堆栈内存溢出
  简体   繁体   English

如何在.htaccess中禁用mod_security和mod_security2

[英]How to disable mod_security and mod_security2 in .htaccess

 原文  2013-09-30 11:52:38       php/ ajax/ apache/ .htaccess/ mod-security

问题描述

I've created a Wordpress plugin which became popular but I'm getting lots of complaints that it's not working. 我创建了一个Wordpress插件,该插件变得很流行,但是我收到很多抱怨,称它不起作用。 After logging in to many user's WP websites(after asking for admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests or .htaccess which is causing 500 error on some configurations. 登录许多用户的WP网站后(询问管理员密码后),我注意到我无法轻易解决的最后一个问题是mod_security和mod_security2阻止了一些AJAX请求或.htaccess,这在某些配置上导致500错误。

So first of all why is this piece of code causing some servers to return 500 error 那么首先为什么这段代码会导致某些服务器返回500错误 

<IfModule mod_security2.c>
  SecRuleRemoveById 300015
  SecRuleRemoveById 300016
  SecRuleRemoveById 300017
  SecRuleRemoveById 950907
  SecRuleRemoveById 950005
  SecRuleRemoveById 950006
  SecRuleRemoveById 960008
  SecRuleRemoveById 960011
  SecRuleRemoveById 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61

on other servers removing rules by id this way is causing 500 error: 在其他服务器上以这种方式通过id删除规则会导致500错误: 

<IfModule mod_security.c>
  SecRuleRemoveById 300015
  ...
  SecRuleRemoveById phpids-61
</IfModule>

so for now the only working thing which is not causing any server to crash is 因此,目前唯一不会导致任何服务器崩溃的工作是 

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

but it's not enough for servers with mod_security2 ! 但是对于具有mod_security2的服务器来说还不够!

How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations? 如何编写跨服务器的.htaccess文件,以及应添加哪些IF条件以在任何适用的位置禁用mod_security和mod_security2,并且在其他配置下不会引起500错误?

Edit: Not only in Apache. 编辑:不仅在Apache中。 Anywhere where .htaccess is used. 使用.htaccess的任何地方。

2 个解决方案

解决方案1
 5  2013-10-05 10:44:33

Ryan C. Barnett, ModSecurity Community Manager claimed: ModSecurity社区经理Ryan C. Barnett声称:

Support for .htaccess files was discontinued in 2.x as it raised too many security issues. 在2.x中不再支持.htaccess文件,因为它引发了太多的安全问题。

source: http://article.gmane.org/gmane.comp.apache.mod-security.user/3065 来源: http//article.gmane.org/gmane.comp.apache.mod-security.user/3065

The only possible configuration that enable on htaccess are the following (since 2.7.3) but you need to ./configure --enable-htaccess-config : 以下是启用htaccess的唯一可能的配置(自2.7.3开始),但您需要./configure --enable-htaccess-config

  • SecAction 安全动作

  • SecRule 安全规则

  • SecRuleRemoveByMsg SecRuleRemoveByMsg

  • SecRuleRemoveByTag SecRuleRemoveByTag

  • SecRuleRemoveById SecRuleRemoveById

  • SecRuleUpdateActionById SecRuleUpdateActionById

  • SecRuleUpdateTargetById SecRuleUpdateTargetById
  • SecRuleUpdateTargetByTag SecRuleUpdateTargetByTag
  • SecRuleUpdateTargetByMsg SecRuleUpdateTargetByMsg

https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69 https://github.com/SpiderLabs/ModSecurity/blob/876d4f5f9558595c00f40af25ea6216386f15cd7/CHANGES#L69

解决方案2
 0 已采纳  2013-10-11 16:15:24

Displaying a message telling to contact server administrator will be the last thing to do. 显示消息告诉联系服务器管理员将是最后要做的事情。 First of all I'll try one of this solutions for automatic config creation: 首先,我将尝试使用以下解决方案之一来自动创建配置:

Create 2-3 sandboxed .htaccess configs in subfolders 在子文件夹中创建2-3个沙盒.htaccess配置

  1. During plugin activation test configs one by one with simulated remote AJAX test 在插件激活测试期间,使用模拟的远程AJAX测试一一配置
  2. Start from the best general settings config subfolder 从最佳常规设置config子文件夹开始
  3. Check for AJAX proxy script calls and image, style etc. files access in this folder 检查此文件夹中的AJAX代理脚本调用和图像,样式等文件访问
  4. After finding successful(unblocking and not crashing) config, save selected .htaccess file to the folder containing AJAX proxy PHP file 找到成功的配置(取消阻止且不会崩溃)后,将选定的.htaccess文件保存到包含AJAX代理PHP文件的文件夹中
  5. If none of the configs (or built-in wordpress AJAX script - not very reliable) is functional display an error telling to contact server admin to allow htaccess for given folder 如果所有配置(或内置的wordpress AJAX脚本-不太可靠)都无法正常显示,则会显示一条错误消息,告知联系服务器管理员以允许对指定文件夹进行htaccess

OR 要么

  1. Check loaded modules with PHP 使用PHP检查加载的模块
  2. add SecRuleRemoveById id only if mod_security2 is present to prevent basic mod_security crashing 仅当存在mod_security2时才添加SecRuleRemoveById id以防止基本的mod_security崩溃

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在 .htaccess 文件中禁用 mod_security? - How can I disable mod_security in .htaccess file? 网址中带有“〜”字样的Mod_security 406 - Mod_security 406 with a '~' in the URL 禁用bridge.php脚本的mod_security - disable mod_security for a bridge.php script 如何编写mod_security友好的PHP代码? - How to write mod_security friendly PHP code? 如何检查是否使用PHP激活mod_security(没有卷曲) - How to check if mod_security is activated with PHP (without curl) 如何在不使用mod_security的情况下允许在查询字符串中使用http? - How to Allow http in query string without using mod_security? 在EC2上安装mod_security - Installing mod_security on EC2 检测是否使用PHP安装了Mod_Security? - Detect if Mod_Security Is Installed With PHP? PHP共享主机和mod_security - php shared host and mod_security 如何在 Windows 2008 IIS 上启用 mod_security - How to enable mod_security on Windows 2008 IIS
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM