UPWORK/ODESK guru: Tips and Tricks for clients

skype: upwork.link , email: info@upwork.link

mod_security2: In .htaccess file?

without comments

ust to update this question for mod_security 2.7.0+ – they turned off the ability to mitigate modsec via htaccess unless you compile it with the –enable-htaccess-config flag. Most hosts do not use this compiler option since it allows too lax security. Instead, vhosts in httpd.conf are your go-to option for controlling modsec.

Even if you do compile modsec with htaccess mitigation, there are less directives available. SecRuleEngine can no longer be used there for example. Here is a list that is available to use by default in htaccess if allowed (keep in mind a host may further limit this list with AllowOverride):

    - SecAction
    - SecRule

    - SecRuleRemoveByMsg
    - SecRuleRemoveByTag
    - SecRuleRemoveById

    - SecRuleUpdateActionById
    - SecRuleUpdateTargetById
    - SecRuleUpdateTargetByTag
    - SecRuleUpdateTargetByMsg

As an additional note for 2.x users: the IfModule should now look for mod_security2.c instead of the older mod_security.c


https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#start-apache-httpd

Written by spectre

December 19th, 2014 at 11:44 am

Posted in Apache2

Leave a Reply

*