I would like to exclude a directory from mod security. I have tried everything under the sun in every config file to no avail. I have put stuff in the vhost file, the crs-setup file, the modsecurity.conf file, the exceptions file in the rules directory, no matter where I put it nothing works.

I have tried a million variations of the below code:

    <Directory /www/html/directory/>
        SecRuleInheritance Off
        SecRuleEngine Off
    </Directory>

If I remove the directory tags it disables mod security just fine, however within the directory tag nothing works. I've tried Location and LocationMatch - nothing. I can't exclude file names either!

Edit: Here is the rule I have added to various places. I have added it to the top of httpd.conf, crs-setup.conf, modsecurity.conf, and 000.conf in the /rules/ directory. It unblocks the directory but all images and CSS which are NOT in that directory are stripped.

    SecRule REQUEST_URI "@beginsWith /directory" "phase:1,id:12345,allow"

Also tried:

    SecRule REQUEST_URI "@beginsWith /directory" "phase:1,id:12345,ctl:ruleEngine=off"

Example url: domain.com/directory/javascript.php?sqlinectioncode

1 Answer

You cannot use those commands within Directory tags.

See this similar question on StackOverflow for more information: https://stackoverflow.com/questions/42829492/how-to-add-mod-security-exception/

Barry Pollard
  • I configured it like the link said to. I have those rules in a file called 000.conf in my rules directory. I get the following in modsec log file: Message: Warning. Operator GE matched 8 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score:$ – user3080539 Nov 17 '17 at 01:32
  • Looks like if I add that line it shows the page but doesn't allow CSS or images. But it does allow it. How can we stop it from blocking the CSS and images? – user3080539 Nov 17 '17 at 01:37
  • It says to put it first as to not block other requests. I put it first in /rules/ directory. I tried putting it first in crs-setup.conf file. Also tried putting it first in mod sec config file. Not sure where to put it at this point. – user3080539 Nov 17 '17 at 02:27
  • Can you edit your original question to show the exact rules you’ve added? – Barry Pollard Nov 17 '17 at 07:18
  • Ok, check it out. – user3080539 Nov 18 '17 at 04:25
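
The placement this thread keeps coming back to (run the URI exclusion before the CRS rule files), sketched as an added example that is not from the original posts or the linked answer. The include paths are assumptions modelled on the log path quoted above, and id 12345 is the asker's own rule id.

```apache
# Added example, not from the original thread. Include paths are assumed
# from the log path quoted above; adjust them to the actual layout.

# 1. Engine settings and CRS setup come first.
Include /etc/httpd/modsecurity.d/modsecurity.conf
Include /etc/httpd/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf

# 2. The exclusion sits in server or vhost context (not inside <Directory>)
#    and is loaded before any CRS rule file, so it is evaluated first in
#    phase 1.
#    - "/directory/" with a trailing slash does not also match paths such
#      as /directory-old or /directory.bak.
#    - "pass" names the disruptive action explicitly instead of inheriting
#      it from SecDefaultAction; unlike "allow", it only lets rule
#      processing continue and leaves the decision to the ctl action.
#    - REQUEST_URI includes the query string, so
#      /directory/javascript.php?... still matches the prefix.
SecRule REQUEST_URI "@beginsWith /directory/" \
    "id:12345,phase:1,pass,nolog,t:none,ctl:ruleEngine=Off"

# Narrower alternative: keep inspecting and logging the directory, but do
# not block it. Use this instead of the rule above (same id, so only one
# of the two may be active).
# SecRule REQUEST_URI "@beginsWith /directory/" \
#     "id:12345,phase:1,pass,nolog,t:none,ctl:ruleEngine=DetectionOnly"

# 3. CRS rule files load last, after the exclusion has been defined.
Include /etc/httpd/modsecurity.d/owasp-modsecurity-crs/rules/*.conf
```

Requests for CSS or images that live outside /directory/ do not match this prefix and are still scored by the CRS. The individual rule ids logged for those requests, ahead of the 949110 summary line, show which rules contributed to the anomaly score.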