Cannot disable modsecurity engine on Apache 2.4, Ubuntu 14.04

I recently upgraded from 12.04 LTS to 14.04 LTS, and I'm trying to cope with the changes in modsecurity.

At first, modsecurity seemed to be completely broken (it was listed as orphaned packages to be removed with autoremove). I autoremoved, deleted the old configs, and then installed libapache2-modsecurity.

This seemed to work; however, for some reason it seems to be ignoring commands in my virtual host files. In the past, I have created special rules for different types of sites, and completely disabled the rule engine on pages where it would throw tons of false positives (such as phpMyAdmin or WordPress administration) with the following commands in the virtual host file:

<Directory /xxx/phpmyadmin>
    SecRuleEngine Off
</Directory>

However, this no longer works. If I set in modsecurity.conf:

SecRuleEngine On

I cannot access the page at all - it immediately throws a 401 not permitted. The only solution I've found so far is to completely disable the engine in modsecurity.conf (even DetectionOnly will throw the errors):

SecRuleEngine Off

My question is, has something changed in Apache 2.4 that would ignore these directory-specific settings? I have tried surrounding it in an IfModule security2_module and also adding the command to a .htaccess file in the directory with no result.

Thanks!

1 Answer

So I think I've figured it out, though I can't find any documentation on Apache or modsecurity which would explain why it's not working the way it used to. Anyway, I'll post my solution here in case anyone else has the same problem.

Setting the SecRuleEngine flag in the modsecurity.conf file now overwrites all other values in virtual hosts, so it's either all on or all off. Setting it on here also seems to ignore SecRuleRemoveById flags in virtual hosts as well, which is pretty bad.

I've commented out the SecRuleEngine flag in modsecurity.conf, and I'm setting it on a folder-by-folder basis in my virtual hosts file. For example:

<Directory ***>
    <IfModule security2_module>
        SecRuleRemoveById xxxxxx
        SecRuleEngine On
    </IfModule>
</Directory>

This seems to be working for me now.
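Added example, not part of the original answer or of ModSecurity itself: a small Python audit that lists every SecRuleEngine and SecRuleRemoveById directive together with the config scope it sits in, so the global setting and each per-directory exception can be reviewed side by side. The sample configs, paths and rule id 900001 are constructed placeholders.

```python
import re

OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")
TRACKED = {"secruleengine", "secruleremovebyid"}

# Constructed sample configs (paths and rule id are placeholders).
MODSEC_CONF = "# modsecurity.conf\nSecRuleEngine On\n"
VHOST_CONF = """\
<VirtualHost *:80>
    <Directory /srv/example/phpmyadmin>
        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
    </Directory>
    <Directory /srv/example/blog>
        SecRuleRemoveById 900001
        SecRuleEngine On
    </Directory>
</VirtualHost>
"""

def audit(name, text):
    """Return (file, line, scope, directive, value) for each tracked directive."""
    stack, found = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if CLOSE.match(line):
            del stack[-1:]  # pop the innermost section; tolerate a stray closing tag
        elif m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
        elif line.split()[0].lower() in TRACKED:  # directive names are case-insensitive
            word, value = (line.split(None, 1) + [""])[:2]
            # <IfModule> only guards on module presence; it is not a scope of its own
            scope = [s for s in stack if not s.lower().startswith("ifmodule")]
            found.append((name, no, " > ".join(scope) or "server config", word, value))
    return found

def scoped_overrides(findings):
    """Scopes that set SecRuleEngine to anything other than On (WAF gaps to review)."""
    return [f[2] for f in findings if f[3].lower() == "secruleengine"
            and f[2] != "server config" and f[4].lower() != "on"]

if __name__ == "__main__":
    for row in audit("modsecurity.conf", MODSEC_CONF) + audit("vhost.conf", VHOST_CONF):
        print("%s:%d [%s] %s %s" % row)
```

To audit a real server, pass the contents of modsecurity.conf and each virtual host file to `audit()` instead of the embedded samples.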
