Red Hat Bugzilla – Bug 962995
custom rules not working
Last modified: 2014-07-08 11:33:29 EDT
/etc/httpd/conf.d/mod_security.conf has (near the top):
# ModSecurity Core Rules Set configuration
I have /etc/httpd/modsecurity.d/modsecurity_localrules.conf which disables some rules for some URLs by using SecRuleRemoveById. But it does not work anymore, because, according to https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleRemoveById :
Note : This directive must be specified after the rule in which it is disabling. This should be used within local custom rule files that are processed after third party rule sets. Example file - modsecurity_crs_60_customrules.conf.
If I change /etc/httpd/conf.d/mod_security.conf to
then it starts to work. Should I rename my modsecurity_localrules.conf file to activated_rules/modsecurity_crs_60_customrules.conf as the Note above suggests or could the Include ordering be changed in the package?
That file is for custom rules. For disabling rules, you can choose a file name that makes sure it will be processed after the rules definition, e.g.:
What about the rules, which I have in /etc/httpd/conf.d/virtualhost.conf ? For example, now it looks like this:
These rules do not work either. Is it possible to somehow still have them in virtualhost.conf?
SecRuleRemoveById should work in vhost definition, just make sure that your configuration file is evaluated by Apache after mod_security / CRS config.
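The ordering requirement discussed in this thread can be checked before a reload. The following is an added example, not part of the bug report or the package: a small Python lint that walks config files in the order Apache loads them and reports every SecRuleRemoveById argument that matches no rule defined earlier. The function name, the sample file contents and the rule ids are constructed for illustration, and the caller is assumed to supply the files in the real load order.

```python
import re

ID_RE = re.compile(r"\bid\s*:\s*'?(\d+)")      # matches id:100001 and id:'100001'
ARG_RE = re.compile(r"(\d+)(?:-(\d+))?")       # single id or "low-high" range

def misordered_removals(files):
    """files: (name, text) pairs in the order Apache loads them.
    Returns (name, token) for each SecRuleRemoveById argument that matches
    no rule id defined earlier in that order."""
    defined, problems = set(), []
    for name, text in files:
        text = re.sub(r"\\\r?\n", " ", text)   # join backslash-continued lines
        for line in text.splitlines():
            directive, _, rest = line.strip().partition(" ")
            directive = directive.lower()
            if directive in ("secrule", "secaction"):
                defined.update(int(i) for i in ID_RE.findall(rest))
            elif directive == "secruleremovebyid":
                for token in rest.replace('"', " ").split():
                    m = ARG_RE.fullmatch(token)
                    if not m:
                        continue               # not an id or range, ignore
                    lo = int(m.group(1))
                    hi = int(m.group(2) or lo)
                    if not any(lo <= i <= hi for i in defined):
                        problems.append((name, token))
    return problems

# Constructed sample files and rule ids (not taken from the bug report).
RULES = ("rules.conf",
         'SecRule REQUEST_URI "@contains /a" \\\n'
         '    "phase:2,deny,id:\'100001\'"\n'
         'SecRule ARGS "@rx x" "phase:2,deny,id:100005"\n')
LOCAL = ("modsecurity_localrules.conf",
         '<LocationMatch "/app">\n'
         '  SecRuleRemoveById 100001 "100004-100006" 100099\n'
         '</LocationMatch>\n')

if __name__ == "__main__":
    # Removals loaded before the rules: every argument is flagged.
    print(misordered_removals([LOCAL, RULES]))
    # Removals loaded after the rules: only the id that no rule defines remains.
    print(misordered_removals([RULES, LOCAL]))
```

An argument that is still reported with the removals loaded last, such as 100099 in the sample, refers to a rule id that is not defined in any of the supplied files.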