Page 1 of 1

CMC doesn't play well with Atomicorp WAF rules

Posted: 21 Aug 2014, 18:53
by JohnK
I noticed in your requirements that CMC requires mod_security installed via easyapache, and after the hassle I ran into with this particular combination of software, I can see why.

The Atomicorp WAF rules do something interesting to the easyapache build order. Specifically, they remove mod_security from the easyapache build, and then add it back in during the posteasyapache step.

Unfortunately this has a nasty consequence that when easyapache runs its configuration test immediately after its build, it runs into errors caused by the CMC override files that are placed in the /usr/local/apache/conf/userdata/ directory. Easyapache ends up failing to verify the configuration because it's finding mod_security directives in these files, when (at this point in the build) mod_security is not installed.

I found a fix however by wrapping all those files in <IfModule mod_security2.c> and </ifmodule> headers during preeasyapache, and removing them again during posteasyapache. These headers however are safe to leave in even with mod_security installed. I took them out again because I was not sure how CMC would react to this extra data being present in those files when it goes to view or edit them.

My suggestion is to have CMC make these headers standard for all the files it inserts, so that this workaround is not required.