I have never activated mod_security or edited Virtual Hosts before, so it's a new challenge for me. I tried to follow this tutorial, but it seems that most of the tutorials around the web do not reflect my situation.
I have an EC2 instance running Apache 2 on Ubuntu 14.04. I don't have a file called httpd; however, inside my /etc/apache2/sites-available folder I have a file called 000-default.conf:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
    <Directory /var/www>
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
and this is my security2.conf, located in /etc/apache2/mods-available:
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    Include "/usr/share/modsecurity-crs/*.conf"
    Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
    IncludeOptional /etc/modsecurity/*.conf
</IfModule>
I wish to enable mod_security, but right now I cannot, because inside the ../html folder (the folder of my website) I have WordPress and phpMyAdmin (so if I remove SecRuleEngine Off, it gives me a permission denied error on the whole website).
From the tutorial mentioned above I know that I need to use this code to exclude a specific directory:
<Directory "/var/www/wp-admin">
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</Directory>
What I don't understand is: do I need to create a new .conf file inside /sites-available? For example, what should the .conf file look like to exclude the phpMyAdmin directory located in /usr/share/phpmyadmin?
Best Answer
[This was too long for a comment, so posted it as an answer. Hope it helps]
It seems you have not configured Virtual Hosts. Instead you have just one main DocumentRoot and you call sites with a http://ip-address/site-folder URL.
Let's say there are two virtual hosts: one in /var/www/html/wordpress and the other in /var/www/html/phpmyadmin.
If you need to disable it for phpmyadmin, then under the virtual host configuration of phpmyadmin, add the lines that you stated in the latter half:
And to disable it for wordpress admin, add the same under the wordpress site's virtual host configuration, i.e.:
Source: https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu
If there is no VirtualHost configuration, then you can try adding the directive <Directory>..</Directory> for both phpmyadmin and wp-admin in the mod_security config file: '/etc/apache2/mods-available/security2.conf'. Test the syntax with
apachectl -t
before reloading it.
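A concrete version of that last suggestion, written here as an added example (it is not part of the original question or answer). It assumes the paths the question gives: with DocumentRoot /var/www/html, the WordPress admin area on disk is /var/www/html/wp-admin rather than /var/www/wp-admin, and the Ubuntu phpMyAdmin package serves /usr/share/phpmyadmin through an Alias, so the <Directory> block must name that filesystem path, not the /phpmyadmin URL. The file name modsecurity-exclusions.conf is hypothetical; placing the exclusions in conf-available and enabling them with a2enconf keeps them out of the packaged security2.conf, which package upgrades may overwrite. The global "SecRuleEngine Off" in 000-default.conf has to be removed for any of this to matter, since that directive already switches the engine off for the whole virtual host.

```apache
# /etc/apache2/conf-available/modsecurity-exclusions.conf   (hypothetical file name)
# Enable and check with:
#   a2enconf modsecurity-exclusions
#   apachectl -t
#   service apache2 reload
#
# The engine stays on for the whole site (remove the SecRuleEngine Off block
# from 000-default.conf). Only the two admin trees below are treated
# differently, because their form submissions trip Core Rule Set rules.

<IfModule security2_module>

    # WordPress admin area. DocumentRoot is /var/www/html, so the
    # directory on disk is /var/www/html/wp-admin, not /var/www/wp-admin.
    # "Off" is the tutorial's approach: no inspection at all under this path.
    # It is the broadest exemption, so prefer one of the two narrower
    # settings shown for phpMyAdmin once the site works.
    <Directory "/var/www/html/wp-admin">
        SecRuleEngine Off
    </Directory>

    # phpMyAdmin is served from /usr/share/phpmyadmin by the package's
    # Alias, so the <Directory> must name the filesystem path.
    <Directory "/usr/share/phpmyadmin">
        # Narrower option 1: keep evaluating the rules and write matches to
        # the audit log, but never block. Use this while finding out which
        # rule IDs fire on legitimate requests.
        SecRuleEngine DetectionOnly

        # Narrower option 2: keep blocking, but drop just the rule IDs the
        # audit log shows firing on legitimate admin traffic. The value is a
        # placeholder; replace it with the numeric id(s) from the audit log,
        # then switch SecRuleEngine above back to On.
        # SecRuleRemoveById <numeric id from the audit log>
    </Directory>

</IfModule>
```

The three settings form a ladder: Off turns the module into a no-op for the path, DetectionOnly keeps the evidence flowing into the audit log without breaking anything, and SecRuleRemoveById leaves blocking in place for everything except the rules that are known to misfire. SecRuleEngine and SecRuleRemoveById are both accepted inside <Directory>, so no change to security2.conf itself is needed; run apachectl -t after each edit, and remember that the wp-admin exemption covers only that directory, not the front-end or wp-login.php.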