Exclude file extensions from Mod Security

NTar

Member
Apr 16, 2015
21
1
3
Netherlands
cPanel Access Level
Root Administrator
Hi guys,

After resolving all problems with Mod Security, I've got one question left.

It seems Mod Security forbids loading custom .ttf files (generally uploaded and enabled by our users themselves) for any visitor.

Is it possible to add an exception for these files?

For example, I've made this code below. Of course, it doesn't work, since I don't know how to exclude specific files from being blocked by Mod Security, so I used an existing rule with DirectoryMatch.

Code:
# DirectoryMatch tests the directory part of the path against the regex,
# so a file-name pattern is never seen here; FilesMatch tests the file name.
<DirectoryMatch "\.ttf$">
SecRuleRemoveById 950001
SecRuleRemoveById 950109
SecRuleRemoveById 950901
SecRuleRemoveById 958056
SecRuleRemoveById 958030
SecRuleRemoveById 958057
SecRuleRemoveById 958977
SecRuleRemoveById 959073
SecRuleRemoveById 959072
SecRuleRemoveById 960024
SecRuleRemoveById 960915
SecRuleRemoveById 970015
SecRuleRemoveById 970901
SecRuleRemoveById 973335
SecRuleRemoveById 973333
SecRuleRemoveById 973340
SecRuleRemoveById 973342
SecRuleRemoveById 973343
SecRuleRemoveById 973304
SecRuleRemoveById 973334
SecRuleRemoveById 973332
SecRuleRemoveById 973327
SecRuleRemoveById 973324
SecRuleRemoveById 973300
SecRuleRemoveById 973302
SecRuleRemoveById 970003
SecRuleRemoveById 973317
SecRuleRemoveById 973306
SecRuleRemoveById 913342
SecRuleRemoveById 973350
SecRuleRemoveById 950907
SecRuleRemoveById 981205
SecRuleRemoveById 981251
SecRuleRemoveById 981244
SecRuleRemoveById 981255
SecRuleRemoveById 981249
SecRuleRemoveById 981242
SecRuleRemoveById 981231
SecRuleRemoveById 981256
SecRuleRemoveById 981243
SecRuleRemoveById 981245
SecRuleRemoveById 981246
SecRuleRemoveById 981257
SecRuleRemoveById 981173
SecRuleRemoveById 981318
SecRuleRemoveById 981317
SecRuleRemoveById 981248
SecRuleRemoveById 981240
SecRuleRemoveById 981204
</DirectoryMatch>
I hope someone will help me out. Thanks! :)

- NTar
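As an added example (not from NTar's post and not cPanel's own configuration), here is how a rule exclusion would be scoped to font files rather than to a directory, assuming ModSecurity 2.x and using three of the CRS rule IDs from the post above; the exclusion rule id 1000100 and the extension list are assumptions:

```apache
# Added example, not from the thread. DirectoryMatch tests the directory
# part of the path, so it cannot select files by extension; FilesMatch
# tests the file name. Rule IDs are taken from the list in the post above.
<FilesMatch "\.(ttf|otf|woff2?|eot)$">
    SecRuleRemoveById 950001
    SecRuleRemoveById 960024
    SecRuleRemoveById 981204
</FilesMatch>

# The same exclusion written as a ModSecurity 2.7+ rule, so it is loaded with
# the other rules and can be found later by its own id. 1000100 is a
# placeholder; pick an id outside the ranges your rule set occupies.
SecRule REQUEST_FILENAME "@rx \.(ttf|otf|woff2?|eot)$" \
    "id:1000100,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=950001,ctl:ruleRemoveById=960024,ctl:ruleRemoveById=981204"
```

Only the IDs that the error_log shows firing on the font requests belong in such a block; removing fifty rules for a path is as broad as removing them site-wide for anything an attacker can make look like a font request.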
 

NTar

I've looked deeper into the problem and I can confirm the issue was cross-origin blocking. Adding this to my virtual host seems to fix the issue.

Code:
# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
Now I need to find a way to unblock .js files. :)

I've listed the error below.

Code:
"NetworkError: 500 Internal Server Error - http://domain*.com/*fontname*.font.js"
ReferenceError: Cufon is not defined - Cufon.replace('.cufon_headings',{ fontFamily: 'cufon', hover:'true' });
 
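An added example (not NTar's configuration) that limits the CORS headers to font files and to one named origin instead of sending a wildcard origin, a permissive method list and an Allow-Headers list on every response of the virtual host; https://www.example.test is a placeholder for the site whose CSS references the fonts:

```apache
# Added example, not from the thread. Fonts fetched through @font-face are
# plain GET requests, so a matching Access-Control-Allow-Origin header is all
# the browser needs; no OPTIONS rewrite or custom header list is required.
<FilesMatch "\.(ttf|otf|woff2?|eot)$">
    # Placeholder origin: replace with the site that embeds the fonts.
    Header always set Access-Control-Allow-Origin "https://www.example.test"
    # Caches must key on the requesting origin once the answer depends on it.
    Header merge Vary Origin
</FilesMatch>
```

Scoping the block this way keeps the wildcard origin and the Allow-Headers entry for authorization from being attached to application paths, where they would otherwise apply to every response the virtual host serves.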

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello,

Yes, the error in /usr/local/apache/logs/error_log should help you determine the rule ID that's preventing access.

Thank you.
 

NTar

Thanks for pointing out where to locate the error_log.

The error_log is about 200 Mb big in just a month. :eek: There are a lot of errors to find in here; I've listed the three most noticeable errors below.

Code:
[:error] [pid 16105] [client 94.215.**.***] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "*domain*"] [uri "/wp-content/themes/template/functions/admin_options/stylesheets/admin_options.css"] [unique_id "VWWRT5XS1W0AAD7pGoEAAAAC"]

[:error] [pid 12364] [client 145.7.***.**] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "*domain*"] [uri "/wp-content/uploads/2013/04/image92382-170x113.jpg"] [unique_id "VWa-iJXS1W0AADBMxMUAAAAQ"]

[core:error] [pid 9106] [client 95.97.***.**] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: *domain*
Especially the last one is something to look into. I've tried to Google it, but I didn't find a workaround to fix it. Looking forward to your reply! Thanks!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
The internal redirects error is either a problem with code, or an infinite redirect loop caused by an .htaccess error. Most likely it has nothing to do with ModSecurity unless the site's custom 404 handling is redirecting someone to a page which is blocked by ModSecurity. That would be obvious if it was happening, though.

The Geo Lookup and collections errors won't result in any particular file extensions being blocked. They are discussed in some other ModSecurity threads on here.

As far as I know, ModSecurity should not be restricting any access to .ttf files. If it were, you would see an obvious error telling you that. As far as I can tell, your 500 error referenced earlier is likely an application coding error.
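cPanelMichael's advice to read the rule ID out of /usr/local/apache/logs/error_log, and quizknows's point that the Geo Lookup, DBM and AH00124 lines are not rule hits at all, both come down to telling the line types apart in a 200 Mb file. The script below is an added example, not code from the thread or from cPanel: it parses the ModSecurity 2.x message format, counts each kind of line, maps every rule ID that actually fired to the URIs it fired on, and emits a ModSecurity 2.7+ exclusion scoped to one path. The sample input reuses the three lines quoted above plus two constructed rule hits; the host, file path, unique_id values and the exclusion rule id 1000001 are placeholders.

```python
"""Triage an Apache error_log for ModSecurity rule hits.

Added example, not code from the thread or from cPanel. Separates real rule
hits (they carry an [id "..."] tag) from ModSecurity's own housekeeping
errors and from Apache's AH00124 internal-redirect messages, and reports
which rule IDs fired on which URIs so an exclusion can be scoped to one
path instead of removing rules site-wide.
"""
import re
from collections import Counter, defaultdict

# Key/value tags ModSecurity appends to a message, e.g. [id "950001"] [uri "/x"].
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')


def parse_line(line):
    """Classify one error_log line and extract the ModSecurity tags on it."""
    record = {"kind": "other", "client": None, "tags": {}}
    match = CLIENT_RE.search(line)
    if match:
        record["client"] = match.group(1)
    if "AH00124" in line:
        # mod_rewrite/.htaccess loop reported by Apache core, not ModSecurity.
        record["kind"] = "redirect_loop"
        return record
    if "ModSecurity:" not in line:
        return record
    record["tags"] = dict(TAG_RE.findall(line))
    if "id" in record["tags"]:
        # A rule matched; "Access denied" means it blocked, otherwise it only logged.
        record["kind"] = "rule_hit"
        record["action"] = "denied" if "Access denied" in line else "logged"
    else:
        # Geo lookup / DBM permission errors: housekeeping, no rule fired.
        record["kind"] = "modsec_internal"
    return record


def summarize(log_text):
    """Count line kinds and map each rule ID to the URIs it fired on."""
    kinds = Counter()
    rule_uris = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kinds[rec["kind"]] += 1
        if rec["kind"] == "rule_hit":
            rule_uris[rec["tags"]["id"]].add(rec["tags"].get("uri", "?"))
    return {
        "kinds": dict(kinds),
        "rule_uris": {rid: sorted(uris) for rid, uris in rule_uris.items()},
    }


def scoped_exclusion(rule_id, uri, local_id):
    """ModSecurity 2.7+ directive that disables one rule for one path prefix.

    local_id is the id of the exclusion rule itself (every rule needs one);
    choose a number from a range your rule set does not use.
    """
    return (
        'SecRule REQUEST_URI "@beginsWith %s" '
        '"id:%d,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=%s"'
        % (uri, local_id, rule_id)
    )


# Sample input: the three lines quoted in the thread plus two constructed rule
# hits (placeholder hostname, file path, pattern and unique_id values).
SAMPLE_LOG = """
[:error] [pid 16105] [client 94.215.**.***] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "*domain*"] [uri "/wp-content/themes/template/functions/admin_options/stylesheets/admin_options.css"] [unique_id "VWWRT5XS1W0AAD7pGoEAAAAC"]
[:error] [pid 12364] [client 145.7.***.**] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "*domain*"] [uri "/wp-content/uploads/2013/04/image92382-170x113.jpg"] [unique_id "VWa-iJXS1W0AADBMxMUAAAAQ"]
[core:error] [pid 9106] [client 95.97.***.**] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: *domain*
[:error] [pid 2001] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed-pattern" at ARGS:q. [file "/placeholder/rules.conf"] [line "42"] [id "950001"] [msg "constructed message"] [severity "CRITICAL"] [hostname "example.test"] [uri "/index.php"] [unique_id "CONSTRUCTED1"]
[:error] [pid 2002] [client 203.0.113.11] ModSecurity: Warning. Pattern match "constructed-pattern" at ARGS:s. [file "/placeholder/rules.conf"] [line "42"] [id "950001"] [msg "constructed message"] [hostname "example.test"] [uri "/search.php"] [unique_id "CONSTRUCTED2"]
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["kinds"])
    for rid, uris in report["rule_uris"].items():
        for uri in uris:
            print(scoped_exclusion(rid, uri, 1000001))
```

Run against the real log with `summarize(open("/usr/local/apache/logs/error_log").read())`; a rule_hit count of zero for the font URIs confirms quizknows's reading that the 500 on the .font.js file is not ModSecurity's doing, while a non-zero redirect_loop count points at the rewrite rules instead.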