Apache Mod Security is not being disabled for certain path

postcd

Well-Known Member
Hello,

In cPanel I can disable Mod Security for a domain under cPanel / ModSecurity.

I wanted to disable it for certain paths or files:
newreply.php, newthread.php, editpost.php

In WHM / Apache Configuration / Includes Editor / Pre VirtualHost Include I tried:
<IfModule security2_module>
<IfModule mod_security.c>
<IfModule mod_security2.c>

Example codes tried:
<IfModule mod_security.c>
<If "%{REQUEST_URI} =~ m#/editpost.php#">
SecFilterEngine Off
SecFilterScanPOST Off
</If>
</IfModule>

<IfModule mod_security.c>
<FilesMatch "^(editpost|newreply|newthread)\.php$">
SecFilterEngine Off
SecFilterScanPOST Off
</FilesMatch>
</IfModule>

<IfModule mod_security.c>
<File editpost.php>
SecFilterEngine Off
SecFilterScanPOST Off
</File>
<File newreply.php>
SecFilterEngine Off
SecFilterScanPOST Off
</File>
<File newthread.php>
SecFilterEngine Off
SecFilterScanPOST Off
</File>
</IfModule>
(I also tried SecRuleEngine Off)

It did not work: mod security was not disabled for the URL https://mydomain.com/editpost.php?p=123&do=editpost, and I got a 403 from mod. sec. I did not forget to restart httpd.
Please kindly advise how to do it properly.

Server version: Apache/2.2.34 (Unix)
Server built: Oct 8 2017 12:30:19
Cpanel::Easy::Apache v3.34.17 rev9999
security2_module (shared)
 

rpvw

Well-Known Member
You can disable modsec for paths (I'm not sure it can go down to individual files!)

Probably the easiest way of managing your requirements is to install the free ConfigServer ModSecurity Control (cmc) module, which will let you disable by rule, user, domain or DirectoryMatch (e.g. ^/home/someuser/public_html/ignore/some/path/), and has lots more convenient features.
 

postcd

Well-Known Member
Hello,

I have enabled the Comodo ModSecurity vendor rules in WHM and one rule is blocking me.
So I added a new rule that should disable the mod security engine on a certain URI:

SecRule REQUEST_URI "@pm editpost newreply newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"

I added it at the top of WHM / Security / ModSecurity Tools / "Edit Rules".

But the Comodo vendor rule is still triggered and I get a 403 as a result.

When I use:
SecRule REMOTE_ADDR "^myiphere$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
I am not blocked, so I assume my custom rules override the vendor rules, but the SecRule REQUEST_URI is somehow wrong or not supported?

quizknows

Well-Known Member
You may be getting into rule parsing order, as rules are processed based on two things: the first is the order of includes, but the second is phase.

Anyway, I think your options below are probably deprecated:
SecFilterEngine Off
SecFilterScanPOST Off

Try "SecRequestBodyAccess Off" (this will skip processing of the request bodies).

I don't see anything wrong with your @pm rule off hand for the record. But you could try this if you want:

SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"

I would however recommend this ctl instead of removing the whole rule engine, 'ctl:ruleRemoveById=#COMODORULE'

It does seem modsec2.user.conf is included before the vendor configs by cPanel's modsec2.conf, so that users are able to whitelist rules like this. Worst case, remove your nolog / noauditlog stuff from your rules for a bit to troubleshoot. The modsec audit log, coupled with the manual, can help you decipher just about anything.

postcd

Well-Known Member
Thanks for the help, yet I am NOT successful.

SecRule REQUEST_URI "editpost|newreply|newthread" "id:1076487,phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"
I added your rule at the top (WHM / Mod sec / Edit Rules section), but it does not prevent other rules (Comodo vendor rules) from causing a 403 error. At the bottom of "Edit Rules" is the included file /usr/local/apache/conf/modsec2.whitelist.conf

Code:
# ConfigServer ModSecurity whitelist file
<LocationMatch "/(editpost\.php|newthread\.php|newreply\.php)">
SecRuleRemoveById 300012
</LocationMatch>
That also did not work, same as with your rule.

On the other hand the following rule worked and the request went through without a 403. But I think this rule is wrong and allows all traffic on the server:

# Disables ModSecurity for certain paths
SecRule REQUEST_URI "!\/(mydomain\.com\/editpost\.php|mydomain\.com\/newthread\.php|mydomain\.com\/newreply\.php|mydomain2)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
The following rule also works, as mentioned earlier, but it is for an IP match, not a file or path match:
SecRule REMOTE_ADDR "^myiphere$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
I want to whitelist domain.tld/file.php, or at least file.php, which does not work as mentioned.

deprecated:
SecFilterEngine Off
SecFilterScanPOST Off

Try "SecRequestBodyAccess Off" (this will skip processing of the request bodies).
I tried to use the "SecRequestBodyAccess Off" you mentioned inside the pre VirtualHost include-all file, but that does not work either:

<IfModule mod_security.c>
<File editpost.php>
SecRequestBodyAccess Off
</File>
</IfModule>

<IfModule mod_security.c>
<If "%{REQUEST_URI} =~ m#/editpost.php#">
SecRequestBodyAccess Off
</If>
</IfModule>

<IfModule mod_security.c>
<FilesMatch "^(editpost|newreply|newthread)\.php$">
SecRequestBodyAccess Off
</FilesMatch>
</IfModule>
I can't believe there is no simple way to whitelist some paths or file names, at least from all mod. sec. rules including vendor rules? Please kindly advise, thank you a lot in advance.

cPanelMichael

Administrator
Staff member
I can't believe there is no simple way to whitelist some paths or file names, at least from all mod. sec. rules including vendor rules?
Hello,

This was possible in older versions of Mod Security through rules in the .htaccess file, however ModSecurity discontinued this functionality in version 2.x. You can read more about this at:

How to disable mod_security and mod_security2 in .htaccess

Additionally, you may find the following threads helpful for overall ModSecurity troubleshooting:

ModSec shows security scanner scanning 127.0.0.1
Editing ModSecurity vendor rules

Thank you.
 

quizknows

Well-Known Member
Your ifmodule is wrong, so those will do nothing. You need to use <IfModule security2_module>

That said, something odd is going on. The line "SecRuleRemoveById 300012" by itself in a user config like modsec2.user.conf should properly disable the rule, if that is the rule causing you trouble. Keep in mind you may have to whitelist several similar rule IDs in some cases. Make sure you get rid of all your incorrect ifmodules first. A good way to make sure Apache will include your config is to make an invalid line, i.e.
<IfModule security2_module>
SecRule Invalid
</IfModule>

Run an httpd configtest (NOT RESTART). It should throw an error for the invalid line. If it doesn't, then your include is not being called by Apache, or your ifmodule is not allowing that directive to be processed. If it does throw the error, then you can immediately remove the invalid line so that it doesn't break Apache, and add your settings knowing they're being parsed.
 

postcd

Well-Known Member
quizknows: I tried to add the invalid rule you mentioned:
<IfModule security2_module>
SecRule Invalid
</IfModule>
into WHM / Apache Configuration / Include Editor / Pre VirtualHost Include (All Versions)
and it returned:
SecRule takes two or three arguments, rule target, operator and optional action list
So I assume "<IfModule security2_module>" is working.
So I removed the invalid rule and tried to apply my custom rule, which included:
SecFilterEngine Off
SecFilterScanPOST Off
but these did not work; the Include Editor said they are invalid directives.
And it also found SecRequestBodyAccess invalid:
Code:
The “/usr/local/apache/bin/httpd” command (process 4764) reported error number 1 when it ended. Configuration problem detected on line 150 of file /usr/local/apache/conf/includes/pre_virtualhost_global.conf: Invalid command ' 145 146 147SecRequestBodyAccess Off 148 149 150 ===> <=== 151SecRequestBodyAccess Off 152 153 154 155SecRequestBodyAccess Off 156 --- /usr/local/apache/conf/includes/pre_virtualhost_global.conf ---
So I am now unsure which rule to use to disable Mod. Sec. Inside the Mod. Sec. rules (configured and accepted through the WHM / Mod. Sec. section) I have:
SecRequestBodyAccess Off
without a problem. So it seems the Include Editor somehow does not support it. Isn't that because it is invalid for Module security2_module?
Into which file do I need to add my rules:
Code:
<IfModule security2_module>

<FilesMatch "^(editpost|newreply|newthread)\.php$">
SecRequestBodyAccess Off
</FilesMatch>

<File editpost.php>
SecRequestBodyAccess Off
</File>

<If "%{REQUEST_URI} =~ m#/editpost.php#">
SecRequestBodyAccess Off
</If>

</IfModule>
Please?
And after that do I execute /scripts/update_apachectl and then "service httpd configtest"? Unsure why I cannot add it through WHM (I receive the error above in this post).

postcd

Well-Known Member
Thank you all who contributed to this topic.
Here are 2 things that worked (to disable modsecurity for certain file names):

OPTION A)
Add following rule to the WHM / ModSecurity Tools / Edit Custom Rules:
# Disable ModSecurity for certain file names
SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off"
The file name has to match not the URL you see in the browser address bar, but the file name that is reported by ModSecurity Tools / Hits List.

It did not work for me to define a full path like domain.com/filename.php, only filename.php :-(

OPTION B)
At the bottom of WHM / ModSecurity Tools / Edit Custom Rules I have the line:
Include /usr/local/apache/conf/modsec2.whitelist.conf and when I add the following to that *.whitelist.conf file:
Code:
<LocationMatch "/(ajax\.php|otherfilenameaccordingtoModSecHitlist\.php)">
SecRuleRemoveById 212000 212620 212770 212870 2172809999999 300012 5000130
SecRequestBodyAccess Off
</LocationMatch>
and restart httpd (service httpd restart), then it also works. Both work: SecRuleRemoveById (which disables mod. sec. just for one or more rules) and SecRequestBodyAccess, which disables mod. sec. completely for the defined file name.
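As an added example (not from the thread or from cPanel), a short Python check of how Option A's pattern actually scopes: ModSecurity's REQUEST_URI variable carries the path and the query string, and the posted pattern is unanchored with unescaped dots, so the engine-off rule also fires for requests to other scripts that merely mention one of the file names; a pattern anchored to the last path segment, matched against the path alone (what REQUEST_FILENAME carries), exempts only the intended scripts. The sample URIs are constructed.

```python
import re

# Constructed sample request URIs (not from the thread).  ModSecurity's
# REQUEST_URI holds path *and* query string; REQUEST_FILENAME holds only the
# path, so a whitelist keyed on REQUEST_URI also sees query-string values.
SAMPLE_URIS = [
    "/editpost.php?p=123&do=editpost",     # intended
    "/forum/newthread.php?f=4",            # intended (subdirectory)
    "/index.php?return=editpost.php",      # other script, name only in query
    "/editpost.php.bak",                   # backup file, not the script
    "/uploads/ajaxXphp",                   # unescaped '.' matches any char
    "/login.php",                          # unrelated
]

# Option A's pattern as posted: unanchored, dots unescaped.
LOOSE = re.compile(r"(ajax.php|editpost.php|newthread.php|newpost.php)")

# Tightened form: dots escaped and anchored to the final path segment, so only
# a request whose path ends in one of the script names is exempted.
TIGHT = re.compile(r"^/(?:[^?]*/)?(?:ajax|editpost|newthread|newpost)\.php$")


def request_filename(uri):
    """Path part of a URI, i.e. what REQUEST_FILENAME would carry."""
    return uri.split("?", 1)[0]


def exempted(pattern, uris, on_filename=False):
    """URIs for which an engine-off rule using `pattern` would fire.
    on_filename=True simulates matching REQUEST_FILENAME instead of REQUEST_URI."""
    return [u for u in uris
            if pattern.search(request_filename(u) if on_filename else u)]


def over_broad(uris=SAMPLE_URIS):
    """URIs the posted rule exempts from inspection but the tightened rule does not."""
    loose = set(exempted(LOOSE, uris))
    tight = set(exempted(TIGHT, uris, on_filename=True))
    return sorted(loose - tight)


if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u:40} loose={bool(LOOSE.search(u))!s:5} "
              f"tight={bool(TIGHT.search(request_filename(u)))}")
    print("exempted only by the loose rule:", over_broad())
```

The same scoping applies to the chained SERVER_NAME variant: the chain narrows which hosts the rule covers, not which URIs on that host match the first regex.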

quizknows

Well-Known Member
Glad you got going. For option A you could also chain a 2nd condition to limit to domain(s), i.e.

Code:
# Disable ModSecurity for certain file names
SecRule REQUEST_URI "(ajax.php|editpost.php|newthread.php|newpost.php|otherfilename.php)" "id:945998,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,chain"
SecRule SERVER_NAME "domain.com"
That way the rule only fires if both domain.com matches and your first regex matches. It seems option B is probably better, and I'm guessing you maybe went that way.

Editing modsec2.user.conf through the GUI may run into limitations if that's how you were trying to edit rules. If you're doing anything advanced just use the command line.