Ubuntu – How to exclude mod_security from sub-directories on Amazon EC2 with LAMP

apache-2.2, mod-security, Ubuntu

I have never activated mod_security or edited Virtual Hosts before, so it's a new challenge for me. I tried to follow this tutorial, but it seems that most of the tutorials around the web do not reflect my situation.
I have an EC2 instance running Apache 2 on Ubuntu 14.04. I don't have a file called httpd; however, inside my /etc/apache2/sites-available folder I have a file called 000-default.conf:

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
        <Directory /var/www >
            AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

And this is my security2.conf, located in /etc/apache2/mods-available:

<IfModule security2_module>
        SecDataDir /var/cache/modsecurity
        Include "/usr/share/modsecurity-crs/*.conf"
        Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
        IncludeOptional /etc/modsecurity/*.conf
</IfModule>

I wish to enable mod_security, but right now I cannot because inside the ../html folder (the folder of my website) I have WordPress and phpMyAdmin (so if I remove SecRuleEngine Off, it gives me a permission denied error on the whole website).
From the tutorial mentioned above I know that I need to use this code to exclude a specific directory:

<Directory "/var/www/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>

What I don't understand is: do I need to create a new .conf file inside /sites-available? For example, what should the .conf file look like to exclude the phpMyAdmin directory located in /usr/share/phpmyadmin?

Best Answer

[This was too long for a comment, so posted it as an answer. Hope it helps]

It seems you have not configured Virtual Hosts. Instead, you have just one main DocumentRoot and you call sites with an http://ip-address/site-folder URL.

Let's say it's two virtual hosts: one in /var/www/html/wordpress and the other in /var/www/html/phpmyadmin.
If you need to disable it for phpmyadmin, then under the virtual host configuration of phpmyadmin, add the line that you stated in the latter half:

<VirtualHost *:80>
  ..
  ..
  ..
    <Directory "/var/www/html/phpmyadmin">
      <IfModule security2_module>
          SecRuleEngine Off
      </IfModule>
    </Directory>
  ..
  ..
</VirtualHost>

And to disable it for the WordPress admin, add the same under the WordPress site's virtual host configuration, i.e.:

<VirtualHost *:80>
  ..
  ..
  ..
    <Directory "/var/www/html/wordpress/wp-admin">
      <IfModule security2_module>
          SecRuleEngine Off
      </IfModule>
    </Directory>
  ..
  ..
</VirtualHost>

Source: https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu

If there is no VirtualHost configuration, then you can try adding the <Directory>..</Directory> directive for both phpmyadmin and wp-admin in the mod_security config file, '/etc/apache2/mods-available/security2.conf'.

Test the syntax with apachectl -t before reloading it.
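
An added example, not part of the original question or answer: a small audit script that reports every `SecRuleEngine Off` in an Apache configuration and whether it is confined to a path section (as in the answer) or applies to a whole virtual host (as in the question's 000-default.conf). The function name `find_engine_off` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample modelled on the two configurations discussed on this page:
# a vhost-wide "SecRuleEngine Off" and a directory-scoped one.
SAMPLE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
    <Directory "/var/www/html/wordpress/wp-admin">
        <IfModule security2_module>
            SecRuleEngine Off
        </IfModule>
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")   # e.g. <Directory "/path">
CLOSE = re.compile(r"^</\s*(\w+)\s*>$")         # e.g. </Directory>
PATH_SCOPES = {"directory", "directorymatch", "location",
               "locationmatch", "files", "filesmatch"}

def find_engine_off(conf_text):
    """Return (line_no, scope, narrow) for each active 'SecRuleEngine Off'."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        m = CLOSE.match(line)
        if m:
            # Leave the innermost section when its closing tag matches.
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip('"')))
            continue
        # Commented-out lines start with '#', so they never match here.
        if line.lower().split()[:2] == ["secruleengine", "off"]:
            paths = [s for s in stack if s[0].lower() in PATH_SCOPES]
            if paths:  # limited to one directory, location or file set
                findings.append((no, f"{paths[-1][0]} {paths[-1][1]}", True))
            else:      # the WAF is off for the whole vhost or server
                vhost = any(s[0].lower() == "virtualhost" for s in stack)
                findings.append((no, "VirtualHost" if vhost else "global", False))
    return findings

if __name__ == "__main__":
    for no, scope, narrow in find_engine_off(SAMPLE_CONF):
        print(f"line {no}: {scope} -> {'scoped' if narrow else 'BROAD'}")
```

To check a real file, pass its contents to `find_engine_off`; `Include` directives are not followed, so each included file has to be checked separately.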
