3.3.1rc1 breaks Directory and Location in Apache2
Describe the bug
Using the 3.3.1rc1 breaks the ability to use SecRuleEngine/SecRuleRemoveById within the Directory/Location tags. Reverting back to 3.3.0 fixes the problems.
Steps to reproduce
Run an “attack” against Directory with ModSecurity disabled:
<Directory /var/www/somecrappysite>
SecRuleEngine Off
</Directory>
Expected behaviour
The Directory/Location settings should be honored.
Actual behaviour
A block occurs until the statement is moved out of the Directory/Location tags, which makes unblocking specific items problematic.
Your Environment
- CRS version: 3.3.1rc1
- Paranoia level setting: 1
- ModSecurity version: 2.9.3-3
- Web Server and version: Apache 2.4.46-2
- Operating System and version: Debian testing
Issue Analytics
- Created 3 years ago
- Comments: 10 (7 by maintainers)
Top GitHub Comments
I should do a blog post to explain it in detail… But it’s actually not so complicated.
Here is an example:
Virtual Host:
Server Context (Before CRS Inclusion):
Naturally, if you do your CRS Include in the VH, then you do not need this, but then you probably include CRS separately for several VHs and this can lead to memory problems with ModSec.
If I’m understanding correctly, using the SecWebAppId would still not allow disabling specific rules for certain Directory/Location directives? Or would they just trigger the logging bug and not actually block the request?
Also, do you have some examples? I seem to be getting lost in the documentation as to how to achieve rule-based actions in combination with the WEBAPPID variable.
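The maintainer's comment above describes tagging each virtual host with SecWebAppId and keeping the per-application exclusions in the server context, before the CRS Include, so that CRS is loaded only once. The configuration below is an added illustration of that layout, not the maintainer's lost example and not code from the CRS or ModSecurity projects. The host names, document roots, rule IDs in the local 1-99999 range, and the choice of ctl:ruleEngine=Off / ctl:ruleRemoveById as the exclusion mechanism are all assumptions; 942100 is used only as a stand-in for whichever CRS rule needs to be excluded.

```apache
# Added example, not from the issue or from the CRS/ModSecurity projects.
# Server context. These rules must come BEFORE the CRS Include lines so that
# the ctl: actions take effect for the rules loaded afterwards.
# Host names, paths and rule IDs are assumptions chosen for illustration.

# Whole application excluded from inspection, keyed on its SecWebAppId
# instead of on a <Directory>/<Location> block.
SecRule WEBAPPID "@streq legacy-app" \
    "id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Second application: keep the engine on, drop a single CRS rule.
# 942100 is only a placeholder for the rule that produces the false positive.
SecRule WEBAPPID "@streq intranet" \
    "id:10002,phase:1,pass,nolog,ctl:ruleRemoveById=942100"

# CRS loaded once, in the server context (assumed paths).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

<VirtualHost *:80>
    ServerName legacy.example.com
    DocumentRoot /var/www/somecrappysite
    # Sets the WEBAPPID variable that the server-context rules match on.
    SecWebAppId "legacy-app"
</VirtualHost>

<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot /var/www/intranet
    SecWebAppId "intranet"
</VirtualHost>
```

After a syntax check with `apachectl configtest`, the quickest way to confirm which branch a request took is to send a harmless test request to each host and compare the ModSecurity audit log: entries for the first host should carry no rule matches at all, while the second host should still log CRS matches except for the removed ID. Because the exclusions live in the server context, nothing here relies on SecRuleEngine being honoured inside Directory/Location, which is the behaviour this issue reports as broken in 3.3.1rc1.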