How can I disable mod_security in .htaccess file?

盖世英雄少女心 2020-12-02 22:42

How can we disable mod_security by using .htaccess file on Apache server?

I am using WordPress on my personal domain and posting a post whi

7 Answers
  • 2020-12-02 23:18

    Just to update this question for mod_security 2.7.0+ - they turned off the ability to mitigate modsec via htaccess unless you compile it with the --enable-htaccess-config flag. Most hosts do not use this compiler option since it allows too lax security. Instead, vhosts in httpd.conf are your go-to option for controlling modsec.

    Even if you do compile modsec with htaccess mitigation, there are fewer directives available. SecRuleEngine can no longer be used there, for example. Here is a list that is available to use by default in htaccess if allowed (keep in mind a host may further limit this list with AllowOverride):

        - SecAction
        - SecRule
    
        - SecRuleRemoveByMsg
        - SecRuleRemoveByTag
        - SecRuleRemoveById
    
        - SecRuleUpdateActionById
        - SecRuleUpdateTargetById
        - SecRuleUpdateTargetByTag
        - SecRuleUpdateTargetByMsg
    

    More info on the official modsec wiki

    As an additional note for 2.x users: the IfModule should now look for mod_security2.c instead of the older mod_security.c

    0 Discussion (0)
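An added example, not part of any answer on this page: a small Python audit that reads a .htaccess file and reports, for each ModSecurity directive, whether it is on the 2.7.0+ list above and whether it sits inside the matching IfModule guard. The function name, the messages and the sample input are constructed for illustration, and treating every directive that starts with "Sec" as a ModSecurity directive is an assumption.

```python
import re

# Directives the answer above lists as usable in .htaccess on ModSecurity
# 2.7.0+ (and only when built with --enable-htaccess-config).
HTACCESS_OK = {
    "secaction", "secrule",
    "secruleremovebymsg", "secruleremovebytag", "secruleremovebyid",
    "secruleupdateactionbyid", "secruleupdatetargetbyid",
    "secruleupdatetargetbytag", "secruleupdatetargetbymsg",
}
GUARD_FOR = {"1.x": "mod_security.c", "2.x": "mod_security2.c"}

# Constructed sample, not taken from a real site.
SAMPLE = """\
<IfModule mod_security.c>
  SecRuleEngine Off
  SecFilterEngine Off
  SecRuleRemoveById 300015
</IfModule>
<IfModule mod_security2.c>
  SecRuleRemoveById 300015
</IfModule>
"""


def audit_htaccess(text):
    """Return (line_no, directive, finding) per ModSecurity directive."""
    findings, guards = [], []  # guards: stack of open <IfModule> arguments
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<ifmodule\s+([^>]+)>", line, re.I)
        if opened:
            guards.append(opened.group(1).strip().lower())
        elif re.match(r"</ifmodule\s*>", line, re.I) and guards:
            guards.pop()
        # Assumption: any directive starting with "Sec" belongs to ModSecurity.
        if not line.lower().startswith("sec"):
            continue
        name = line.split()[0]
        if name.lower().startswith("secfilter"):
            family, note = "1.x", "legacy 1.x directive, unknown to 2.x"
        elif name.lower() in HTACCESS_OK:
            family, note = "2.x", "usable in .htaccess on 2.7.0+ if compiled in"
        else:
            family, note = "2.x", "not on the 2.7.0+ .htaccess list; use the vhost"
        if GUARD_FOR[family] not in guards:
            note += "; not inside the matching <IfModule> guard"
        findings.append((no, name, note))
    return findings
```

Calling `audit_htaccess(SAMPLE)` flags the 2.x directives that sit under the 1.x guard and passes the `SecRuleRemoveById` line under `mod_security2.c`.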
  • 2020-12-02 23:20

    When the above solution doesn’t work, try this:

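    # ModSecurity 1.x directives (module file mod_security.c)
    <IfModule mod_security.c>
      SecFilterInheritance Off
      SecFilterEngine Off
      SecFilterScanPOST Off
    </IfModule>
    # ModSecurity 2.x directives (module file mod_security2.c)
    <IfModule mod_security2.c>
      SecRuleEngine Off
      SecRuleRemoveById 300015 3000016 3000017
    </IfModule>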
    
    0 Discussion (0)
  • 2020-12-02 23:24

    In the .htaccess file in the site root directory, edit the following lines:

    <ifmodule mod_security.c>
    
    SecFilterEngine Off
    SecFilterScanPOST Off
    
    </ifmodule>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Just keep the mod_security rules like SecFilterEngine and parts apart from each other. It works for the Apache server.

    0 Discussion (0)
  • 2020-12-02 23:31

    With some web hosts including NameCheap, it's not possible to disable ModSecurity using .htaccess. The only option is to contact tech support and ask them to alter the configuration for you.

    0 Discussion (0)
  • 2020-12-02 23:31

    For anyone who is simply looking to bypass the ERROR page to display the content on shared hosting: you might want to try using a redirect in the .htaccess file. If it is, say, a 406 error: on UnoEuro it didn't seem to work simply deactivating the security. So I used this instead:

    ErrorDocument 406 /
    

    Then you can always change the error status using PHP. But be aware that in my case doing so means I am opening a door to SQL injections as I am bypassing WAF. So you will need to make sure that you either have your own security measures or enable the security again asap.

    0 Discussion (0)
  • 2020-12-02 23:32

    On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but only in its entirety – you can't disable individual rules.

    Rather than disabling it for your entire site, it's best to limit this to specific URLs. You can specify which URLs to match via the regex in the <If> statement below...

    ### DISABLE mod_security firewall
    ### Some rules are currently too strict and are blocking legitimate users
    ### We only disable it for URLs that contain the regex below
    ### The regex below should be placed between "m#" and "#" 
    ### (this syntax is required when the string contains forward slashes)
    <IfModule mod_security.c>
      <If "%{REQUEST_URI} =~ m#/admin/#">
        SecFilterEngine Off
        SecFilterScanPOST Off
      </If>
    </IfModule>
    
    0 Discussion (0)