1.) Find the ModSec error in the Apache error logs with the following command (be sure to replace "1.2.23.5" in the command with your IP):
grep ModSec /usr/local/apache/logs/error_log | grep "1.2.23.5"
2.) The output of this command will give you a list of ModSecurity hits from your IP or your developer's IP, as in the example below. While the output may look intimidating, you only need to pay attention to the 3 highlighted bits of information.
Note:
Orange = client, the IP which tripped the rule (the [client ...] field)
Blue = ID number of the tripped rule within ModSec (the [id "..."] field)
Green = URI, the location where the error started from (the [uri "..."] field)
[Sat Aug 15 23:07:04.179801 2020] [:error] [pid 79117:tid 139708457797895] [client 1.2.23.5:30006] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "110"] [id "20000332"] [hostname "1.2.23.5"] [uri "/api/index.php"] [unique_id "WwjPWChxvG2DP5la-D55eQBBBDV"]
3.) Open the Easy Apache 4 configuration file:
vim /etc/apache2/conf.d/whitelist.conf
4.) Add the following text to the configuration. Remember to pay attention to the highlighted parts. Change the green “/api/index.php” to match your URI and the blue id to match the id of your error (Do not use the colon in this one).
<LocationMatch "/api/index.php">
SecRuleRemoveById 20000332
</LocationMatch>
5.) The final step for whitelisting, before you finalize the process, is to ensure you have correctly set up the whitelist. For Easy Apache 4 you will run the command:
apachectl -t
As long as the command returns "Syntax OK" you are safe to make the whitelist active by restarting Apache.
6.) Restart Apache with the following command.
/scripts/restartsrv_httpd
You have successfully whitelisted the URI in ModSec.
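Steps 1 to 4 as one script, added here as an example and not part of the original page: it pulls the rule id and URI for one client IP out of the log and prints a stanza to review before it goes into whitelist.conf. The function names and sample log lines are constructed; unlike the stanza in step 4, the generated pattern escapes and anchors the URI, because LocationMatch takes a regular expression and an unanchored pattern also disables the rule on other paths that contain it.

```shell
#!/bin/sh
# Added example: list ModSecurity denials for one client IP as "id uri" pairs,
# then print a whitelist stanza for each pair so it can be reviewed first.

# Constructed sample lines, shortened from the log format shown on the page.
sample_log() {
cat <<'EOF'
[Sat Aug 15 23:07:04 2020] [:error] [pid 1:tid 2] [client 1.2.23.5:30006] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [id "20000332"] [hostname "example.test"] [uri "/api/index.php"]
[Sat Aug 15 23:07:09 2020] [:error] [pid 1:tid 2] [client 1.2.23.5:30007] [client 1.2.23.5] ModSecurity: Access denied with code 406 (phase 2). [id "20000332"] [hostname "example.test"] [uri "/api/index.php"]
[Sat Aug 15 23:08:11 2020] [:error] [pid 1:tid 2] [client 1.2.23.50:41000] [client 1.2.23.50] ModSecurity: Access denied with code 406 (phase 2). [id "99999901"] [hostname "example.test"] [uri "/wp-login.php"]
[Sat Aug 15 23:09:00 2020] [core:error] [pid 1:tid 2] [client 1.2.23.5:30008] unrelated constructed error
EOF
}

# Read an error log on stdin; print unique "id uri" pairs for the given IP.
# Fixed-string matching on "[client IP]" / "[client IP:" keeps 1.2.23.5 from
# also matching 1.2.23.50, which a plain grep for the address would do.
modsec_hits() {
    awk -v ip="$1" '
        index($0, "ModSecurity:") &&
        (index($0, "[client " ip "]") || index($0, "[client " ip ":")) {
            if (!match($0, /\[id "[0-9]+"\]/)) next
            id = substr($0, RSTART + 5, RLENGTH - 7)
            if (!match($0, /\[uri "[^"]*"\]/)) next
            print id, substr($0, RSTART + 6, RLENGTH - 8)
        }' | sort -u
}

# Print a LocationMatch stanza for one rule id and URI. The id must be digits
# only (no trailing colon); regex metacharacters in the URI are escaped and
# the pattern is anchored so only that exact path loses the rule.
whitelist_stanza() {
    id=$1 uri=$2
    case $id in ''|*[!0-9]*) echo "bad rule id: $id" >&2; return 1 ;; esac
    esc=$(printf '%s\n' "$uri" | sed 's/[][\.*+?(){}|^$]/\\&/g')
    printf '<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n' "$esc" "$id"
}

# Demo on the constructed sample; on a server, feed the real error_log instead.
sample_log | modsec_hits 1.2.23.5 | while read -r id uri; do
    whitelist_stanza "$id" "$uri"
done
```

On a server, replace `sample_log |` with `< /usr/local/apache/logs/error_log`, paste the reviewed stanza into whitelist.conf, and continue with steps 5 and 6.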