12

How do you disable modsecurity for just a specific directory. I'm getting errors in phpMyAdmin that are caused by modsecurity tripping based on rules. I have the following files set up:

# /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf
<LocationMatch "^/phpMA/">
    SecRuleEngine Off
</LocationMatch>

# /etc/httpd/modsecurity.d/modsecurity_crs_60.custom.conf
<LocationMatch '^/phpMA/*'>
    SecRuleRemoveById 950004
    SecRuleRemoveById 950005
    SecRuleRemoveById 950006
    SecRuleRemoveById 960010
    SecRuleRemoveById 960012
</LocationMatch>

From what I can find the first file should disable it, but it still trips, so I tried adding the rule IDs it is tripping to the 60 file, but it still complains.

I'm running the following packages on CentOS 5.3:

  • mod_security-2.5.0-jason.2
  • httpd-2.2.8-jason.3
  • mod-php5-apache2-zend-ce-5.2.10-65
masegaloeh
  • 17,978
  • 9
  • 56
  • 104
dragonmantank
  • 483
  • 3
  • 12
  • 19

3 Answers3

19

SecRuleEngine Off must work . Have you tried to put SecRuleEngine inside Directory:

<Directory /var/www/site/phpMA>
SecRuleEngine Off
</Directory>

instead of LocationMatch ?

hdanniel
  • 4,253
  • 22
  • 25
4

On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but via this method you can only switch it on or off, you usually can’t disable individual rules.

So rather than leaving your entire site unprotected, it’s best to limit this to specific URLs. You can specify them in a regex in the <If> statement below...

### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#" 
### (this syntax is required when the string contains forward slashes)
<IfModule mod_security.c>
  <If "%{REQUEST_URI} =~ m#/admin/#">
    SecFilterEngine Off
    SecFilterScanPOST Off
  </If>
</IfModule>
Simon East
  • 1,484
  • 1
  • 14
  • 18
  • Can you explain what the `=~` and `m#` mean? – DevOpsSauce May 12 '21 at 17:40
  • @IRGeekSauce The `=~` indicates that what follows should be interpreted as a regular expression, not a simple string. Normally regular expressions start and end with a forward slash but since that gets really confusing and error prone when you’re dealing with URLs (you would then need to escape every forward slash with a backslash) they provide a second option which is placing it between `m#` and `#`. It’s not very intuitive I know. [See this docs page](https://httpd.apache.org/docs/2.4/expr.html) for the official mentions — not very well explained, I must admit. – Simon East May 13 '21 at 01:24
2

Never disable all rules !! This could cause serious security issues !

You need to check the logfile of modsecurity with

tail -f /var/log/apache2/modsec_audit.log

and exclude each rule one by one reproducing the errors on the phpmyadmin interface.

Next, add :

<Directory /path/to/phpmyadmin>
    <IfModule security2_module>
        SecRuleRemoveByTag "WEB_ATTACK/SQL_INJECTION"
        {And other rules you need to disable ...}
    </IfModule>
</Directory>

to /etc/apache2/mods-enabled/modsecurity.conf

The tag you need to remove will be in the log file like this. For a full description of removing rules for a particular folder, see the Github wiki of the project.

Pierre C.
  • 121
  • 4