Disable modsecurity For a Specific Directory

Solution 1

SecRuleEngine Off must work. Have you tried putting SecRuleEngine inside Directory:

<Directory /var/www/site/phpMA>
SecRuleEngine Off
</Directory>

instead of LocationMatch?

Solution 2

On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but via this method you can only switch it on or off; you usually can’t disable individual rules.

So rather than leaving your entire site unprotected, it’s best to limit this to specific URLs. You can specify them in a regex in the <If> statement below...

### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#" 
### (this syntax is required when the string contains forward slashes)
<IfModule mod_security.c>
  <If "%{REQUEST_URI} =~ m#/admin/#">
    SecFilterEngine Off
    SecFilterScanPOST Off
  </If>
</IfModule>

Solution 3

Never disable all rules! This could cause serious security issues!

You need to check the logfile of modsecurity with

tail -f /var/log/apache2/modsec_audit.log

and exclude each rule one by one while reproducing the errors in the phpMyAdmin interface.

Next, add:

<Directory /path/to/phpmyadmin>
    <IfModule security2_module>
        SecRuleRemoveByTag "WEB_ATTACK/SQL_INJECTION"
        # ... and other rules you need to disable
    </IfModule>
</Directory>

to /etc/apache2/mods-enabled/modsecurity.conf

The tag you need to remove will be in the log file like this. For a full description of removing rules for a particular folder, see the GitHub wiki of the project.
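The log-driven workflow from Solution 3, as an added example that is not part of any of the answers above: it reads an audit log, keeps only transactions whose request path falls under one prefix, and renders a per-rule exclusion block instead of switching the engine off. It assumes the ModSecurity 2.x serial audit-log layout; the function names are hypothetical and the sample log is constructed and trimmed.

```python
import re
from collections import Counter

# Constructed, trimmed sample in the ModSecurity 2.x serial audit-log layout (not real traffic).
SAMPLE_LOG = """\
--a1b2c3d4-A--
[17/Sep/2022:10:00:01 +0000] CONSTRUCTED-TX-1 192.0.2.10 40000 192.0.2.1 80
--a1b2c3d4-B--
POST /phpMA/import.php HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). [id "950004"] [msg "constructed"] [tag "WEB_ATTACK/SQL_INJECTION"]
Message: Warning. [id "960010"] [msg "constructed"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[17/Sep/2022:10:00:02 +0000] CONSTRUCTED-TX-2 192.0.2.11 40001 192.0.2.1 80
--e5f6a7b8-B--
GET /index.php?id=1 HTTP/1.1
--e5f6a7b8-H--
Message: Access denied with code 403 (phase 2). [id "960012"] [msg "constructed"]
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # e.g. --a1b2c3d4-H--
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def tripped_rules(log_text, uri_prefix):
    """Count rule ids logged in section H for requests whose path starts with uri_prefix."""
    hits, section, in_scope, expect_request = Counter(), None, False, False
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            section, expect_request = m.group(2), m.group(2) == "B"
            in_scope = in_scope and section != "A"  # section A starts a new transaction
        elif section == "B" and expect_request:
            parts = line.split()  # request line: METHOD URI PROTOCOL
            in_scope = len(parts) >= 2 and parts[1].startswith(uri_prefix)
            expect_request = False
        elif section == "H" and in_scope and line.startswith("Message:"):
            rid = RULE_ID.search(line)  # first [id] only; later fields can echo request data
            if rid:
                hits[rid.group(1)] += 1
    return hits

def exclusion_block(hits, directory):
    """Render per-rule removals scoped to one directory, leaving every other rule active."""
    body = [f"        SecRuleRemoveById {rid}" for rid in sorted(hits)]
    return "\n".join([f"<Directory {directory}>", "    <IfModule security2_module>",
                      *body, "    </IfModule>", "</Directory>"])
```

Run it over a log captured while you reproduce the errors yourself, and review each id before adding it: the log also records other clients' requests under the same path, so the output is a candidate list, not a finished exclusion set.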

Author: dragonmantank

Love to program in PHP, starting to look into Python and C# as well.

Updated on September 17, 2022

Comments

  • dragonmantank
    dragonmantank almost 2 years

    How do you disable modsecurity for just a specific directory? I'm getting errors in phpMyAdmin that are caused by modsecurity tripping based on rules. I have the following files set up:

    # /etc/httpd/modsecurity.d/modsecurity_crs_15_customrules.conf
    <LocationMatch "^/phpMA/">
        SecRuleEngine Off
    </LocationMatch>
    
    # /etc/httpd/modsecurity.d/modsecurity_crs_60.custom.conf
    <LocationMatch '^/phpMA/*'>
        SecRuleRemoveById 950004
        SecRuleRemoveById 950005
        SecRuleRemoveById 950006
        SecRuleRemoveById 960010
        SecRuleRemoveById 960012
    </LocationMatch>
    

    From what I can find the first file should disable it, but it still trips, so I tried adding the rule IDs it is tripping to the 60 file, but it still complains.

    I'm running the following packages on CentOS 5.3:

    • mod_security-2.5.0-jason.2
    • httpd-2.2.8-jason.3
    • mod-php5-apache2-zend-ce-5.2.10-65
  • dragonmantank
    dragonmantank almost 15 years
    Tried adding that to the 15 file and still getting the same errors being caught in modsecurity_audit.log
  • hdanniel
    hdanniel almost 15 years
    Are the files modsecurity_crs_15_customrules.conf and modsecurity_crs_60.custom.conf included (not commented) in your /etc/httpd/conf.d/mod_security.conf ?
  • dragonmantank
    dragonmantank almost 15 years
    facepalm No, they weren't. That took care of it.
  • DevOpsSauce
    DevOpsSauce about 3 years
    Can you explain what the =~ and m# mean?
  • Simon East
    Simon East about 3 years
    @IRGeekSauce The =~ indicates that what follows should be interpreted as a regular expression, not a simple string. Normally regular expressions start and end with a forward slash but since that gets really confusing and error prone when you’re dealing with URLs (you would then need to escape every forward slash with a backslash) they provide a second option which is placing it between m# and #. It’s not very intuitive I know. See this docs page for the official mentions — not very well explained, I must admit.