Wednesday 13 February 2008

Disabling mod_security 2 for individual directories

I ran into some trouble with mod_security falsely blocking my Joomla administrator pages.

The old method of disabling mod_security, placing SecFilterEngine Off and SecFilterScanPOST Off in a .htaccess file, doesn't work anymore. This doesn't seem to be clear in the docs and I only found this info in a mod-sec mailing post.

So the rules now need to go directly into the Apache conf files.

I have most sites hosted on a Plesk server. In Plesk you can add to the virtual host config through a vhost.conf file found at "/var/www/vhosts/<domain.com>/conf/vhost.conf".
Create or edit this file and enter:

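<Location "/">
    SecRuleEngine Off
</Location>

The path "/" covers the whole site; to limit this to one directory, use that directory's URL path instead.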


If this is a new vhost.conf file, apply the vhost changes with:
/usr/local/psa/admin/bin/websrvmng -v -a

Then restart the httpd server with:
service httpd restart

Better still, disable specific rules with
SecRuleRemoveById _rule_id_

instead of the sledgehammer SecRuleEngine Off.
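
To find the _rule_id_ values and keep the removal limited to the admin pages, the script below (an added example, not part of the original post) reads ModSecurity denial lines from the Apache error log and prints a Location block for vhost.conf. The function names are hypothetical, the log lines and rule ids are constructed, and it assumes the usual ModSecurity 2 log fields [id "..."] and [uri "..."] and that the Joomla admin area lives under /administrator.

```shell
#!/usr/bin/env bash
# Added example: turn ModSecurity 2 denials into a narrowly scoped exclusion.

# Constructed error_log sample; rule ids, client IPs and URIs are made up.
sample_log() {
cat <<'EOF'
[Wed Feb 13 10:01:02 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:text. [file "/etc/httpd/rules.conf"] [line "10"] [id "10001"] [msg "constructed rule A"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "AAAA"]
[Wed Feb 13 10:01:09 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "y" at ARGS:intro. [file "/etc/httpd/rules.conf"] [line "20"] [id "10002"] [msg "constructed rule B"] [hostname "example.com"] [uri "/administrator/index2.php"] [unique_id "AAAB"]
[Wed Feb 13 10:02:30 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:text. [file "/etc/httpd/rules.conf"] [line "10"] [id "10001"] [msg "constructed rule A"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "AAAC"]
[Wed Feb 13 10:03:11 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "z" at ARGS:q. [file "/etc/httpd/rules.conf"] [line "30"] [id "10003"] [msg "constructed rule C"] [hostname "example.com"] [uri "/index.php"] [unique_id "AAAD"]
[Wed Feb 13 10:04:45 2008] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "w" at ARGS:text. [file "/etc/httpd/rules.conf"] [line "40"] [id "10004"] [msg "constructed rule D"] [hostname "example.com"] [uri "/administrator/index.php"] [unique_id "AAAE"]
EOF
}

# Print the unique ids of rules that denied a request under the given URI
# prefix. Reads error_log lines on stdin; warnings that did not block are skipped.
blocked_rule_ids() {
  local prefix=$1
  grep -F -e 'ModSecurity: Access denied' |
    grep -F -e "[uri \"${prefix}" |
    sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*/\1/p' |
    sort -un
}

# Emit a <Location> block that removes only those rules, only for that prefix.
# Returns 1 (and prints nothing) when no denial was logged under the prefix.
scoped_exclusion() {
  local prefix=$1 ids id
  ids=$(blocked_rule_ids "$prefix")
  [ -n "$ids" ] || return 1
  printf '<Location "%s">\n' "$prefix"
  for id in $ids; do
    printf '    SecRuleRemoveById %s\n' "$id"
  done
  printf '</Location>\n'
}

# /administrator is the assumed admin path. Review each listed rule before
# pasting the output into vhost.conf: every line is a check you are giving up.
sample_log | scoped_exclusion /administrator
```

On a real server, feed the vhost's error log to scoped_exclusion instead of sample_log. The denial for /index.php in the sample is left alone, so the public site keeps full rule coverage.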
