The Community Forums

Exclude file extensions from Mod Security

Discussion in 'Security' started by NTar, May 30, 2015.

  1. NTar

    NTar Member

    Joined:
    Apr 16, 2015
    Messages:
    21
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    Hi guys,

    After resolving all problems with Mod Security, I've got one question left.

    It seems Mod Security forbids loading custom .ttf files (generally uploaded and enabled by our users themselves) for any visitor.

    Is it possible to add an exception for these files?

    For example, I've made the code below. Of course, it doesn't work, since I don't know how to exclude specific files from being blocked by Mod Security, so I used an existing rule with DirectoryMatch.

    Code:
    # DirectoryMatch only matches directory paths, so '.ttf' never applied to
    # the font files themselves.  FilesMatch matches the requested file name,
    # and SecRuleRemoveById accepts several IDs per line.  The IDs below are
    # removed only for requests whose file name ends in .ttf; 958030, which
    # was listed twice, appears once.
    <FilesMatch "\.ttf$">
        SecRuleRemoveById 950001 950109 950901 950907
        SecRuleRemoveById 958030 958056 958057 958977
        SecRuleRemoveById 959072 959073 960024 960915
        SecRuleRemoveById 970003 970015 970901
        SecRuleRemoveById 973300 973302 973304 973306 973317 973324 973327 973332 973333 973334 973335 973340 973342 973343 973350
        SecRuleRemoveById 981173 981204 981205 981231 981240 981242 981243 981244 981245 981246 981248 981249 981251 981255 981256 981257 981317 981318
        SecRuleRemoveById 913342
    </FilesMatch>
    
    I hope someone will help me out. Thanks! :)

    - NTar
     
  2. NTar

  3. NTar

    I've looked deeper into the problem and I can confirm the issue was cross-origin blocking. Adding this to my virtual host seems to fix the issue.

    Code:
    # Always set these headers (requires mod_headers).
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    # Respond with a 200 to every OPTIONS (preflight) request.  For a status
    # outside 300-399, mod_rewrite drops the substitution and stops rewriting,
    # so "-" (no substitution) is used rather than rewriting the URI to itself.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^OPTIONS$
    RewriteRule ^ - [R=200,L]
    
    Now I need to find a way to unblock .js files. :)

    I've listed the error below.

    Code:
    "NetworkError: 500 Internal Server Error - http://domain*.com/*fontname*.font.js"
    ReferenceError: Cufon is not defined - Cufon.replace('.cufon_headings',{ fontFamily: 'cufon', hover:'true' });
     
    #3 NTar, May 31, 2015
    Last edited: Jun 1, 2015
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    Can you post the modsecurity error from the Apache error log that occurs?
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  6. NTar

    Thanks for pointing out where to locate the error_log.

    The error_log is about 200 MB in just a month. :eek: There are a lot of errors to find in here; I've listed the three most noticeable ones below.

    Code:
    [:error] [pid 16105] [client 94.215.**.***] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "*domain*"] [uri "/wp-content/themes/template/functions/admin_options/stylesheets/admin_options.css"] [unique_id "VWWRT5XS1W0AAD7pGoEAAAAC"]
    
    [:error] [pid 12364] [client 145.7.***.**] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "*domain*"] [uri "/wp-content/uploads/2013/04/image92382-170x113.jpg"] [unique_id "VWa-iJXS1W0AADBMxMUAAAAQ"]
    
    [core:error] [pid 9106] [client 95.97.***.**] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: *domain*
    
    The last one in particular is something to look into. I've tried to Google it, but I didn't find a workaround to fix it. Looking forward to your reply! Thanks!
     
  7. quizknows

    The internal redirects error is either a problem with code or an infinite redirect loop caused by an .htaccess error. Most likely it has nothing to do with ModSecurity, unless the site's custom 404 handling is redirecting someone to a page which is blocked by ModSecurity. That would be obvious if it were happening, though.

    The Geo Lookup and collections errors won't result in any particular file extensions being blocked. They are discussed in some other ModSecurity threads on here.

    As far as I know, ModSecurity should not be restricting any access to .ttf files. If it were, you would see an obvious error telling you that. As far as I can tell, the 500 error you referenced earlier is likely an application coding error.
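The check quizknows asks for in posts 4 and 7, as an added example that is not from the thread or from cPanel: pull the ModSecurity lines for one file extension out of the Apache error_log, keep only the "Access denied" events (engine errors such as the "Geo Lookup" and DBM lines carry no [id "..."] field and block nothing), and generate a FilesMatch exclusion that removes only the rule IDs that actually fired, instead of the fifty-rule list in post 1. The log lines below are constructed: the rule IDs 950109 and 981173 are two from NTar's list, the client addresses, hostname, file paths and unique_ids are placeholders, and the [msg] texts are abbreviated. Scoping with FilesMatch assumes the request maps to a real file on disk, which is the case for uploaded fonts.

```python
import re

# Constructed sample of an Apache error_log with ModSecurity 2.x messages.
# Client addresses, hostname, file paths and unique_ids are placeholders.
# Line 1 is an engine error of the 'Geo Lookup' kind shown in the thread and
# blocks nothing; lines 2-4 are denials.  The IDs 950109 and 981173 are two
# from the DirectoryMatch list in post 1; the [msg] texts are abbreviated.
SAMPLE_LOG = """\
[Mon Jun 01 10:15:02 2015] [:error] [pid 16105] [client 203.0.113.10] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "example.com"] [uri "/wp-content/uploads/fonts/custom.ttf"] [unique_id "AAAAAAAAAAAAAAAAAAAAAA"]
[Mon Jun 01 10:15:03 2015] [:error] [pid 16105] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "percent-encoding" at REQUEST_URI. [file "/etc/apache2/conf.d/modsec/crs_20_protocol_violations.conf"] [line "1"] [id "950109"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [hostname "example.com"] [uri "/wp-content/uploads/fonts/custom.ttf"] [unique_id "AAAAAAAAAAAAAAAAAAAAAB"]
[Mon Jun 01 10:15:04 2015] [:error] [pid 16106] [client 203.0.113.11] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 4 at TX:sqli_select_statement_count. [file "/etc/apache2/conf.d/modsec/crs_41_sql_injection_attacks.conf"] [line "1"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [hostname "example.com"] [uri "/wp-content/uploads/fonts/custom.ttf?v=2"] [unique_id "AAAAAAAAAAAAAAAAAAAAAC"]
[Mon Jun 01 10:15:05 2015] [:error] [pid 16107] [client 203.0.113.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "percent-encoding" at ARGS:q. [file "/etc/apache2/conf.d/modsec/crs_20_protocol_violations.conf"] [line "1"] [id "950109"] [msg "Multiple URL Encoding Detected"] [hostname "example.com"] [uri "/search.php?q=%2525"] [unique_id "AAAAAAAAAAAAAAAAAAAAAD"]
"""

# One bracketed field of the form [key "value"]; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"ModSecurity: Access denied with code (\d+)")


def parse_modsec_line(line):
    """Parse one error_log line.

    Returns None for non-ModSecurity lines; otherwise a dict of the bracketed
    fields plus 'action' ('denied', 'warning' or 'other') and, for denials,
    the HTTP status 'code'.
    """
    if "ModSecurity:" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    m = DENIED_RE.search(line)
    if m:
        rec["action"] = "denied"
        rec["code"] = int(m.group(1))
    elif "ModSecurity: Warning." in line:
        rec["action"] = "warning"   # rule matched but did not block (DetectionOnly / pass)
    else:
        rec["action"] = "other"     # mutex, DBM, GeoIP and similar engine errors
    return rec


def uri_extension(uri):
    """Lower-case extension of the path part of a URI, '' if there is none."""
    path = uri.split("?", 1)[0]
    _, dot, ext = path.rpartition(".")
    return ext.lower() if dot and "/" not in ext else ""


def denials_by_extension(log_text, ext):
    """Map rule id -> {'msg': ..., 'uris': set()} for 'Access denied' events
    whose request path ends in the given extension."""
    ext = ext.lower()
    hits = {}
    for line in log_text.splitlines():
        rec = parse_modsec_line(line)
        if not rec or rec["action"] != "denied" or "id" not in rec:
            continue
        if uri_extension(rec.get("uri", "")) != ext:
            continue
        entry = hits.setdefault(rec["id"], {"msg": rec.get("msg", ""), "uris": set()})
        entry["uris"].add(rec["uri"])
    return hits


def exclusion_config(ext, rule_ids):
    """Render a FilesMatch block that disables only the listed rule IDs for
    files with the given extension; '' when there is nothing to exclude."""
    if not rule_ids:
        return ""
    ids = " ".join(sorted(rule_ids, key=int))
    return (f'<FilesMatch "\\.{re.escape(ext)}$">\n'
            f"    SecRuleRemoveById {ids}\n"
            "</FilesMatch>\n")


if __name__ == "__main__":
    # On a real server: denials_by_extension(open("/path/to/error_log").read(), "ttf")
    hits = denials_by_extension(SAMPLE_LOG, "ttf")
    for rid, info in sorted(hits.items()):
        print(f"{rid}  {info['msg']}  ({len(info['uris'])} URI(s))")
    print(exclusion_config("ttf", hits) or "# no ModSecurity denials for .ttf: the block is elsewhere")
```

If the result is empty for the extension in question, ModSecurity is not what is blocking those files, which is quizknows' point about the 500 on the .font.js file. For URIs that do not map to a file on disk (rewritten or virtual paths), the same per-rule exclusion can be expressed as a SecRule on REQUEST_FILENAME with the ctl:ruleRemoveById action instead of a FilesMatch container.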
     