Difference between revisions of "Mod security"
Revision as of 13:02, 8 September 2009
Disabling Mod_Security Globally
Step 1) Disable config file
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
Step 2) Restart Apache
/etc/init.d/httpd restart
Disabling Mod_security per domain
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the following
SecRuleEngine Off
Step 3) Add vhost.conf to domain config
/usr/local/psa/admin/bin/websrvmng -a
Step 4) Restart Apache
/etc/init.d/httpd restart
Disable Mod_security on a global URL
Step 1) Create a global exclude file
vim /etc/httpd/modsecurity.d/00_asl_custom_exclude.conf
Step 2) Add the LocationMatch for the URL to exclude. Example: /server.php
<LocationMatch /server.php>
    SecRuleEngine Off
</LocationMatch>
Step 3) Restart Apache
/etc/init.d/httpd restart
Disable a Mod_security rule (or rules) for all applications in a single domain
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example: rule ID 950005
<LocationMatch .*>
    SecRuleRemoveById 950005
</LocationMatch>
If you want to disable multiple rules:
Step 2) Add the LocationMatch for the rules to exclude. Example: rule IDs 950005 and 950006
<LocationMatch .*>
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
</LocationMatch>
Disable Mod_security rule for a specific application in a single domain
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude. Example: rule ID 950005
<LocationMatch /URL/path/to/application.php>
    SecRuleRemoveById 950005
</LocationMatch>
Disable Mod_security rule for all domains
Use ASL utility to disable rule by ID. Example: 950005
asl --disable-signature 950005
Note: This requires that Atomic Secured Linux be installed.
Disable Mod_security rules on a specific application, for a list of IPs
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude.
<LocationMatch /foo/bar.php>
    SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
</LocationMatch>
Step 3) Add IP to /etc/asl/whitelist
echo "10.11.12.13" >> /etc/asl/whitelist
Or:
If you want to create a special whitelist for just that application:
Step 1) Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
Step 2) Add the LocationMatch for the rule to exclude.
<LocationMatch /foo/bar.php>
    SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
</LocationMatch>
Step 3) Create your custom whitelist and add the IP to it
echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application
Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
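Added example (not part of the original wiki page): the whitelist rules above use @pmFromFile, which the ModSecurity reference manual describes as a case-insensitive phrase match with no boundaries, so an entry can match inside a longer address. The script below models that behaviour next to an exact address comparison; the whitelist contents and client addresses are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data, not taken from the original page.
WHITELIST = ["10.11.12.13", "# office gateway", "", "192.0.2.7"]
CLIENTS = ["10.11.12.13", "10.11.12.130", "110.11.12.13",
           "192.0.2.70", "198.51.100.9"]


def load_entries(lines):
    """Trim each line and skip blank and '#' comment lines."""
    stripped = (line.strip() for line in lines)
    return [s for s in stripped if s and not s.startswith("#")]


def pm_allows(remote_addr, entries):
    """Model of @pm: a phrase matches anywhere inside the value."""
    value = remote_addr.lower()
    return any(entry.lower() in value for entry in entries)


def ip_allows(remote_addr, entries):
    """Exact address or CIDR comparison, which is what a whitelist needs."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def overmatched(clients, entries):
    """Clients the phrase match lets through although they are not listed."""
    return [c for c in clients
            if pm_allows(c, entries) and not ip_allows(c, entries)]


if __name__ == "__main__":
    entries = load_entries(WHITELIST)
    for client in CLIENTS:
        print(f"{client:15} pm={pm_allows(client, entries)!s:5} "
              f"ip={ip_allows(client, entries)}")
    print("over-matched:", overmatched(CLIENTS, entries))
```

Where the installed ModSecurity version provides it, the @ipMatchFromFile operator compares addresses rather than phrases and avoids the over-match.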