If you face a mod_security issue, do not whitelist the whole domain from the mod_security rules. Instead, override the mod_security settings for the domain narrowly, so that the override applies only to the particular page and the particular rule. Follow the steps below to troubleshoot mod_security issues.

1) Tail the Apache error log and find the ModSecurity error.

2) Every entry has a rule ID and the URL that triggered the mod_security issue. Overriding that rule for that URL alone will solve the issue. Check the sample Apache log below.
++++++++++++++++++++++++++++
[19:37] [Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [rev "1"] [msg "Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)"] [data "[http://domainname.com] |- | ahx || mitch schwenk || |- | almico || alfredo milani ccrestron || [..."] [severity "ERROR"] Access denied with code 403 (phase 2). Pattern match "(\\[ ?http://.*){4,}" at ARGS:wpTextbox1. [hostname "domainname.com"] [uri "/index.php"] [unique_id "TmZm@lUN67oAACO3LgMAAAAN"]
++++++++++++++++++++++++++++
Here the ID is 300023 and the URL is index.php. The error is that multiple embedded URLs were used.
3) To override this, create a new directory:
mkdir -p /usr/local/apache/conf/userdata/std/2/username/domainname/

4) Create the mod_security.conf file: vi /usr/local/apache/conf/userdata/std/2/username/domainname/mod_security.conf
5) Paste the following contents in the file based on the data collected in step 2.
++++++++++
<LocationMatch "URL">
SecRuleRemoveById ruleId
</LocationMatch>
++++++++++

We are overriding the settings by URL and ID match.

Eg:

++++++++++
<LocationMatch "/index.php">
SecRuleRemoveById 300023
</LocationMatch>
++++++++++
6) Run the script:
  /scripts/ensure_vhost_includes --user=username

7) Check whether the file is included in httpd.conf using the command below.

grep "std/2/username" conf/httpd.conf
8) Restart Apache.
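The following shell snippet, added here and not part of the original post, automates steps 2 and 5: it pulls the rule id and URI out of a ModSecurity "Access denied" line from the Apache error log and emits the narrow <LocationMatch> override, refusing to emit anything if either value cannot be parsed. The embedded log line is the one shown in step 2 (quotes straightened); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build a per-URL SecRuleRemoveById
# override from a ModSecurity error-log line, instead of whitelisting the domain.

# The log line from step 2 above, with the curly quotes replaced by straight ones.
SAMPLE_LOG='[Tue Sep 06 19:31:22 2011] [error] [client 203.197.151.138] ModSecurity: [file "/usr/local/apache/conf/modsec_rules/30_asl_antispam.conf"] [line "116"] [id "300023"] [rev "1"] [msg "Atomicorp.com WAF Rules: Possible Spam: Multiple embedded urls in argument"] [severity "ERROR"] Access denied with code 403 (phase 2). Pattern match "(\\[ ?http://.*){4,}" at ARGS:wpTextbox1. [hostname "domainname.com"] [uri "/index.php"] [unique_id "TmZm@lUN67oAACO3LgMAAAAN"]'

# modsec_field NAME LINE: print the value inside [NAME "..."] in LINE, or nothing.
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# modsec_override_snippet LINE: print a <LocationMatch> block that removes only
# the matched rule id for only the matched URI. Returns 1 if the line has no
# numeric id or no uri, so nothing half-parsed ever lands in a config file.
modsec_override_snippet() {
    id=$(modsec_field id "$1")
    uri=$(modsec_field uri "$1")
    case "$id" in
        ''|*[!0-9]*) echo "could not parse a numeric rule id" >&2; return 1 ;;
    esac
    [ -n "$uri" ] || { echo "could not parse uri" >&2; return 1; }
    # LocationMatch takes a regex: escape dots and anchor so /index.php does not
    # also match /index.php/anything or /xindex.php.
    uri_re=$(printf '%s' "$uri" | sed 's/[.]/\\./g')
    printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$uri_re" "$id"
}

# Stand-alone use: print the snippet for the sample line. In practice, redirect it
# into /usr/local/apache/conf/userdata/std/2/username/domainname/mod_security.conf
# (the cPanel path from steps 3 and 4) and continue with steps 6 to 8.
modsec_override_snippet "$SAMPLE_LOG"
```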
