Does a mod_security error block a visitor

mod-security

Does a mod_security execution/rule error, or errors in general, block users from visiting my website? I've got many rule and execution errors; I've just whitelisted these rules, but maybe I could just ignore them.

The website is in production with visitors, so I don't want to try and see whether I get blocked if I enable modsec in "sharp" mode.

Thanks in advance.

Best Answer

It depends on how the rules are written, but in general, yes, rules are written to block.

Other than that, I can't really answer unless you give more specifics on which rules you're running. The most common is the OWASP Core Rule Set, most of which is designed to block, depending on which detection mode you are running it in.

Best practice is to run ModSecurity in DetectionOnly mode initially and fine tune rules with overrides to remove the inevitable false positives, before you switch to the blocking "On" mode.

DetectionOnly mode should not allow any "disruptive actions" like blocking, with a couple of important things to be aware of:

1) Rules can override this with a ctl action to switch from DetectionOnly to On. I'm not aware of any CRS rules which do this.

2) "Allow" counts as a disruptive action. This action is used to whitelist certain actions or calls, for example to reduce unnecessary invocation of ModSecurity rules for static resources. In DetectionOnly mode this action is ignored and all subsequent rules are run. In On mode this action would kick in and ModSecurity would skip the rest of the request. I think this is counter-intuitive, and allow should not be considered a "disruptive action", so that DetectionOnly more closely resembles On mode without the blocking. Therefore, when I add any rules with the "allow" action I also add "ctl:ruleEngine=On" to force the allow even in DetectionOnly mode.

Adding appropriate "allow" whitelisting can be very important for performance on high-load servers, and I would encourage its use. The CRS has a couple of these as optional rules, but in my opinion they don't go far enough.
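The configuration below is an added example, not part of the original answer or of the CRS. It shows the pieces the answer describes for ModSecurity 2.x: starting in DetectionOnly, a static-resource whitelist rule that forces its own "allow" with ctl:ruleEngine=On, and the directives used to tune out a false positive before switching to blocking. The rule ID 10001, the list of file extensions, and the use of CRS rule 942100 against a form field named "comment" are assumptions made for illustration; adapt them to your site and your own audit log.

```apache
# Added example configuration (not from the original answer). Assumes ModSecurity 2.x
# and that the OWASP CRS is included AFTER this file, so the allow rule runs first.

# Step 1: detection-only. Rules match, log and score, but no disruptive action
# (deny, drop, redirect, and, note, allow) actually takes effect.
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# Step 2: whitelist static resources so the rest of the rule chain is skipped.
# "allow" is itself disruptive, so in DetectionOnly mode it would be ignored and
# every CRS rule would still run for each image/stylesheet. ctl:ruleEngine=On
# switches the engine on for this transaction first, so the allow fires even while
# the global setting is DetectionOnly. ID 10001 sits in the 1-99999 range reserved
# for local rules; the extension list is an assumption about this site's assets.
SecRule REQUEST_FILENAME "@rx \.(?:css|js|gif|jpe?g|png|svg|woff2?|ico)$" \
    "id:10001,phase:1,t:none,t:lowercase,nolog,ctl:ruleEngine=On,allow"

# Step 3: tune false positives found in the audit log during DetectionOnly.
# Prefer narrowing a rule's targets over removing it outright. Hypothetical case:
# CRS rule 942100 (libinjection SQLi check) fires on free text in a field named
# "comment", so exclude just that argument from that rule.
SecRuleUpdateTargetById 942100 "!ARGS:comment"

# Only remove a rule entirely when no narrower exclusion fits (placeholder ID).
# SecRuleRemoveById 900000

# Step 4: after tuning, switch to blocking. Keep the DetectionOnly line commented
# out above, or use "SecRuleEngine On" and roll back if the audit log shows
# legitimate traffic being denied.
# SecRuleEngine On
```

Order matters: the whitelist rule must be loaded before the CRS includes, because "allow" only skips rules that come after it. Note that a bare "allow" skips the remaining request and response phases but not the logging phase, so whitelisted requests still appear in the audit log if other rules matched before the allow; use "allow:phase" if you only want to skip the current phase.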