Why is my ModSecurity rule exception being ignored?

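This may be an obvious question to some, but I can't figure out why ModSec is ignoring my rule exception.

I'm running Debian 10 and using an SSL-secured URL to reach the Monit software, which runs on www.example.com:3286. As verified in my Apache2 error log, this triggers ModSec rule id 920350, which blocks me from accessing the Monit web interface.

I used this command to append the rule exception to modsecurity.conf: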

echo "SecRuleRemoveById 920350" >> /etc/modsecurity/modsecurity.conf

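I went back and verified that it was there. I then restarted Apache, but the rule was ignored.

So I tried adding the exception directly to the www.example.com virtual host using the following: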

<ifModule mod_security2.c>
    SecRuleRemoveById 920350
</ifModule>

Then I restarted Apache again, and the exception was ignored again.

What am I missing?

Additional information

File/folder structure of /etc/modsecurity:

  • crs - subfolder
  • modsecurity.conf - file
  • modsecurity.conf-recommended - file
  • RESPONSE-999-EXCLUSION-RULES-AFTER-CRS - file
  • unicode.mapping - file
  • crs - subfolder contents
  • crs-setup.conf - file
  • REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf - file
  • RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf - file

Also, as requested: the vhost file I edited:

# cat 100-example.com.vhost

<Directory /var/www/example.com>
  AllowOverride None
  Require all denied
</Directory>

<VirtualHost *:80>

  DocumentRoot /var/www/clients/client5/web6/web

  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin [email protected]

  ErrorLog /var/log/ispconfig/httpd/example.com/error.log

  <Directory /var/www/example.com/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
      SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
  </Directory>

  <Directory /var/www/clients/client5/web6/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
      SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
  </Directory>

  <IfModule mod_python.c>
    <Directory /var/www/example.com/web>
      <FilesMatch "\.py$">
      SetHandler mod_python
      </FilesMatch>
      PythonHandler mod_python.publisher
      PythonDebug On
    </Directory>
    <Directory /var/www/clients/client5/web6/web>
      <FilesMatch "\.py$">
      SetHandler mod_python
      </FilesMatch>
      PythonHandler mod_python.publisher
      PythonDebug On
    </Directory>
  </IfModule>

  # cgi enabled
  <Directory /var/www/clients/client5/web6/cgi-bin>
    AllowOverride All
    Require all granted
  </Directory>
  ScriptAlias  /cgi-bin/ /var/www/clients/client5/web6/cgi-bin/
  <FilesMatch "\.(cgi|pl)$">
  SetHandler cgi-script
  </FilesMatch>
  # suexec enabled
  <IfModule mod_suexec.c>
    SuexecUserGroup web1 client1
  </IfModule>
  <IfModule mod_fastcgi.c>
    <Directory /var/www/clients/client5/web6/cgi-bin>
      Require all granted
    </Directory>
    <Directory /var/www/example.com/web>
      <FilesMatch "\.php[345]?$">
      <If "-f '%{REQUEST_FILENAME}'">
      SetHandler php-fcgi
      </If>
      </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client5/web6/web>
      <FilesMatch "\.php[345]?$">
      <If "-f '%{REQUEST_FILENAME}'">
      SetHandler php-fcgi
      </If>
      </FilesMatch>
    </Directory>
    Action php-fcgi /php-fcgi virtual
    Alias /php-fcgi /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-80-example.com
    FastCgiExternalServer /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-80-example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web1.sock -pass-header Authorization  -pass-header Content-Type
  </IfModule>
  <IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web1.sock|fcgi://localhost//var/www/clients/client5/web6/web/$1
    <Directory /var/www/clients/client5/web6/web>
      <FilesMatch "\.php[345]?$">
        <If "-f '%{REQUEST_FILENAME}'">
          SetHandler "proxy:unix:/var/lib/php7.3-fpm/web1.sock|fcgi://localhost"
        </If>
      </FilesMatch>
    </Directory>
  </IfModule>


  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
  RewriteRule ^ - [END]
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]

  # add support for apache mpm_itk
  <IfModule mpm_itk_module>
    AssignUserId web1 client1
  </IfModule>

  <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client5/web6/webdav>
    <ifModule mod_security2.c>
      SecRuleRemoveById 960015
      SecRuleRemoveById 960032
      #SecRuleRemoveById 920350
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client5/web6/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
  </IfModule>

  # skipping apache_directives, as that will be handled by the ssl vhost

</VirtualHost>


<VirtualHost *:443>

  DocumentRoot /var/www/clients/client5/web6/web

  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin [email protected]

  <IfModule mod_http2.c>
    Protocols h2 http/1.1
  </IfModule>

  <IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
  </IfModule>

  ErrorLog /var/log/ispconfig/httpd/example.com/error.log

  <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder     on
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    SSLCertificateFile /var/www/clients/client5/web6/ssl/example.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client5/web6/ssl/example.com-le.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
  </IfModule>

  <Directory /var/www/example.com/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
      SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
  </Directory>
  <Directory /var/www/clients/client5/web6/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
      SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
  </Directory>


  <IfModule mod_python.c>
    <Directory /var/www/example.com/web>
      <FilesMatch "\.py$">
        SetHandler mod_python
      </FilesMatch>
      PythonHandler mod_python.publisher
      PythonDebug On
    </Directory>
    <Directory /var/www/clients/client5/web6/web>
      <FilesMatch "\.py$">
        SetHandler mod_python
      </FilesMatch>
      PythonHandler mod_python.publisher
      PythonDebug On
    </Directory>
  </IfModule>

  # cgi enabled
  <Directory /var/www/clients/client5/web6/cgi-bin>
    AllowOverride All
    Require all granted
  </Directory>
  ScriptAlias  /cgi-bin/ /var/www/clients/client5/web6/cgi-bin/
  <FilesMatch "\.(cgi|pl)$">
    SetHandler cgi-script
  </FilesMatch>
  # suexec enabled
  <IfModule mod_suexec.c>
    SuexecUserGroup web1 client1
  </IfModule>
  <IfModule mod_fastcgi.c>
    <Directory /var/www/clients/client5/web6/cgi-bin>
    Require all granted
    </Directory>
    <Directory /var/www/example.com/web>
      <FilesMatch "\.php[345]?$">
        <If "-f '%{REQUEST_FILENAME}'">
          SetHandler php-fcgi
        </If>
      </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client5/web6/web>
      <FilesMatch "\.php[345]?$">
        <If "-f '%{REQUEST_FILENAME}'">
          SetHandler php-fcgi
        </If>
      </FilesMatch>
    </Directory>
    Action php-fcgi /php-fcgi virtual
    Alias /php-fcgi /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-443-example.com
    FastCgiExternalServer /var/www/clients/client5/web6/cgi-bin/php-fcgi-*-443-example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web1.sock -pass-header Authorization  -pass-header Content-Type
  </IfModule>
  <IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web1.sock|fcgi://localhost//var/www/clients/client5/web6/web/$1
    <Directory /var/www/clients/client5/web6/web>
      <FilesMatch "\.php[345]?$">
        <If "-f '%{REQUEST_FILENAME}'">
          SetHandler "proxy:unix:/var/lib/php7.3-fpm/web1.sock|fcgi://localhost"
        </If>
      </FilesMatch>
    </Directory>
  </IfModule>


  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
  RewriteRule ^ - [END]

  # add support for apache mpm_itk
  <IfModule mpm_itk_module>
    AssignUserId web1 client1
  </IfModule>

  <IfModule mod_dav_fs.c>
  # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client5/web6/webdav>
      <ifModule mod_security2.c>
        SecRuleRemoveById 960015
        SecRuleRemoveById 960032
      </ifModule>
      <FilesMatch "\.ph(p3?|tml)$">
        SetHandler None
      </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client5/web6/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
  </IfModule>

</VirtualHost>

<IfModule mod_ssl.c>
 SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
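
Added example (not part of the original question and not the asker's configuration): the ModSecurity v2 reference manual requires `SecRuleRemoveById` to be specified after the rule it disables, so this shell function reports, for config files passed in their load order, whether each active removal of a rule ID comes before or after the rule's definition. The file names and contents are constructed samples, and the order of the arguments is an assumption that must match your own Include order.

```shell
#!/bin/sh
# check_removal_order ID FILE...
# FILEs must be given in the order Apache loads them (assumption: you know
# your Include order). Prints one line per active SecRuleRemoveById that
# covers ID: TOO-EARLY if the rule was not yet defined, EFFECTIVE otherwise.
check_removal_order() {
  id=$1; shift
  awk -v id="$id" '
    /^[ \t]*#/ { next }                     # commented-out lines do nothing
    /^[ \t]*SecRuleRemoveById[ \t]/ {
      hit = 0
      for (i = 2; i <= NF; i++) {           # arguments: single IDs or "a-b" ranges
        arg = $i; gsub(/"/, "", arg)
        n = split(arg, r, "-")
        if (n == 1 && arg == id) hit = 1
        if (n == 2 && id + 0 >= r[1] + 0 && id + 0 <= r[2] + 0) hit = 1
      }
      if (hit) printf "%s %s:%d\n", (defined ? "EFFECTIVE" : "TOO-EARLY"), FILENAME, FNR
      next
    }
    $0 ~ ("id:" id "([^0-9]|$)") { defined = 1 }   # rule definition reached
  ' "$@"
}

# Constructed sample files (not the real config from the question).
make_sample() {
  d=$(mktemp -d)
  printf '%s\n' 'SecRuleEngine On' 'SecRuleRemoveById 920350' \
    > "$d/modsecurity.conf"
  printf '%s\n' 'SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \' \
    '    "id:920350,phase:2,block"' > "$d/crs.conf"
  printf '%s\n' '<IfModule mod_security2.c>' '  #SecRuleRemoveById 920350' \
    '  SecRuleRemoveById 960015 "920300-920399"' '</IfModule>' > "$d/vhost.conf"
  echo "$d"
}

d=$(make_sample)
check_removal_order 920350 "$d/modsecurity.conf" "$d/crs.conf" "$d/vhost.conf"
rm -rf "$d"
```

A removal placed where it takes effect still applies only within the context (server, virtual host or directory) that contains it, so also confirm that the blocked request is served by that context.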
