I have modSecurity installed and working on a server with multiple hosts and I want to disable some rules for one host only. This is what I put in the virtual host file:

 <IfModule mod_security2.c>
    SecRuleEngine On
    SecRuleRemoveById 981173
 </IfModule>

This didn't work so I changed to this:

 <IfModule mod_security2.c>
    SecRuleEngine Off
 </IfModule>

This also didn't work and the rules are still being applied to this site. Currently my only option is to turn modSecurity off completely but that's obviously not what I want.

This is the mod_security.conf file:

LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine Off
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security

    # ModSecurity Core Rules Set and Local configuration
       Include modsecurity.d/*.conf
       Include modsecurity.d/activated_rules/*.conf
       Include modsecurity.d/local_rules/*.conf
#       Include modsecurity-crs/modsecurity_crs_10_config.conf
#       Include modsecurity-crs/base_rules/*.conf

</IfModule>

And this is the full virtual host file:

<VirtualHost *:443>
  ServerName domain.com

  DocumentRoot "/var/www/domain"
  DirectoryIndex index.php
  ErrorLog /var/log/httpd/domain.com-error_log
  CustomLog /var/log/httpd/domain.com-access_log combined

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
  SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/www.domain.com/chain.pem

  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 <IfModule mod_security2.c>
    SecRuleEngine On
    SecRuleRemoveById 981173
 </IfModule>

  <Directory "/var/www/domain">
    AllowOverride All
    Allow from All
  </Directory>
</VirtualHost>

Any suggestions how I can get this to work?

williamsdb

1 Answer

If you are defining your ModSecurity rules after your vhost is loaded then that will likely override your vhost setting.

This is best handled with a new rule to explicitly turn off ModSecurity based on the server name requested:

SecRule SERVER_NAME "domain\.com$" \
     "phase:1,id:1000,nolog, \
     ctl:ruleRemoveById=981173, \
     ctl:ruleRemoveById=1234, \
     ctl:ruleRemoveById=1235"

For multiple domains you can change the regexpr expression, for example:

SecRule SERVER_NAME "(domain\.com|domain2\.com|domain3\.com)$" \
     "phase:1,id:1000,nolog, \
     ctl:ruleRemoveById=981173, \
     ctl:ruleRemoveById=1234, \
     ctl:ruleRemoveById=1235"

Or perhaps:

SecRule SERVER_NAME "(domain|domain2|domain3)\.com$" \
     "phase:1,id:1000,nolog, \
     ctl:ruleRemoveById=981173, \
     ctl:ruleRemoveById=1234, \
     ctl:ruleRemoveById=1235"

Or just have separate rules. Note each rule will require a unique id.

That way Mod Security will process that rule and dynamically turn off the rules you list for that host. This rule should be defined after the config which turns the rule engine on but before any other rules are defined. This could be just before your "SecRequestBodyAccess On" access line based on your config.

The alternative is to only define the rules in each vhost config separately, but I think the above is easier.

Barry Pollard
  • That command will turn off the rule engine for that domain but that's not what I want. I need to be able to turn off individual rules by id for a domain. How would I do that? Would an alternative to change the order the vhost are loaded by changing mod_security.conf to, say, zzz_mod_security.conf? – williamsdb Jan 09 '16 at 15:49
  • Corrected answer to what you want. – Barry Pollard Jan 09 '16 at 16:29
  • Ok that works for a single domain but if I add that multiple times for multiple domains (which is what we have) httpd won't reload. So how can I add rules to remove by id for domain1.com, domain2.com, domain3.com etc. Thanks! – williamsdb Jan 11 '16 at 08:36
  • You said for one vhost in your original question. Added some commentary about multiple domain exclusions. You can edit the regexpr to your exact needs. – Barry Pollard Jan 11 '16 at 12:14
  • Actually I said "working on a server with multiple hosts" but anyway your change would remove the same rules from all domains which won't work for me. I want to exclude separate rules for each domain. Ideally I would like to get this working with the rules in each vhost file. – williamsdb Jan 11 '16 at 15:51
  • Actually you said "and I want to disable some rules for one host only". Anyway in that case, create separate rules for each domain but ensure not to use the same id (1000) for each rule. So use 1000, 1001, 1002, etc. I would guess that the reason you cannot specify this in the vhost is because ModSecurity scans some requests BEFORE it even reads the host header that the request is intended for. So basically ModSecurity reads it before the vhost entries are processed. – Barry Pollard Jan 11 '16 at 16:05
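The per-host exclusion approach from the answer, and the duplicate-id problem from the comment thread (httpd refusing to reload when the same `id:1000` is pasted for several domains), as one added example that is not part of the question or the answer. It writes a constructed exclusion file with one `SecRule SERVER_NAME` per host, each with its own id, then greps every `id:` in the given files and reports any id defined more than once, which is the check to run before `httpd -t` / a reload. The domains, the rule ids 1000-1002 and the removed ids 981173/1234/1235 are the ones on the page; the file names, the explicit `pass` action and the start-anchored `^(www\.)?` regex (so `notdomain.com` does not also match) are assumptions added here.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a constructed
# per-host ModSecurity exclusion file and checks rule ids for duplicates.

# Constructed exclusion file: one rule per host, each with a unique id. The
# file is meant to be included after "SecRuleEngine On" and before the CRS
# Include lines, so it runs in phase 1 ahead of the rules it removes.
write_exclusions() {
    cat > "$1" <<'EOF'
# Per-host CRS exclusions (constructed example). Regexes are anchored at both
# ends so that only the intended host (with or without www.) matches.
SecRule SERVER_NAME "^(www\.)?domain\.com$" \
    "phase:1,id:1000,nolog,pass,ctl:ruleRemoveById=981173"
SecRule SERVER_NAME "^(www\.)?domain2\.com$" \
    "phase:1,id:1001,nolog,pass,ctl:ruleRemoveById=1234"
SecRule SERVER_NAME "^(www\.)?domain3\.com$" \
    "phase:1,id:1002,nolog,pass,ctl:ruleRemoveById=981173,ctl:ruleRemoveById=1235"
EOF
}

# Constructed broken variant: the first rule was copied for a second domain
# without changing its id, which is what makes httpd refuse to (re)load.
write_duplicate_exclusions() {
    cat > "$1" <<'EOF'
SecRule SERVER_NAME "^(www\.)?domain\.com$" \
    "phase:1,id:1000,nolog,pass,ctl:ruleRemoveById=981173"
SecRule SERVER_NAME "^(www\.)?domain2\.com$" \
    "phase:1,id:1000,nolog,pass,ctl:ruleRemoveById=1234"
EOF
}

# Print every rule id defined in the given files, one per line. Matches both
# the quoted form id:'200000' and the bare form id:1000; "ruleRemoveById="
# does not match because it has no "id:" substring.
list_rule_ids() {
    grep -Eho "id:'?[0-9]+" "$@" | tr -d "'" | sed 's/^id://'
}

# Print the number of distinct ids that are defined more than once.
count_duplicate_ids() {
    list_rule_ids "$@" | sort | uniq -d | wc -l | tr -d ' '
}

# Report duplicate ids across the given files. Returns 1 if any exist.
check_duplicate_ids() {
    dups=$(list_rule_ids "$@" | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate rule id(s), httpd will refuse to load: %s\n' "$dups"
        return 1
    fi
    echo "rule ids are unique"
    return 0
}

# Stand-alone demo on the two constructed files.
demo_dir="${TMPDIR:-/tmp}/modsec_exclusions.$$"
mkdir -p "$demo_dir"
write_exclusions "$demo_dir/per_host_exclusions.conf"
write_duplicate_exclusions "$demo_dir/pasted_twice.conf"
check_duplicate_ids "$demo_dir/per_host_exclusions.conf"
check_duplicate_ids "$demo_dir/pasted_twice.conf" || echo "fix the ids before reloading httpd"
```

On a real server, point `check_duplicate_ids` at mod_security.conf together with every file the `Include modsecurity.d/...` lines pull in, so an id reused between your exclusion file and a CRS file is caught as well; the id check is a pre-flight, and `httpd -t` remains the authority on whether the config loads.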