mydbadmin234/”>
SecRuleEngine Off
</LocationMatch>
I have just seen a post on the ModSecurity Mailing List where Yersinia Spiros has made a comment regarding this rule. He disagrees with switching off ModSecurity. I will try to clarify that I only recommend this for use in a single user environment. I use it on my personal install that accesses a developement database. The directory name is cryptic. The directory is not linked to from any site at all. There is a .htaccess password required to enter this directory and after that you still need to login to the server. This I feel is strong enough for a single user install of phpMyAdmin.
However if you are looking for a ruleset for ModSecurity on a shared environment such as a plesk install, Then Yersinia is absolutely correct and you shouldn’t use this method.
Here is a limited ruleset that will allow you to use the manual SQL tab. I will run some other tests later to find if anything else in phpMyAdmin is broken by ModSecurity.
<LocationMatch “/phpMyAdmin/sql.php”>
SecRuleRemoveById 959004
SecRuleRemoveById 959005
SecRuleRemoveById 959906
</LocationMatch>
The downside to this rule is it switches off SQL Injection Attack protection, but I suppose as this particular part of phpMyAdmin is there just to execute SQL commands….
SecRuleEngine Off must work . Have you tried to put SecRuleEngine inside Directory:
<Directory /var/www/site/PHPMyAdmin>
SecRuleEngine Off
</Directory>
instead of LocationMatch ?
Referece: http://www.gray.me.uk/linux-administration-and-management/modsecurity-and-phpmyadmin