Server Fault Asked by williamsdb on December 20, 2021
I have modSecurity installed and working on a server with multiple hosts and I want to disable some rules for one host only. This is what I put in the virtual host file:
<IfModule mod_security2.c>
SecRuleEngine On
SecRuleRemoveById 981173
</IfModule>
This didn’t work so I changed to this:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
This also didn't work and the rules are still being applied to this site. Currently my only option is to turn modSecurity off completely, but that's obviously not what I want.
This is the mod_security.conf file:
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine Off
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# ModSecurity Core Rules Set and Local configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
Include modsecurity.d/local_rules/*.conf
# Include modsecurity-crs/modsecurity_crs_10_config.conf
# Include modsecurity-crs/base_rules/*.conf
</IfModule>
And this is the full virtual host file:
<VirtualHost *:443>
ServerName domain.com
DocumentRoot "/var/www/domain"
DirectoryIndex index.php
ErrorLog /var/log/httpd/domain.com-error_log
CustomLog /var/log/httpd/domain.com-access_log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.domain.com/chain.pem
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
<IfModule mod_security2.c>
SecRuleEngine On
SecRuleRemoveById 981173
</IfModule>
<Directory "/var/www/domain">
AllowOverride All
Allow from All
</Directory>
</VirtualHost>
Any suggestions how I can get this to work?
If you are defining your ModSecurity rules after your vhost is loaded, then that will likely override your vhost setting.
This is best handled with a new rule that explicitly turns off ModSecurity rules based on the server name requested:
SecRule SERVER_NAME "@rx (?:^|\.)domain\.com$" \
"phase:1,id:1000,t:none,t:lowercase,pass,nolog,\
ctl:ruleRemoveById=981173,\
ctl:ruleRemoveById=1234,\
ctl:ruleRemoveById=1235"
For multiple domains you can change the regular expression, for example:
SecRule SERVER_NAME "@rx (?:^|\.)(?:domain\.com|domain2\.com|domain3\.com)$" \
"phase:1,id:1000,t:none,t:lowercase,pass,nolog,\
ctl:ruleRemoveById=981173,\
ctl:ruleRemoveById=1234,\
ctl:ruleRemoveById=1235"
Or perhaps:
SecRule SERVER_NAME "@rx (?:^|\.)(?:domain|domain2|domain3)\.com$" \
"phase:1,id:1000,t:none,t:lowercase,pass,nolog,\
ctl:ruleRemoveById=981173,\
ctl:ruleRemoveById=1234,\
ctl:ruleRemoveById=1235"
Or just have separate rules. Note each rule will require a unique id.
That way ModSecurity will process that rule and dynamically turn off the rules you list for that host. This rule should be defined after the config which turns the rule engine on but before any other rules are defined. This could be just before your "SecRequestBodyAccess On" line, based on your config.
The alternative is to only define the rules in each vhost config separately, but I think the above is easier.
Answered by Barry Pollard on December 20, 2021
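The answer's approach pulled together into a complete, deployable exclusion file, as an added example that is not part of the question or the answer. It assumes the file is dropped in the `modsecurity.d/local_rules/` directory the question's config already includes, that rule IDs 1000-1002 are free in the local range, and that the second and third hostnames (`legacy.example.org`, `shop.example.org`) and the parameter name `ARGS:comment` are placeholders; rule 981173, `domain.com` and the need to set the global `SecRuleEngine` to `On` come from the post. Two caveats a practitioner should know: ModSecurity fills `SERVER_NAME` from the request's Host header, so the pattern is anchored and the dots escaped, otherwise `evildomain.com` (or anything landing on a catch-all default vhost) would inherit the exclusion; and `ctl:` actions only affect rules evaluated later in the same transaction, so a phase:1 exclusion covers any phase:2 CRS rule wherever this file is included, but to exclude a phase:1 rule the file must be included before that rule.

```apache
# modsecurity.d/local_rules/00-host-exclusions.conf   (assumed path)
# Per-host tuning for a shared ModSecurity 2.x install. Every rule here is
# phase:1, pass, nolog: it never blocks on its own, it only changes what the
# engine does for the remainder of the transaction via ctl: actions.
# Requires the global "SecRuleEngine On" (the post's config has it Off).

# 1) Drop CRS rule 981173 (from the post) for domain.com and its subdomains
#    only. SERVER_NAME comes from the Host header, so anchor the regex and
#    escape the dots; t:lowercase copes with mixed-case Host values.
SecRule SERVER_NAME "@rx ^(?:[^.]+\.)*domain\.com$" \
    "id:1000,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:ruleRemoveById=981173"

# 2) Narrower form for a second host (legacy.example.org is a placeholder):
#    keep 981173 active but stop it inspecting one known-noisy parameter
#    (ARGS:comment is a placeholder). Prefer this when one field is the
#    source of the false positives; the rule still covers everything else.
SecRule SERVER_NAME "@rx ^(?:[^.]+\.)*legacy\.example\.org$" \
    "id:1001,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:ruleRemoveTargetById=981173;ARGS:comment"

# 3) Per-host engine mode for a third host (shop.example.org is a
#    placeholder): log what would have been blocked without blocking it,
#    which is the usual way to tune a new site before enforcing. Use
#    ctl:ruleEngine=Off instead to bypass the engine for that host entirely.
SecRule SERVER_NAME "@rx ^(?:[^.]+\.)*shop\.example\.org$" \
    "id:1002,phase:1,t:none,t:lowercase,pass,nolog,\
    ctl:ruleEngine=DetectionOnly"
```

After `apachectl configtest` and a reload, a request to domain.com that previously tripped 981173 should no longer produce an entry in modsec_audit.log, while the identical request against one of the other hosts still does; if it does not, set SecDebugLogLevel to 9 temporarily and confirm rule 1000 matches in phase 1 before the CRS rule runs.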