Contents
- 1 Disabling Mod_Security Globally
- 2 Disabling Mod_security per domain
- 3 Disable Mod_security on a global URL
- 4 Disable a Mod_security rule (or rules) for all applications in a single domain
- 5 Disable Mod_security rule for a specific application in a single domain
- 6 Disable Mod_security rule for all domains
- 7 Disable Mod_security rules globally for a specific application
- 8 Disable Mod_security rules by domain, for a specific application, for a list of IPs
- 9 Configuring and Setting up mod_security
Disabling Mod_Security Globally
Step 1) Disable the config file
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
Step 2) Restart Apache
service httpd restart
Disabling Mod_security per domain
Step 1) Edit the vhost.conf (or vhost_ssl.conf for the SSL virtual host) for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the following
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
Step 3) Add vhost.conf to the domain config
/usr/local/psa/admin/bin/websrvmng -a
Step 4) Restart Apache
service httpd restart
Disable Mod_security on a global URL
Step 1) Create a global exclude file
vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
Step 2) Add a LocationMatch for the URL to exclude. Example: /server.php
    <LocationMatch /server.php>
        <IfModule mod_security2.c>
            SecRuleEngine Off
        </IfModule>
    </LocationMatch>
Step 3) Restart Apache
service httpd restart
Disable a Mod_security rule (or rules) for all applications in a single domain
Step 1) Edit the vhost.conf (or vhost_ssl.conf for the SSL virtual host) for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add a LocationMatch containing the rule to exclude. Example, rule ID 950005:
    <LocationMatch .*>
        <IfModule mod_security2.c>
            SecRuleRemoveById 950005
        </IfModule>
    </LocationMatch>
To disable multiple rules, add one SecRuleRemoveById line per rule. Example, rule IDs 950005 and 950006:
    <LocationMatch .*>
        <IfModule mod_security2.c>
            SecRuleRemoveById 950005
            SecRuleRemoveById 950006
        </IfModule>
    </LocationMatch>
Disable Mod_security rule for a specific application in a single domain
Step 1) Edit the vhost.conf (or vhost_ssl.conf for the SSL virtual host) for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add a LocationMatch for the application's URL containing the rule to exclude. Example, rule ID 950005:
    <LocationMatch /URL/path/to/application.php>
        <IfModule mod_security2.c>
            SecRuleRemoveById 950005
        </IfModule>
    </LocationMatch>
Disable Mod_security rule for all domains
Use the ASL utility to disable the rule by ID. Example: 950005
asl --disable-signature 950005
Note: This requires that Atomic Secured Linux be installed.
If you do not have Atomic Secured Linux, you can disable a rule globally by hand by adding a block like this (this example uses rule ID 340000):
    <LocationMatch .*>
        <IfModule mod_security2.c>
            SecRuleRemoveById 340000
        </IfModule>
    </LocationMatch>
Disable Mod_security rules globally for a specific application
Add this to your vhost.conf file, or, if you want it to apply globally, make sure the exclusion is loaded after your rules are loaded. A good place to add it is the 999_asl_user_exclude.conf file; if you don't have this file, just create it and the system will load it automatically.
    <LocationMatch /url/to/your/application>
        <IfModule mod_security2.c>
            SecRuleRemoveById 1234567
            SecRuleRemoveById 9999999
        </IfModule>
    </LocationMatch>
What's important to remember is that the LocationMatch argument must match the request URL, not the path on the filesystem.
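A second thing worth checking before deploying any of the LocationMatch blocks on this page: Apache evaluates the LocationMatch argument as an unanchored regular expression against the request URL, so a pattern written as /server.php also covers /uploads/server.php and /server_php, and every rule removed (or the whole engine switched off) inside that block is removed for those URLs as well. The script below is an added example, not part of the Atomicorp wiki or ASL. It uses grep -E as a stand-in for Apache's regex engine (the two agree for patterns this simple) and runs a pattern over a constructed list of sample URLs so you can see the real scope of an exclusion before it goes live.

```shell
#!/bin/sh
# Added example, not from the Atomicorp wiki. Apache matches the LocationMatch
# argument as an unanchored regular expression against the request URL path, so
# an exclusion written for "/server.php" also applies to "/uploads/server.php"
# and "/server_php" (the "." matches any character). grep -E stands in for
# Apache's regex engine here; they agree for patterns this simple.

# Return 0 when PATTERN matches anywhere in URL, which is what LocationMatch does.
locationmatch_hits() {
    pattern=$1
    url=$2
    printf '%s\n' "$url" | grep -E -q -- "$pattern"
}

# Print every URL read from stdin (one per line) that PATTERN would cover.
matched_urls() {
    pattern=$1
    grep -E -- "$pattern" || true
}

# Print how many URLs from stdin PATTERN covers; handy as a pre-deploy guard
# (refuse to install an exclusion that covers more than the one URL you meant).
count_matches() {
    pattern=$1
    n=$(grep -E -c -- "$pattern" || true)
    printf '%s\n' "$n"
}

# Constructed sample of request URLs for the demo (not real site paths).
SAMPLE_URLS='/server.php
/uploads/server.php
/server.phpx
/admin/index.php
/server_php'

printf '%s\n' 'URLs covered by the wiki pattern /server.php:'
printf '%s\n' "$SAMPLE_URLS" | matched_urls '/server.php'
printf '%s\n' 'URLs covered by the anchored, escaped pattern ^/server\.php$:'
printf '%s\n' "$SAMPLE_URLS" | matched_urls '^/server\.php$'
```

Anchoring the pattern (^ and $) and escaping the dot (\.) limits the block to the one URL you intended; the unanchored form from the wiki is fine when you really do want every matching URL covered, but it should be a deliberate choice.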
Disable Mod_security rules by domain, for a specific application, for a list of IPs
Step 1) Edit the vhost.conf (or vhost_ssl.conf for the SSL virtual host) for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add a LocationMatch for the application, with a rule that lets the whitelisted addresses through.
    <LocationMatch /foo/bar.php>
        <IfModule mod_security2.c>
            SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
        </IfModule>
    </LocationMatch>
Step 3) Add the IP to /etc/asl/whitelist
echo "10.11.12.13" >> /etc/asl/whitelist
Alternatively, if you want to create a special whitelist for just that application:
Step 1) Edit the vhost.conf (or vhost_ssl.conf for the SSL virtual host) for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch, pointing @pmFromFile at your custom list.
    <LocationMatch /foo/bar.php>
        <IfModule mod_security2.c>
            SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
        </IfModule>
    </LocationMatch>
Step 3) Create your custom whitelist file and add the IP to it
echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application
Keep in mind that these custom lists are *not* managed by ASL, so if you want to add IPs to them you will need to do it from the command line.
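Because the custom list is maintained by hand, the echo >> file step above is where mistakes creep in: it accepts anything, including typos and duplicate lines, and @pmFromFile matches each line of the file as a phrase against REMOTE_ADDR. The shell functions below are an added example, not ASL's tooling: they validate a dotted-quad IPv4 address, skip entries already present, and report the entry count so you can audit the list. The WHITELIST variable and its default (a temporary file, so the demo never touches /etc/asl/whitelist) are assumptions of this example; point it at your custom application list when using it for real.

```shell
#!/bin/sh
# Added example, not from the Atomicorp wiki or ASL: maintain a @pmFromFile
# whitelist with validation and de-duplication instead of a bare "echo >>".
# WHITELIST is an assumption of this demo. If it is not set, a temporary file is
# used and removed on exit; set it to your custom list to manage that instead.
if [ -z "${WHITELIST:-}" ]; then
    WHITELIST=$(mktemp)
    trap 'rm -f "$WHITELIST"' EXIT
fi

# Return 0 if ARG is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing/double dot
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if IP is already present as a whole line in the whitelist file.
in_whitelist() {
    [ -f "$WHITELIST" ] && grep -F -x -q -- "$1" "$WHITELIST"
}

# Append IP if it is valid and not already listed.
# Returns 0 when added or already present, 2 when the argument is rejected.
whitelist_add() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        printf 'rejected (not a valid IPv4 address): %s\n' "$ip" >&2
        return 2
    fi
    if in_whitelist "$ip"; then
        return 0
    fi
    printf '%s\n' "$ip" >> "$WHITELIST"
}

# Print the number of non-blank entries, for audits and tests.
whitelist_count() {
    [ -f "$WHITELIST" ] || { echo 0; return; }
    grep -c -v '^[[:space:]]*$' "$WHITELIST" || true
}

# Demo on constructed input: the second call is a no-op, the third is rejected.
whitelist_add 10.11.12.13
whitelist_add 10.11.12.13
whitelist_add 10.11.12.999 || true
printf 'entries in %s: %s\n' "$WHITELIST" "$(whitelist_count)"
```

One caveat the validation does not remove: @pmFromFile is a phrase (substring) match, so an entry such as 10.11.12.1 also matches a client at 10.11.12.13. Keep that in mind when reviewing the list, and prefer the @ipMatchFromFile operator, which compares whole addresses and CIDR ranges, where your ModSecurity version provides it.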
Configuring and Setting up mod_security
If you are running ASL you do not need to do this: ASL will set up and manage mod_security for you. The page linked below is only for non-ASL customers who must set up mod_security manually.
To set up and configure mod_security, please see the Atomic_ModSecurity_Rules wiki page.
Reference: http://www.atomicorp.com/wiki/index.php/Mod_security