UnixServerAdmin

Server Administration & Management

How to disable Mod_security rules

Case-A :- By domain, for a specific application, for a list of IPs

1) Edit the vhost/vhost_ssl.conf for the domain

# vi /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

2) Add the LocationMatch for the rule to exclude.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    # Allow (skip further rule processing) when the client IP appears in the ASL whitelist.
    SecRule REMOTE_ADDR "@pmFromFile /etc/asl/whitelist" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

3) Add IP to /etc/asl/whitelist

echo "10.11.12.13" >> /etc/asl/whitelist

Case-B :- If you want to create a special whitelist for just that application

1) Edit the vhost/vhost_ssl.conf for the domain

# vi /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf

2) Add the LocationMatch for the rule to exclude.

<LocationMatch /foo/bar.php>
  <IfModule mod_security2.c>
    # Same as Case-A, but the IP list is a file of your own rather than the ASL-managed one.
    SecRule REMOTE_ADDR "@pmFromFile /path/to/your/custom/whitelist_for_this_application" "nolog,phase:1,allow"
  </IfModule>
</LocationMatch>

3) Create your custom whitelist and add the IP to it

echo "10.11.12.13" >> /path/to/your/custom/whitelist_for_this_application

Keep in mind these custom lists are *not* managed by ASL, so if you want to add IPs to these lists you will need to do it from the command line.
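An added example, not from the original post, of how the whitelist rules in Case-A and Case-B actually decide a request: @pmFromFile is a phrase (substring) match, so a whitelist entry that is a prefix of another address also allows that address. The functions below emulate that behaviour against a constructed sample whitelist and compare it with an exact, whole-line match; the file path and addresses are assumptions for illustration only.

```shell
#!/bin/sh
# Constructed sample whitelist, one address per line as on the page,
# written to a temporary file so the example runs offline.
WHITELIST="${TMPDIR:-/tmp}/modsec_whitelist.$$"
printf '%s\n' "10.11.12.13" "192.0.2.1" > "$WHITELIST"

# pm_would_allow FILE IP -> exit 0 if the "@pmFromFile FILE" rule would
# fire "allow" for IP, i.e. any non-empty line of FILE occurs inside IP.
# This is the substring semantics of @pm, so "192.0.2.1" also allows
# "192.0.2.100" and "192.0.2.15".
pm_would_allow() {
    file=$1; ip=$2
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -z "$entry" ] && continue
        case "$ip" in
            *"$entry"*) return 0 ;;
        esac
    done < "$file"
    return 1
}

# exact_would_allow FILE IP -> exit 0 only when IP equals a whole line,
# which is what an IP whitelist is normally meant to express.
exact_would_allow() {
    grep -qxF -- "$2" "$1"
}

# lint_whitelist FILE -> exit 0 when every non-empty line looks like a
# dotted-quad IPv4 address; prints offending lines otherwise. Run this
# before appending to a list that @pmFromFile will read, because a stray
# short token such as "1" would allow every client.
lint_whitelist() {
    bad=$(grep -vxE -- '([0-9]{1,3}\.){3}[0-9]{1,3}|' "$1")
    [ -z "$bad" ] || { printf 'not an IPv4 address: %s\n' "$bad"; return 1; }
}
```

Use the exact-match check as the reference when auditing who a @pmFromFile whitelist really admits.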

Case-C :- Disable Mod_security rules globally for a specific application

Add this to your vhost.conf file, or, if you want to make it global, make sure the exclusion is loaded after your rules are loaded. A good place to add it is the 999_asl_user_exclude.conf file. If you don't have this file, just create it; the system knows to load it.

<LocationMatch /url/to/your/application>
  <IfModule mod_security2.c>
    # Remove the listed rule IDs for requests matching this URL only.
    SecRuleRemoveById 1234567
    SecRuleRemoveById 9999999
  </IfModule>
</LocationMatch>

What's important to remember is that the LocationMatch argument is a regular expression matched against the request URL, not the path on the filesystem.


July 1, 2011 | Posted in Mod_Security