SecRuleEngine Off does not take effect for a single domain in a virtual host

I have modSecurity installed and running on a server that hosts several sites, and I want to disable a few rules for just one of those hosts. This is what I put in the virtual host file:

 <IfModule mod_security2.c>
    SecRuleEngine On
    SecRuleRemoveById 981173
 </IfModule>

That did not work, so I changed it to this:

 <IfModule mod_security2.c>
    SecRuleEngine Off
 </IfModule>

That did not work either; the rules still apply to this site. At the moment my only option is to turn modSecurity off completely, which is obviously not what I want.

Here is the mod_security.conf file:

LoadModule security2_module modules/mod_security2.so

<IfModule !mod_unique_id.c>
    LoadModule unique_id_module modules/mod_unique_id.so
</IfModule>
<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine Off
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security

    # ModSecurity Core Rules Set and Local configuration
       Include modsecurity.d/*.conf
       Include modsecurity.d/activated_rules/*.conf
       Include modsecurity.d/local_rules/*.conf
#       Include modsecurity-crs/modsecurity_crs_10_config.conf
#       Include modsecurity-crs/base_rules/*.conf

</IfModule>

Here is the full virtual host file:

<VirtualHost *:443>
  ServerName domain.com

  DocumentRoot "/var/www/domain"
  DirectoryIndex index.php
  ErrorLog /var/log/httpd/domain.com-error_log
  CustomLog /var/log/httpd/domain.com-access_log combined

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # note: this list still permits RC4 (EECDH+aRSA+RC4, RC4); RFC 7465 prohibits RC4 cipher suites in TLS
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
  SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/www.domain.com/chain.pem

  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

 <IfModule mod_security2.c>
    SecRuleEngine On
    SecRuleRemoveById 981173
 </IfModule>

  <Directory "/var/www/domain">
    AllowOverride All
    Allow from All
  </Directory>
</VirtualHost> 

Any suggestions on how to make this work?

Answer 1

If you define the ModSecurity rules after the vhost is loaded, they may override your vhost settings.

The best way to handle this is to explicitly turn ModSecurity off based on the requested server name, using a new rule:

SecRule SERVER_NAME "domain\.com$" \
     "phase:1,id:1000,nolog, \
     ctl:ruleRemoveById=981173, \
     ctl:ruleRemoveById=1234, \
     ctl:ruleRemoveById=1235"

For several domains you can change the regular expression, for example:

SecRule SERVER_NAME "(domain\.com|domain2\.com|domain3\.com)$" \
     "phase:1,id:1000,nolog, \
     ctl:ruleRemoveById=981173, \
     ctl:ruleRemoveById=1234, \
     ctl:ruleRemoveById=1235"

Or perhaps:

SecRule SERVER_NAME "(domain|domain2|domain3)\.com$" \
     "phase:1,id:1000,nolog, \
     ctl:ruleRemoveById=981173, \
     ctl:ruleRemoveById=1234, \
     ctl:ruleRemoveById=1235"

Or just have separate rules. Note that every rule needs a unique ID.

This way ModSecurity will process that rule and dynamically switch off the rules you listed for that host. The rule should be defined in the configuration that turns the rule engine on, but before any other rules are defined. Depending on your configuration, that might be just before the "SecRequestBodyAccess On" line.

The alternative is to define the rules separately in each vhost configuration, but the idea above is easier.
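As an added worked example (not from the question or the answer above), here is a complete layout of the technique: the engine is switched on globally, and phase-1 rules keyed on SERVER_NAME use ctl actions to trim or disable it per host before the CRS is included. It also covers the case the question title actually asks for, turning the engine off for one host, via ctl:ruleEngine=Off, and a DetectionOnly variant for a staging host. Assumptions: ModSecurity 2.x on Apache httpd, the CRS pulled in by the same Include lines as in the question's mod_security.conf, and placeholder hostnames (domain.com, legacy.example.com, staging.example.com) and rule IDs 1000 to 1002.

```apache
# Added example, not the page's own config. Assumes ModSecurity 2.x on Apache,
# CRS loaded via the Include lines below, placeholder hostnames and IDs.

<IfModule mod_security2.c>
    # The engine must be On here: with SecRuleEngine Off no SecRule is evaluated
    # at all, so the ctl actions below would never run. Per-host behaviour is
    # decided at request time by the rules that follow.
    SecRuleEngine On
    SecRequestBodyAccess On

    # --- Per-host exclusions: phase 1, placed BEFORE the CRS includes ---
    # SERVER_NAME is taken from the request, so anchor the pattern at both
    # ends: a bare "domain\.com$" would also match "notdomain.com".

    # 1) Keep the engine on for domain.com but drop one CRS rule for it.
    SecRule SERVER_NAME "@rx ^(?:www\.)?domain\.com$" \
        "id:1000,phase:1,pass,nolog,t:none,t:lowercase, \
         ctl:ruleRemoveById=981173"

    # 2) Turn the engine off entirely for legacy.example.com only. This is the
    #    per-host equivalent of 'SecRuleEngine Off' in a vhost: after this rule
    #    fires, no further rules are evaluated for that transaction.
    SecRule SERVER_NAME "@rx ^legacy\.example\.com$" \
        "id:1001,phase:1,pass,nolog,t:none,t:lowercase, \
         ctl:ruleEngine=Off"

    # 3) Log-only mode for a staging host instead of fully Off, so the audit
    #    log still shows what the CRS would have blocked.
    SecRule SERVER_NAME "@rx ^staging\.example\.com$" \
        "id:1002,phase:1,pass,nolog,t:none,t:lowercase, \
         ctl:ruleEngine=DetectionOnly"

    # --- The rest stays as in the question's mod_security.conf ---
    Include modsecurity.d/*.conf
    Include modsecurity.d/activated_rules/*.conf
    Include modsecurity.d/local_rules/*.conf
</IfModule>
```

Check the result with `apachectl configtest` before restarting; ModSecurity rejects duplicate rule IDs at startup, so each exclusion rule needs its own ID as the answer notes. To confirm the exclusion is actually applied, temporarily raise SecDebugLogLevel and send a request with the Host header of the excluded site; modsec_debug.log should show that rule 981173 is no longer evaluated for that host while it still fires for the others.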
