Mod Security 2 doesn't let users override it in .htaccess?

LawsHosting

Found this interesting article today (better late than never!)

http://blog.asmallorange.com/mod-security-override-no-longer-works/

So, earlier today, a customer let me know that mod-security 2 doesn’t support overriding mod-security via .htaccess.
Of course it does, I argued – we’ve been passing out the code for it since we upgraded to Apache 2 and Mod-Security 2 and it's been working since last summer. No, it doesn’t, he argued back - and I, of course, argued back that it does. So, we had to get a tie-breaker at our data center, and 4 system administrators debating the issues later, it appears that in mod-security 2.5, you all no longer have the ability to turn off mod-security protection on your sites yourselves.......
I mean, seriously? I agree it's safer but still a pain.

So, the best next thing is to make a whitelist.conf and insert the specific rule to disable it!

eg.
Code:
SecRule REQUEST_URI "^/home/<user>/domains/<domain>/public_html/<directory>" "phase:1,allow,ctl:ruleEngine=off"

I'm not sure this even works, putting the whole path to a directory, does it?
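
An added example, not part of the original post: in ModSecurity 2.x, REQUEST_URI holds the request URL (path plus query string), not the on-disk path, so a whitelist rule is written against the URL prefix and can be scoped to one site with SERVER_NAME. The host name, directory and rule IDs below are constructed placeholders.

```apache
# whitelist.conf (constructed example; host, directory and IDs are placeholders)
#
# REQUEST_URI is what the client sent, e.g. "/forum/admin/index.php?id=1".
# It never starts with "/home/<user>/domains/<domain>/public_html/", so a
# pattern anchored on the filesystem path does not match any request.

# Exception limited to one host name and one URL prefix.
# Both conditions of the chain must match before the ctl action runs.
SecRule SERVER_NAME "@streq www.example.com" \
    "phase:1,id:1000001,nolog,pass,chain"
    SecRule REQUEST_URI "@beginsWith /forum/admin/" \
        "ctl:ruleEngine=Off"

# Narrower alternative: keep the engine on and drop only the rule that
# produces the false positive. 999999 stands in for the rule ID reported
# in the audit log entry for the blocked request.
SecRule SERVER_NAME "@streq www.example.com" \
    "phase:1,id:1000002,nolog,pass,chain"
    SecRule REQUEST_URI "@beginsWith /forum/admin/" \
        "ctl:ruleRemoveById=999999"
```

The `id` action is optional in ModSecurity 2.5 and mandatory from 2.7 onward, so it is included here. Use one of the two rules, not both.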
 