
I am trying to show a custom error page when Apache/ModSecurity rules are triggered. My plan is as follows:

  • Change the status code for all rules to (for example) 501
  • Use the ErrorDocument directive to display a custom error page for this code
  • Use PHP in the error page to log the error at application level, show a customized message, etc.

What I have tried so far:

    SecRuleUpdateActionById 1-999999 "phase:2,status:501"

and

    SecDefaultAction "deny,log,redirect:http://some.url/"

I tried those in modsecurity.conf before and after including CRS rules, as well as .htaccess.

Doesn't work - still get a 403 error at all times.

Karolis

2 Answers


Have you tried the combination of the two?:

    SecDefaultAction "phase:1,log,auditlog,deny,status:503"
    SecDefaultAction "phase:2,log,auditlog,deny,status:503"

Note you can have different default actions per phase, like above.

Note also that some rule sets (e.g. OWASP CRS) also set these default actions, and may also need them set a certain way if using anomaly scoring or immediate blocking.

Barry Pollard
  • I had the same question as asked here. The hint by Barry was working for me – BUT I had to add these lines in the CORRECT FILE! And that was to copy `/owasp-modsecurity-csr/rules/REQUEST-999-…conf.example` => `/REQUEST-999-…conf` (note the stripped .example) & then add the mentioned lines, uncommented, within that copied file. – Oliver Jan 04 '22 at 21:58
  • Addendum: used version 3.3.2 of the OWASP CSP for Apache2 on Ubuntu. – Oliver Jan 04 '22 at 22:05
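
An added example, not part of the question or the answer above: a PHP error page for the third step of the question's plan, written for the `status:503` default action from the answer. It assumes ModSecurity 2.x on Apache with mod_unique_id loaded; the path `/waf-error.php` and the helper `log_safe` are hypothetical names.

```php
<?php
// Added example, not from the original thread. Assumed Apache wiring
// (/waf-error.php is a hypothetical path):
//   SecDefaultAction "phase:2,log,auditlog,deny,status:503"
//   ErrorDocument 503 /waf-error.php
declare(strict_types=1);

// The blocked request is attacker-controlled: replace control characters and
// quotes, and cap the length, so it cannot forge or flood application log lines.
function log_safe(string $value, int $max = 512): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F"]/', '?', $value) ?? '';
    return substr($clean, 0, $max);
}

// On an ErrorDocument internal redirect Apache passes the original request
// as REDIRECT_* variables. UNIQUE_ID (mod_unique_id) is the transaction ID
// in the ModSecurity audit log, so it ties this entry to the audit record.
$status   = (int) ($_SERVER['REDIRECT_STATUS'] ?? 503);
$uniqueId = (string) ($_SERVER['REDIRECT_UNIQUE_ID'] ?? $_SERVER['UNIQUE_ID'] ?? 'n/a');
$url      = (string) ($_SERVER['REDIRECT_URL'] ?? $_SERVER['REQUEST_URI'] ?? '');
$client   = (string) ($_SERVER['REMOTE_ADDR'] ?? '');

if ($status < 400 || $status > 599) {
    $status = 503; // page requested directly, not via ErrorDocument
}

error_log(sprintf(
    'waf-block status=%d id=%s client=%s url="%s"',
    $status, log_safe($uniqueId, 64), log_safe($client, 64), log_safe($url)
));

http_response_code($status);
header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store');
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Request blocked</title></head>
<body>
<h1>Your request could not be processed</h1>
<!-- Show only the encoded reference ID, never the blocked input itself. -->
<p>Reference: <?= htmlspecialchars($uniqueId, ENT_QUOTES, 'UTF-8') ?></p>
</body>
</html>
```

The reference shown to the visitor is the same ID that appears in the application log line, so a support request can be matched to the audit log entry without exposing which rule fired.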

I have found a way of using custom error pages or messages with mod_security. What you need to do is use `ProxyPass file !` in the waf.conf file:

    ProxyPass /403.html !
    ProxyPass /500.html !

This then allows me to place a custom 403 or 500 file in the webroot in Apache so when mod_security wants to show an error it will show the custom error message.