Disable modsecurity For a Specific Directory

apache-2.2 httpd centos mod-security

How do you disable modsecurity for just a specific directory. I'm getting errors in phpMyAdmin that are caused by modsecurity tripping based on rules. I have the following files set up:

# /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf
<LocationMatch "^/phpMA/">
    SecRuleEngine Off
</LocationMatch>

# /etc/httpd/modsecurity.d/modsecurity_crs_60.custom.conf
<LocationMatch '^/phpMA/*'>
    SecRuleRemoveById 950004
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
    SecRuleRemoveById 960010
    SecRuleRemoveById 960012
</LocationMatch>

From what I can find the first file should disable it, but it still trips, so I tried adding the rule IDs it is tripping to the 60 file, but it still complains.

I'm running the following packages on CentOS 5.3:

  • mod_security-2.5.0-jason.2
  • httpd-2.2.8-jason.3
  • mod-php5-apache2-zend-ce-5.2.10-65

SecRuleEngine Off must work . Have you tried to put SecRuleEngine inside Directory:

<Directory /var/www/site/phpMA>
SecRuleEngine Off
</Directory>

instead of LocationMatch ?


On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but via this method you can only switch it on or off, you usually can’t disable individual rules.

So rather than leaving your entire site unprotected, it’s best to limit this to specific URLs. You can specify them in a regex in the <If> statement below...

### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#" 
### (this syntax is required when the string contains forward slashes)
<IfModule mod_security.c>
  <If "%{REQUEST_URI} =~ m#/admin/#">
    SecFilterEngine Off
    SecFilterScanPOST Off
  </If>
</IfModule>

Never disable all rules !! This could cause serious security issues !

You need to check the logfile of modsecurity with

tail -f /var/log/apache2/modsec_audit.log

and exclude each rule one by one reproducing the errors on the phpmyadmin interface.

Next, add :

<Directory /path/to/phpmyadmin>
    <IfModule security2_module>
        SecRuleRemoveByTag "WEB_ATTACK/SQL_INJECTION"
        {And other rules you need to disable ...}
    </IfModule>
</Directory>

to /etc/apache2/mods-enabled/modsecurity.conf

The tag you need to remove will be in the log file like this. For a full description of removing rules for a particular folder, see the Github wiki of the project.

Related

Set up Recovery Actions to Take Place When a Service Fails
Nginx Munin plugin shows no data
Can I run mysqld on top of glusterfs?
What is a practical way to mirror an Amazon S3 bucket?
Tools to test multicast routing [closed]
How can I restore a duplicity backup from a certain date?
Does this SMART selftest indicate a failing drive?
nmap on my webserver shows TCP ports 554 and 7070 open
Run OPTIMIZE TABLE to defragment tables for better performance
What is the sequence of Windows RPC ports 135, 137, 139 (and higher ports)? What changes with Port 145?
apache2ctl: 87: ulimit: error setting limit (Operation not permitted)
Securing a rack in a shared server room