对于某些人来说,这可能是一个显而易见的问题,但我不明白为什么 ModSec 忽略了我的规则例外。
我正在使用 Debian 10 和 SSL 安全 URL 来监控 Monit 软件,该软件在www.example.com:3286其上运行,经我的 Apache2 错误日志验证,触发 modsec 规则 id 920350,从而阻止我访问 Monit Web 界面。
我使用此命令将规则例外附加到modsecurity.conf:
echo "SecRuleRemoveById 920350" >> /etc/modsecurity/modsecurity.conf
我回去验证了它的存在。然后重新启动了 Apache,但规则被忽略了。
因此,我尝试将异常直接添加到www.example.com使用以下方法的虚拟主机:
<ifModule mod_security2.c>
SecRuleRemoveById 920350
</ifModule>
然后再次重新启动Apache,异常再次被忽略。
我错过了什么?
附加信息
/etc/modsecurity 的文件/文件夹结构:
crs- 子文件夹modsecurity.conf- 文件modsecurity.conf-recommended- 文件RESPONSE-999-EXCLUSION-RULES-AFTER-CRS- 文件unicode.mapping- 文件crs- 子文件夹内容crs-setup.conf- 文件REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf- 文件RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf- 文件
此外,根据要求:我编辑的 vhost 文件:
# cat 100-example.com.vhost
<Directory /var/www/example.com>
AllowOverride None
Require all denied
</Directory>
<VirtualHost *:80>
DocumentRoot /var/www/clients/client5/web6/web
ServerName example.com
ServerAlias www.example.com
ServerAdmin [email protected]
ErrorLog /var/log/ispconfig/httpd/example.com/error.log
<Directory /var/www/example.com/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client5/web6/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<IfModule mod_python.c>
<Directory /var/www/example.com/web>
<FilesMatch "\.py$">
SetHandler mod_python
</FilesMatch>
PythonHandler mod_python.publisher
PythonDebug On
</Directory>
<Directory /var/www/clients/client5/web6/web>
<FilesMatch "\.py$">
SetHandler mod_python
</FilesMatch>
PythonHandler mod_python.publisher
PythonDebug On
</Directory>
</IfModule>
# cgi enabled
<Directory /var/www/clients/client5/web6/cgi-bin>
AllowOverride All
Require all granted
</Directory>
ScriptAlias /cgi-bin/ /var/www/clients/client5/web6/cgi-bin/
<FilesMatch "\.(cgi|pl)$">
SetHandler cgi-script
</FilesMatch>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web1 client1
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client5/web6/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/example.com/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
<Directory /var/www/clients/client5/web6/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-80-example.com
FastCgiExternalServer /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-80-example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web1.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web1.sock|fcgi://localhost//var/www/clients/client5/web6/web/$1
<Directory /var/www/clients/client5/web6/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler "proxy:unix:/var/lib/php7.3-fpm/web1.sock|fcgi://localhost"
</If>
</FilesMatch>
</Directory>
</IfModule>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web1 client1
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client5/web6/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
#SecRuleRemoveById 920350
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client5/web6/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
# skipping apache_directives, as that will be handled by the ssl vhost
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/clients/client5/web6/web
ServerName example.com
ServerAlias www.example.com
ServerAdmin [email protected]
<IfModule mod_http2.c>
Protocols h2 http/1.1
</IfModule>
<IfModule mod_brotli.c>
AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
</IfModule>
ErrorLog /var/log/ispconfig/httpd/example.com/error.log
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
# <IfModule mod_headers.c>
# Header always add Strict-Transport-Security "max-age=15768000"
# </IfModule>
SSLCertificateFile /var/www/clients/client5/web6/ssl/example.com-le.crt
SSLCertificateKeyFile /var/www/clients/client5/web6/ssl/example.com-le.key
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</IfModule>
<Directory /var/www/example.com/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/clients/client5/web6/web>
# Clear PHP settings of this website
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler None
</FilesMatch>
Options +SymlinksIfOwnerMatch
AllowOverride All
Require all granted
</Directory>
<IfModule mod_python.c>
<Directory /var/www/example.com/web>
<FilesMatch "\.py$">
SetHandler mod_python
</FilesMatch>
PythonHandler mod_python.publisher
PythonDebug On
</Directory>
<Directory /var/www/clients/client5/web6/web>
<FilesMatch "\.py$">
SetHandler mod_python
</FilesMatch>
PythonHandler mod_python.publisher
PythonDebug On
</Directory>
</IfModule>
# cgi enabled
<Directory /var/www/clients/client5/web6/cgi-bin>
AllowOverride All
Require all granted
</Directory>
ScriptAlias /cgi-bin/ /var/www/clients/client5/web6/cgi-bin/
<FilesMatch "\.(cgi|pl)$">
SetHandler cgi-script
</FilesMatch>
# suexec enabled
<IfModule mod_suexec.c>
SuexecUserGroup web1 client1
</IfModule>
<IfModule mod_fastcgi.c>
<Directory /var/www/clients/client5/web6/cgi-bin>
Require all granted
</Directory>
<Directory /var/www/example.com/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
<Directory /var/www/clients/client5/web6/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler php-fcgi
</If>
</FilesMatch>
</Directory>
Action php-fcgi /php-fcgi virtual
Alias /php-fcgi /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-443-example.com
FastCgiExternalServer /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-443-example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web1.sock -pass-header Authorization -pass-header Content-Type
</IfModule>
<IfModule mod_proxy_fcgi.c>
#ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web1.sock|fcgi://localhost//var/www/clients/client5/web6/web/$1
<Directory /var/www/clients/client5/web6/web>
<FilesMatch "\.php[345]?$">
<If "-f '%{REQUEST_FILENAME}'">
SetHandler "proxy:unix:/var/lib/php7.3-fpm/web1.sock|fcgi://localhost"
</If>
</FilesMatch>
</Directory>
</IfModule>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
# add support for apache mpm_itk
<IfModule mpm_itk_module>
AssignUserId web1 client1
</IfModule>
<IfModule mod_dav_fs.c>
# Do not execute PHP files in webdav directory
<Directory /var/www/clients/client5/web6/webdav>
<ifModule mod_security2.c>
SecRuleRemoveById 960015
SecRuleRemoveById 960032
</ifModule>
<FilesMatch "\.ph(p3?|tml)$">
SetHandler None
</FilesMatch>
</Directory>
DavLockDB /var/www/clients/client5/web6/tmp/DavLock
# DO NOT REMOVE THE COMMENTS!
# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
# WEBDAV BEGIN
# WEBDAV END
</IfModule>
</VirtualHost>
<IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>