The old method of disabling mod_security by placing a SecFilterEngine Off SecFilterScanPOST Off in a .htaccess doesn't work anymore. This doesn't seem to be clear in the docs and I only found this info in a mod-sec mailing post.
So the rules now need to go directly into the apache conf files.
I have most sites hosted on a plesk server. In plesk you can add to the virtual host config inside a vhost.conf file found in
"/var/www/vhosts/<domain.com>/conf/vhost.conf".Create or edit this file and enter:
<location "/" >
SecRuleEngine Off
</location>
Apply the vhost changes if a new vhost file with:
/usr/local/psa/admin/bin/websrvmng -v -aAnd reload the httpd server with:
service httpd restartBetter still disable specific rules with
SecRuleRemoveById _rule_id_
Instead of the sledgehammer SecRuleEngine Off
No comments:
Post a Comment