I would like to exclude a directory from mod security. I have tried everything under the sun in every config file to no avail. I have put stuff in the vhost file, the crs-setup file, the modsecurity.conf file, the exceptions file in the rules directory, no matter where I put it nothing works.
I have tried a million variations of the below code:
<Directory /www/html/directory/>
SecRuleInheritance Off
SecRuleEngine Off
</Directory>
If I remove the directory tags it disables mod security just fine, however within the directory tag nothing works. I've tried Location and LocationMatch - nothing. I can't exclude file names either!
Edit: Here is the rule I have added to various places. I have added it to the top of httpd.conf, crs-setup.conf, modsecurity.conf 000.conf in /rules/ directory. It unblocks the directory but all images and css which are NOT in that directory are stripped.
SecRule REQUEST_URI "@beginsWith /directory" "phase:1,id:12345,allow"
Also tried:
SecRule REQUEST_URI "@beginsWith /directory" "phase:1,id:12345,ctl:ruleEngine=off"
Example url: domain.com/directory/javascript.php?sqlinectioncode