How to disable mod_security and mod_security2 in .htaccess

Submitted by ♀尐吖头ヾ on 2019-12-10 14:59:53

Question


I've created a WordPress plugin which became popular, but I'm getting lots of complaints that it's not working. After logging in to many users' WP websites (after asking for the admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests, or .htaccess causing a 500 error on some configurations.

So first of all, why is this piece of code causing some servers to return a 500 error?

<IfModule mod_security2.c>
  SecRuleRemoveById 300015
  SecRuleRemoveById 300016
  SecRuleRemoveById 300017
  SecRuleRemoveById 950907
  SecRuleRemoveById 950005
  SecRuleRemoveById 950006
  SecRuleRemoveById 960008
  SecRuleRemoveById 960011
  SecRuleRemoveById 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</IfModule>

On other servers, removing rules by id this way is causing a 500 error:

<IfModule mod_security.c>
  SecRuleRemoveById 300015
  ...
  SecRuleRemoveById phpids-61
</IfModule>

So for now the only working thing which does not cause any server to crash is

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

but it's not enough for servers with mod_security2!

How do I write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere they apply, without causing 500 errors on other configurations?

Edit: Not only in Apache. Anywhere where .htaccess is used.


Answer 1:


Ryan C. Barnett, ModSecurity Community Manager, claimed:

Support for .htaccess files was discontinued in 2.x as it raised too many security issues.

source: http://article.gmane.org/gmane.comp.apache.mod-security.user/3065

The only directives that can be enabled in .htaccess are the following (since 2.7.3), but you need to build with ./configure --enable-htaccess-config:

  • SecAction
  • SecRule
  • SecRuleRemoveByMsg
  • SecRuleRemoveByTag
  • SecRuleRemoveById
  • SecRuleUpdateActionById
  • SecRuleUpdateTargetById
  • SecRuleUpdateTargetByTag
  • SecRuleUpdateTargetByMsg

https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69




Answer 2:


Displaying a message telling the user to contact the server administrator will be the last thing to do. First of all, I'll try one of these solutions for automatic config creation:

Create 2-3 sandboxed .htaccess configs in subfolders

  1. During plugin activation, test the configs one by one with a simulated remote AJAX test
  2. Start from the best general-settings config subfolder
  3. Check for AJAX proxy script calls and image, style, etc. file access in this folder
  4. After finding a successful (unblocking and not crashing) config, save the selected .htaccess file to the folder containing the AJAX proxy PHP file
  5. If none of the configs (or the built-in WordPress AJAX script, which is not very reliable) is functional, display an error telling the user to contact the server admin to allow .htaccess for the given folder

OR

  1. Check the loaded modules with PHP
  2. Add SecRuleRemoveById only if mod_security2 is present, to prevent basic mod_security from crashing
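
The following is an added example, not code from the question, the answers or the plugin being discussed. It implements the second procedure from Answer 2 (detect the loaded modules, then write and probe candidate .htaccess files, keeping the first that works) on top of the facts stated in Answer 1: mod_security 1.x honours SecFilterEngine in .htaccess, while mod_security2 only accepts SecRuleRemoveById there when built with --enable-htaccess-config and never accepts SecRuleEngine, so on an unknown server the only safe check is a live probe. Everything not on the page is an assumption: the proxy script name ajax-proxy.php, its "?probe=1" reply of "OK", the static file probe.css, the sample POST body, and the rule ids passed in.

```php
<?php
// Added example (not the plugin's, question's or answers' code).
// Hypothetical layout: $dir/ajax-proxy.php answers "?probe=1" with body "OK",
// $dir/probe.css is a static file, $rule_ids are the ids seen in the WAF log.
declare(strict_types=1);

// Constructed sample of what the plugin's real AJAX request looks like; the WAF
// inspects POST bodies, so a bare GET would prove nothing about the real traffic.
const MODSEC_PROBE_BODY = 'action=plugin_ajax&payload=%7B%22q%22%3A%22select%20*%20from%22%7D';

/** Which ModSecurity generations are loaded. Unknown (php-fpm, CGI) => assume both. */
function modsec_loaded_modules(): array
{
    // apache_get_modules() exists only under the Apache SAPI (mod_php).
    $mods = function_exists('apache_get_modules') ? apache_get_modules() : null;
    return [
        'mod_security'  => $mods === null || in_array('mod_security', $mods, true),
        'mod_security2' => $mods === null || in_array('mod_security2', $mods, true),
    ];
}

/** Candidate .htaccess bodies, most specific first; the empty one can never 500. */
function modsec_htaccess_candidates(array $rule_ids, bool $has_v1, bool $has_v2): array
{
    $out = [];
    if ($has_v2) {   // works only if mod_security2 was built with --enable-htaccess-config
        $lines = array_map(fn (string $id): string => '  SecRuleRemoveById ' . $id, $rule_ids);
        $out['modsec2-remove-by-id'] = "<IfModule mod_security2.c>\n" . implode("\n", $lines) . "\n</IfModule>\n";
    }
    if ($has_v1) {   // 1.x honours these in .htaccess
        $out['modsec1-engine-off'] = "<IfModule mod_security.c>\n  SecFilterEngine Off\n  SecFilterScanPOST Off\n</IfModule>\n";
    }
    $out['no-directives'] = '';
    return $out;
}

/** Plain-PHP fetcher returning [status, body]; inside WordPress wrap wp_remote_post() instead. */
function modsec_fetch(string $url, ?string $post = null): array
{
    $opts = ['http' => ['ignore_errors' => true, 'timeout' => 5]];
    if ($post !== null) {
        $opts['http'] += ['method' => 'POST', 'content' => $post,
                          'header' => "Content-Type: application/x-www-form-urlencoded\r\n"];
    }
    $body   = @file_get_contents($url, false, stream_context_create($opts));
    $status = 0;   // $http_response_header is populated in this local scope by file_get_contents()
    if (!empty($http_response_header) && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, (string) $body];
}

/**
 * Write each candidate into $dir/.htaccess, probe the proxy (POST) and a static
 * file (GET), keep the first that works and return its name. Returns null after
 * restoring the previous file, so a directive that 500s is never left behind.
 */
function modsec_select_htaccess(string $dir, string $url, array $candidates, callable $fetch): ?string
{
    $path     = rtrim($dir, '/') . '/.htaccess';
    $previous = is_file($path) ? file_get_contents($path) : null;
    $url      = rtrim($url, '/') . '/';
    foreach ($candidates as $name => $body) {
        if (file_put_contents($path, $body, LOCK_EX) === false) {
            break;                                     // unwritable: nothing to test
        }
        [$st, $out] = $fetch($url . 'ajax-proxy.php?probe=1', MODSEC_PROBE_BODY);
        [$static]   = $fetch($url . 'probe.css');
        if ($st === 200 && trim($out) === 'OK' && $static === 200) {
            return $name;
        }
    }
    if ($previous === null) { @unlink($path); } else { file_put_contents($path, $previous, LOCK_EX); }
    return null;
}

/** Snippet to show the site admin when nothing works: only the offending rules, only for one path, in the vhost config. */
function modsec_admin_hint(string $proxy_url_path, array $rule_ids): string
{
    $lines = array_map(fn (string $id): string => '    SecRuleRemoveById ' . $id, $rule_ids);
    return "<IfModule mod_security2.c>\n  <Location \"$proxy_url_path\">\n"
         . implode("\n", $lines) . "\n  </Location>\n</IfModule>";
}

// Activation-hook usage; in WordPress pass plugin_dir_path(__FILE__) and plugin_dir_url(__FILE__).
function modsec_activate(string $dir, string $url, array $rule_ids): ?string
{
    $mods       = modsec_loaded_modules();
    $candidates = modsec_htaccess_candidates($rule_ids, $mods['mod_security'], $mods['mod_security2']);
    return modsec_select_htaccess($dir, $url, $candidates, 'modsec_fetch');
    // null => show modsec_admin_hint(parse_url($url, PHP_URL_PATH) . 'ajax-proxy.php', $rule_ids)
}
```

Two design points worth keeping if this is adapted: the probe POSTs a body shaped like the plugin's real request, because a rule set that ignores a plain GET can still block the real AJAX call, and the empty candidate passing only proves that the WAF did not object to that body; and the fallback text for the administrator uses SecRuleRemoveById inside a single <Location> rather than SecRuleEngine Off, so the exemption covers exactly the rules and the path that need it and the rest of the site stays protected.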


Source: https://stackoverflow.com/questions/19093542/how-to-disable-mod-security-and-mod-security2-in-htaccess
