
 

andante

yeah those are things that aren't security-friendly

Joe

i’m still very new to ModSecurity, so what will follow are probably some fairly stupid questions, but ¯_(ツ)_/¯

Joe

1) can I disable a specific rule using .htaccess or the Apache VirtualHost config? (having a hard time finding a straight answer on this)

Joe

2) can I disable a specific rule (like the one preventing access to the Files area) by turning off that rule if the request URI contains /admin? (and would that be a good idea in the first place?)

andante

haven't used it myself, but i can offer my opinion on whether it would be a good idea - i think the answer is "if you trust the people in your admin section"

andante

basically, my view is that you need to trust them to some degree, right? if you are letting them publish pages and upload files, you have already opened yourself up to so many attack vectors, that turning off mod_security seems to be a negligible change

Joe

if they’ve authenticated, I don’t need to block their request

Joe

if they’re not, though, that’s really when I want ModSecurity to kick in

andante

https://stackoverflow.com/a/46045010 could be the answer

Stack Overflow  
Disable mod_security by requested URL

I use mod_security with Apache 2.4. On this platform we have an ecommerce system using the following URL for its administrative tools: http://www.tld.com/en/backend I want to achieve two goals: Ac...
