ModSecurity – How to Exclude ModSecurity Rules by Hostname

firewallmod-securityweb-application-firewall

I'm using OWASP core rule set 3.2.0 set up with ModSecurity 3.0.4 and ModSecurity-nginx.

If I have a rule exclusion like this, in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:

 SecRule REQUEST_URI "@beginsWith /api.php" \
     "id:1015,\
     phase:2,\
     pass,\
     nolog,\
     ctl:ruleRemoveById=941160"

How do I also limit this exclusion to a specific hostname? For example, wiki.example.com.

Best Answer

Using REQUEST_HEADERS:Host chained with REQUEST_URI does the trick, but gets harder to maintain, if there are several sites that either need or don't need the exclusion. Therefore, an alternative solution would be disabling the rules on the Nginx configuration for the virtualhost, instead.

It's possible to disable some rules using modsecurity_rules inside specific server & location:

server {
    server_name wiki.example.com;
    modsecurity on;
    . . .

    location /api.php {
        modsecurity_rules '
            SecRuleRemoveById 941160
        ';
    }
}

The same is possible with Apache, too, as some Apache users may later find this question based on its title. With Apache, you can use SecRuleRemoveById / modsecurity_rules directives

inside VirtualHost and Location or LocationMatch:

<VirtualHost *:443>
    ServerName wiki.example.com
    . . .

    <LocationMatch "^/api.php">
        <IfModule security2_module>
            SecRuleRemoveById 941160
        </IfModule>
        <IfModule security3_module>
            modsecurity_rules 'SecRuleRemoveById 941160'
        </IfModule>
    </LocationMatch>
</VirtualHost>

or, although not recommended, even with .htaccess:

<IfModule security2_module>
    <If "%{REQUEST_URI} =~ m#^/api.php#">
        SecRuleRemoveById 941160
    </If>
</IfModule>

<IfModule security3_module>
    <If "%{REQUEST_URI} =~ m#^/api.php#">
        modsecurity_rules 'SecRuleRemoveById 941160'
    </If>
</IfModule>

Related Solutions

Mod_security – PCRE limits exceeded

Holy recursion, Batman!

I claim you have something wrong with your mod_security rules. That kind of recursion seems to be unnecessary and will most likely cause some serious load for your server. Fix the rules and/or Apache config, and don't try to "fix" this problem with arbitrarily large numbers.

Security – Modsecurity check REQUEST_URI without query parameters

You could use the REQUEST_FILENAME variable instead of REQUEST_URI.

You are recommended not to directly edit the OWASP CRS rules themselves but instead to add extra rules to adjust them. This allows you to upgrade the CRS and still keep your rules. Here you could do this by adding the following config after you load all the OWASP CRS rules files to adjust this rule:

SecRuleUpdateTargetById 973338 REQUEST_FILENAME REQUEST_URI

However this will reduce this rule for all request when you may only want to do this for this one URL in which case a better method may be to turn this rule off only for this URL by adding the following rule before you load the OWASP CRS rules files (note the id needs to be unique so if you already have a rule 1 then pick a unique if here):

SecRule REQUEST_FILENAME chart.php "phase:2,nolog,id:1,ctl:ruleRemoveById=973338,pass"

And yes, before you ask, it is annoying that some overrides are specified after the rules and others, that use ctl, need to be specified before.

If you have multiple rules to disable you can use syntax like this:

SecRule REQUEST_FILENAME chart.php "phase:2,nolog,id:1,ctl:ruleRemoveById=973338,ctl:ruleRemoveById=973306,pass"

Best Answer

Related Solutions

Mod_security – PCRE limits exceeded

Security – Modsecurity check REQUEST_URI without query parameters

Related Topic