Disable Mod_Security2 for one domain

Remco00 (Verified User, joined Feb 22, 2006, 283 messages)
Is it possible to disable Mod_Security2 for just one domain? Will it be as simple as customizing the httpd.conf for the specific domain so it includes:

Code:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
 
Even the documentation leads you to believe that'll work, but it doesn't, I've tried:

Maybe actually putting this in the rule sets:
SecRule REQUEST_URI "^/PATH_TO_THE_DOMAIN/" "phase:1,allow,ctl:ruleEngine=off"


Note: I haven't tried this so I'm not responsible if it breaks. If REQUEST_URI doesn't work, then maybe there is another that would.
 
I read a ton of sites and some say it works and some say it doesn't. You might have better luck asking on wht.us ... it is way more active than here.
 
We're using this:

Code:
SecRule SERVER_NAME "www\.domain\.com$" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"

And this does work. But perhaps your given solution does too, I haven't checked.
 
And did you put that line at the very end of the .conf file or did you create a new rule for it?
 
Well, I just tested this on both a DA server and a non-DA server, but nothing works, so god knows how it's done.
 
It should not really matter where you would put this. But we have it just below the main configuration. It's the first rule for us.
 
Is it possible to disable Mod_Security2 for just one domain? Will it be as simple as customizing the httpd.conf for the specific domain so it includes:

Code:
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

Here I wrote a short How-To. Try it and update us with results.
 
I know this is an old topic, but I was looking for results on the howto zEitEr wrote.
I'm not able to get this to work. Apparently mod_security is still active although I can see
<IfModule mod_security2.c>
SecRuleEngine OFF
</IfModule>
in the user's httpd.conf.
Has anybody got any positive results with this configuration?
 
It was not disabled globally, but now it is.
The weird thing is that my owasp rules seem active although I disabled it in the httpd.conf for that domain. But the regular rules seem not to be active.
I'm testing if mod_security is enabled with the nikto.pl script. When I run this script against my test website it is generating lots of modsecurity audit log entries. That is why I think that modsecurity is still enabled.

I added the following rule in /etc/modsecurity2/modsecurity.conf for testing purposes and when I disable modsecurity for a domain this rule doesn't apply anymore, the webpage is displayed.
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"

Maybe I did something wrong with the rulesets. I enabled 2 rulesets: owasp and the default modsecurity.conf. This means I can enable modsecurity in 2 places server-wide and also for every domain. Now I have disabled them all, but still the nikto.pl script triggers modsecurity for this domain.

root@test:/etc# grep SecRuleEngine httpd/conf/extra/httpd-custom-modsecurity.conf
#SecRuleEngine DetectionOnly
SecRuleEngine Off
root@test:/etc# grep SecRuleEngine modsecurity2/modsecurity.conf
#SecRuleEngine DetectionOnly
SecRuleEngine Off
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
root@test:/etc# grep SecRuleEngine /usr/local/directadmin/data/users/admin/httpd.conf
SecRuleEngine OFF
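
Added example, not part of any post in this thread: a Python script that reads Apache configuration text and reports the SecRuleEngine mode each VirtualHost ends up with, plus every SecRule carrying ctl:ruleEngine, which is the check the greps above do by hand. The sample configuration, the host shop.example.net and the function name audit are constructed for illustration; the parser does not follow Include directives and, as an assumption, compares directive values case-insensitively.

```python
import re

# Constructed sample configuration (not taken from the servers in this thread).
SAMPLE = r'''
SecRuleEngine On
SecRule SERVER_NAME "www\.domain\.com$" "phase:1,nolog,noauditlog,allow,ctl:ruleEngine=Off"
<VirtualHost *:80>
    ServerName www.domain.com
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.net
</VirtualHost>
'''

ENGINE = re.compile(r'^\s*SecRuleEngine\s+(\S+)', re.I)
CTL = re.compile(r'ctl:ruleEngine=(\w+)', re.I)
VHOST_OPEN = re.compile(r'^\s*<VirtualHost\b', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>', re.I)
SERVER_NAME = re.compile(r'^\s*ServerName\s+(\S+)', re.I)


def audit(text):
    """Return (static engine mode per vhost, per-request ctl overrides)."""
    global_mode, vhosts, overrides = 'unset', [], []
    current = None  # dict for the vhost being parsed, or None at server level
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # skip commented-out lines such as "#SecRuleEngine DetectionOnly"
        if VHOST_OPEN.match(line):
            current = {'name': '?', 'mode': None}
        elif current is not None and VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
        elif current is not None and (m := SERVER_NAME.match(line)):
            current['name'] = m.group(1)
        elif m := ENGINE.match(line):
            mode = m.group(1).lower()  # assumption: value compared case-insensitively
            if current is None:
                global_mode = mode  # last server-level directive wins
            else:
                current['mode'] = mode
        elif line.lstrip().startswith('SecRule') and (m := CTL.search(line)):
            overrides.append((lineno, m.group(1).lower()))
    # A vhost without its own SecRuleEngine inherits the server-level mode.
    static = {v['name']: v['mode'] or global_mode for v in vhosts}
    return static, overrides
```

A host reported as off, or any entry in the overrides list, marks a place where requests skip the rule engine and is worth reviewing against what was intended.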
 