I have modSecurity installed and working on a server with multiple hosts and I want to disable some rules for one host only. This is what is what I put in the virtual host file:
<IfModule mod_security2.c>
SecRuleEngine On
SecRuleRemoveById 981173
</IfModule>
This didn't work so I changed to this:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
This also didn't work and the rules are still being applied to this site. Currently my only option is turn turn modSecurity off completely but that's obviously not what I want.
This is the mod_security.conf file:
LoadModule security2_module modules/mod_security2.so
<IfModule !mod_unique_id.c>
LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine Off
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# ModSecurity Core Rules Set and Local configuration
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
Include modsecurity.d/local_rules/*.conf
# Include modsecurity-crs/modsecurity_crs_10_config.conf
# Include modsecurity-crs/base_rules/*.conf
</IfModule>
And this is the full virtual host file:
<VirtualHost *:443>
ServerName domain.com
DocumentRoot "/var/www/domain"
DirectoryIndex index.php
ErrorLog /var/log/httpd/domain.com-error_log
CustomLog /var/log/httpd/domain.com-access_log combined
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.domain.com/chain.pem
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
<IfModule mod_security2.c>
SecRuleEngine On
SecRuleRemoveById 981173
</IfModule>
<Directory "/var/www/domain">
AllowOverride All
Allow from All
</Directory>
</VirtualHost>
Any suggestions how I can get this to work?