How to disable mod_security and mod_security2 in .htaccess
I've created a Wordpress plugin which became popular, but I'm getting lots of complaints that it's not working. After logging in to many users' WP websites (after asking for the admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests, or the .htaccess itself causing a 500 error on some configurations.
So first of all, why is this piece of code causing some servers to return a 500 error?
<IfModule mod_security2.c>
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
SecRuleRemoveById 950907
SecRuleRemoveById 950005
SecRuleRemoveById 950006
SecRuleRemoveById 960008
SecRuleRemoveById 960011
SecRuleRemoveById 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</IfModule>
On other servers, removing rules by id this way is causing a 500 error:
<IfModule mod_security.c>
SecRuleRemoveById 300015
...
SecRuleRemoveById phpids-61
</IfModule>
So for now the only working thing which is not causing any server to crash is:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
But it's not enough for servers with mod_security2!
How do I write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere they apply, without causing 500 errors on other configurations?
Edit: Not only in Apache. Anywhere where .htaccess is used.
Ryan C. Barnett, ModSecurity Community Manager, claimed:
Support for .htaccess files was discontinued in 2.x as it raised too many security issues.
source: http://article.gmane.org/gmane.comp.apache.mod-security.user/3065
The only directives that can be enabled in .htaccess are the following (since 2.7.3), but you need to ./configure --enable-htaccess-config:
SecRule
SecRuleRemoveByMsg
SecRuleRemoveById
SecRuleUpdateActionById
https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69
Displaying a message telling the user to contact the server administrator will be the last thing to do. First of all I'll try one of these solutions for automatic config creation:
Create 2-3 sandboxed .htaccess configs in subfolders
OR
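The sandboxed-subfolder probe described in the post above, as an added example that is not part of the original post and not code from the plugin it describes. The mechanism it relies on: Apache evaluates a directory's .htaccess for every request under that directory, and if the file contains a directive that is not permitted in .htaccess context (as SecRuleRemoveById is on a mod_security2 build without --enable-htaccess-config) the request fails with a 500 regardless of any <IfModule> wrapper, because <IfModule> only tests whether the module is loaded. So a trivially valid request for a static file under each sandbox tells you whether the host accepts that fragment. The function names, the msec-probe directory, and the use of the WordPress HTTP API (wp_remote_get, wp_mkdir_p, plugin_dir_path/plugin_dir_url) are assumptions for this example; the rule ids are the ones from the question.

```php
<?php
/**
 * Added example (not from the original post or the plugin it describes):
 * probe which ModSecurity-related .htaccess fragments a host accepts before
 * touching the site's real .htaccess. Assumes it runs inside a WordPress
 * plugin whose directory is web-reachable and honours .htaccess.
 */

// Candidate fragments, in the order we would prefer to ship them.
// "both" covers either server type; the single-module variants are kept
// so the probe results double as a diagnosis of which module is present.
function msec_candidate_fragments() {
    $ids = array('300015', '300016', '300017', '950907', '950005', '950006',
                 '960008', '960011', '960904', 'phpids-17', 'phpids-20',
                 'phpids-21', 'phpids-30', 'phpids-61');
    $remove = '';
    foreach ($ids as $id) {
        $remove .= "SecRuleRemoveById $id\n";
    }
    $v2 = "<IfModule mod_security2.c>\n" . $remove . "</IfModule>\n";
    $v1 = "<IfModule mod_security.c>\nSecFilterEngine Off\nSecFilterScanPOST Off\n</IfModule>\n";
    return array(
        'both'               => $v2 . $v1,
        'modsec2-remove-ids' => $v2,
        'modsec1-engine-off' => $v1,
    );
}

/**
 * Write each fragment into its own sandbox directory beside a static probe
 * file, fetch the probe over HTTP, then delete the sandbox again.
 * Returns fragment name => HTTP status (0 on transport error). A 500 means
 * the server rejected the directives; 200 means it accepted them.
 */
function msec_probe_fragments($base_path, $base_url, $fragments) {
    $root    = rtrim($base_path, '/') . '/msec-probe';
    $results = array();
    foreach ($fragments as $name => $fragment) {
        $dir = $root . '/' . $name;
        if (!wp_mkdir_p($dir)) {           // hypothetical failure path: unwritable plugin dir
            $results[$name] = 0;
            continue;
        }
        file_put_contents($dir . '/.htaccess', $fragment);
        file_put_contents($dir . '/probe.txt', "ok\n");

        // Cache-busting query string so a proxy or page cache cannot mask a 500.
        $url = rtrim($base_url, '/') . '/msec-probe/' . $name . '/probe.txt?t=' . time();
        $response = wp_remote_get($url, array('timeout' => 5));
        $results[$name] = is_wp_error($response)
            ? 0
            : (int) wp_remote_retrieve_response_code($response);

        // The fragment was only a test: never leave a WAF-disabling .htaccess behind.
        @unlink($dir . '/.htaccess');
        @unlink($dir . '/probe.txt');
        @rmdir($dir);
    }
    @rmdir($root);
    return $results;
}

/** First fragment, in preference order, that the host accepted (200); null if none. */
function msec_pick_fragment($fragments, $results) {
    foreach ($fragments as $name => $fragment) {
        if (isset($results[$name]) && $results[$name] === 200) {
            return $name;
        }
    }
    return null;
}

// Usage, e.g. from the plugin's activation hook: log the outcome rather than
// writing anything automatically, so the site owner can decide what to apply.
$fragments = msec_candidate_fragments();
$results   = msec_probe_fragments(plugin_dir_path(__FILE__), plugin_dir_url(__FILE__), $fragments);
$chosen    = msec_pick_fragment($fragments, $results);
error_log('ModSecurity .htaccess probe: ' . json_encode($results)
          . ' chosen=' . var_export($chosen, true));
```

A 200 only proves the host accepts the directives, not that they actually stop the WAF from blocking the plugin's AJAX calls; confirm that separately by replaying the blocked request under the chosen fragment. Prefer the narrowest fragment that works: the targeted SecRuleRemoveById list leaves the rest of the rule set active, whereas SecFilterEngine Off switches ModSecurity 1.x off for everything under that directory.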