How to disable ModSecurity rules for Drupal and Wordpress.
This guide is based on various community forum posts, and hours of frustration.
This guide is intended as a relatively easy step by step guide to:
- Disable Apache2 ModSecurity rules for Drupal and Wordpress.
- ModSecurity is a very powerful web application firewall but needs to be configured to work with Drupal and Wordpress.
- The ModSecurity rules can no longer be disabled in the .htaccess file and this guide explains how to disable the rules based on the specific location of a request on the server without having to disable rules for an entire domain in the httpd.conf file, by creating a local rule exceptions file.
Requirements:
- Webserver with ModSecurity setup and configured. Click here for How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
- Ubuntu/Debian based linux server is used as reference during tutorial but instructions are fairly generic for all implementations of ModSecurity.
1. View ModSecurity Audit Log File.
- We need to first find the rules that are being triggered by ModSecurity on your webserver.
- Open the tail end of the ModSecurity log file called modsec_audit.log to view the last entries made to the log file.
- For Apache2 servers it is located in /var/log/apache2/
- Open the Terminal Window and enter :
sudo tail /var/log/apache2/modsec_audit.log --lines 60 | less
- The output should look similar to this screenshot below.
- Look for Access denied with code 403 and work backwards to find the start of the rule entry based on the log entry id.
- In this case the log entry ID is --00aee77f (see marked in yellow)
- Find the GET item - in this example it is /modern-classic (see marked in blue)
- Find the ModSecurity rule that was triggered by the GET - in this example the rule id 958291 (see marked in purple)
2. Create a Local Exceptions ModSecurity rule file.
- To disable / exclude certain ModSecurity rules you need to create a local exceptions file.
- There are various places you can create this file you only need to make sure that ModSecurity loads it during startup.
- We are going to create a whitelist.conf file in the /etc/modsecurity/activated_rules/ directory as all files with .conf extension will be loaded during ModSecurity startup.
- Open the Terminal Window and enter :
sudo vi /etc/modsecurity/activated_rules/whitelist.conf
- For our example we add the location of the GET and ModSecurity rule id from step 1.
- Add the following to your whitelist.conf file and save :
<LocationMatch "/modern-classic">
SecRuleRemoveById 958291
</LocationMatch>
- You need to add the location as a regex of the directory path or file that is causing the ModSecurity rule to be triggered.
- In the following example we add the location directly to the file that triggers the ModSecurity rule.
<LocationMatch "/wp-admin/update.php">
SecRuleRemoveById 981173
</LocationMatch>
3. Restart Webserver.
- To the changes to take effect you need to restart you webserver.
- For Apache2 servers, open the Terminal Window and enter :
sudo service apache2 restart
No comments:
Post a Comment
** Comments are reviewed, but not delayed posted **