Server Fault Asked by williamsdb on December 20, 2021
I have modSecurity installed and working on a server with multiple hosts and I want to disable some rules for one host only. This is what is what I put in the virtual host file:
<IfModule mod_security2.c>
SecRuleEngine On
SecRuleRemoveById 981173
</IfModule>
This didn’t work so I changed to this:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
This also didn’t work and the rules are still being applied to this site. Currently my only option is turn turn modSecurity off completely but that’s obviously not what I want.
This is the mod_security.conf file:
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine Off
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml"
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0"
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0"
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body
failed strict validation:
PE %{REQBODY_PROCESSOR_ERROR},
BQ %{MULTIPART_BOUNDARY_QUOTED},
BW %{MULTIPART_BOUNDARY_WHITESPACE},
DB %{MULTIPART_DATA_BEFORE},
DA %{MULTIPART_DATA_AFTER},
HF %{MULTIPART_HEADER_FOLDING},
LF %{MULTIPART_LF_LINE},
SM %{MULTIPART_MISSING_SEMICOLON},
IQ %{MULTIPART_INVALID_QUOTING},
IP %{MULTIPART_INVALID_PART},
IH %{MULTIPART_INVALID_HEADER_FOLDING},
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0"
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0"
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# ModSecurity Core Rules Set and Local configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
Include modsecurity.d/local_rules/*.conf
# Include modsecurity-crs/modsecurity_crs_10_config.conf
# Include modsecurity-crs/base_rules/*.conf
</IfModule>
And this is the full virtual host file:
<VirtualHost *:443>
ServerName domain.com
DocumentRoot "/var/www/domain"
DirectoryIndex index.php
ErrorLog /var/log/httpd/domain.com-error_log
CustomLog /var/log/httpd/domain.com-access_log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.domain.com/chain.pem
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
<IfModule mod_security2.c>
SecRuleEngine On
SecRuleRemoveById 981173
</IfModule>
<Directory "/var/www/domain">
AllowOverride All
Allow from All
</Directory>
</VirtualHost>
Any suggestions how I can get this to work?
If you are defining your ModSecurity rules after you vhost is loaded then that will likely override your vhost setting.
This is best handled with a new rule to explicitly turn off ModSecurity based on the server name requested:
SecRule SERVER_NAME "domain.com$"
"phase:1,id:1000,nolog,
ctl:ruleRemoveById=981173,
ctl:ruleRemoveById=1234,
ctl:ruleRemoveById=1235"
For multiple domains can change the regexpr expression, for example:
SecRule SERVER_NAME "(domain.com|domain2.com|domain3.com)$"
"phase:1,id:1000,nolog,
ctl:ruleRemoveById=981173,
ctl:ruleRemoveById=1234,
ctl:ruleRemoveById=1235"
Or perhaps:
SecRule SERVER_NAME "(domain|domain2|domain3).com$"
"phase:1,id:1000,nolog,
ctl:ruleRemoveById=981173,
ctl:ruleRemoveById=1234,
ctl:ruleRemoveById=1235"
Or just have separate rules. Note each rule will require a unique id.
That way Mod Security will process that rule an dynamically turn off the rules you list for that host. This rule should be defined after the config which turns the rule engine on but before any other rules are defined. This could be just before your "SecRequestBodyAccess On" access line based on your config.
The alternative is to only define the rules in each vhost config separately, but think above is easier.
Answered by Barry Pollard on December 20, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP