Rule doesn't always apply due to <LocationMatch .*>

2 posts Page 1 of 1
lucasrolff
Junior Member
Posts: 1
Joined: 07 Mar 2017, 14:11


Hi guys,

We run a bunch of cPanel servers where we use the cPanel Mod_security vendor functionality, and there we include the "Comodo WAF" ruleset (https://waf.comodo.com/doc/meta_comodo-apache.yaml)

To control Mod_security further we use the CMC, since we can disable rules per site level if we want to.

One rule though (ID 220030) we disable globally through CMC, because the rule only applies to PHP versions before 5.4.2 (not something we offer).

When we disable this rule, it never actually takes effect - and mod_security continues to block based on this rule.

Then I tried disabling the same rule globally via cPanel's Mod Security rules list, and there it works perfectly.

Turns out the only difference (other than file location), is that CMC wraps the SecRuleRemoveById within a LocationMatch .* block - where cPanel's own tool doesn't do this.

Whenever you disable rules in mod_security, you have two options - using SecRules or the SecRuleRemovebyId - SecRuleRemoveById is a global directive, and shouldn't be put inside a LocationMatch block in first place (at least according to a bunch of "issues" on github from SpiderLabs itself.

So.. To investigate further, I enabled the rule in cPanel's own tool again, and then went into the ./conf.d/modsec2.whitelist.conf file and removed the LocationMatch .* that CMC puts around the rules when it disables it, and suddenly everything starts to work.

Is it possible CMC can get bugfixed to not include the LocationMatch at any point? Specially not when just using .* - since the LocationMatch becomes rather obsolete if you just want to match anything anyway (which turns out to not be the case for a bunch of rules).

Thank you in advance.
ForumAdmin
Moderator
Posts: 1264
Joined: 01 Oct 2008, 09:24


This was already in development and has now been released in v2.10 of cmc:
https://blog.configserver.com
2 posts Page 1 of 1