Skip to content

Unable to disable module once loaded #84

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
LoZio opened this issue Sep 5, 2021 · 3 comments
Open

Unable to disable module once loaded #84

LoZio opened this issue Sep 5, 2021 · 3 comments

Comments

@LoZio
Copy link

LoZio commented Sep 5, 2021

I built Modsecurity and Modsecurity-apache on Debian 10.
When I load the module into Apache it works and logs fine.
I needed to disable the module for a specific virtualhost, so inside a vhost I put the modesecurity off directive. To make a long story short, I tried to put it in every possible place, even directly after the LoadModule line. The module is always alive and kicking.
If I remove the LoadModule directive, apache complains about the modsecurity directives in the various files, as expected.
My apache is

Server version: Apache/2.4.38 (Debian)
Server built:   2021-06-10T10:13:06
Server's Module Magic Number: 20120211:84
Server loaded:  APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     prefork
  threaded:     no
    forked:     yes (variable process count)

If I try to override rules (modsecurity_rules directive) it seems to just ignore them.
Am I missing something big or is this what the "NOTE: This project is not production ready" line refers to?
Thanks
@martinhsv
Copy link
Contributor

Hi @LoZio ,

The content:

The warning not to use ModSecurity-apache is not just about one specific bug or functionality gap, but a more overall warning that it is not ready for use. As additionally noted in the README:

"With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x."

@Devstellar
Copy link

When I load the module into Apache it works and logs fine.
I needed to disable the module for a specific virtualhost, so inside a vhost I put the modesecurity off directive. To make a long story short, I tried to put it in every possible place, even directly after the LoadModule line. The module is always alive and kicking.

Try this:

        <IfModule security3_module>
          modsecurity_rules "SecRuleEngine Off"
        </IfModule>

@LoZio
Copy link
Author

LoZio commented Sep 14, 2021

When I load the module into Apache it works and logs fine.
I needed to disable the module for a specific virtualhost, so inside a vhost I put the modesecurity off directive. To make a long story short, I tried to put it in every possible place, even directly after the LoadModule line. The module is always alive and kicking.

Try this:

        <IfModule security3_module>
          modsecurity_rules "SecRuleEngine Off"
        </IfModule>

Already tested, I wrote it in the first post.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LoZio @Devstellar @martinhsv