How to allow some file extension through ModSecurity using .htaccess?
hello all
I have a cpanel account and ModSecurity is enabled.
i want to serve for example cfg file but server replies back with 403.
If i disable modesecurity via the cpanel the file gets served ok.
my question How to allow some extension through ModSecurity using .htaccess?
appreciate any guide on how to solve such access problems.
Thanks
ehab
Comments
I've no idea if you can do what you wish in .htaccess, though it is possible by using a per domain modsecurity conf file. I've looked at the CWP implementation of this - example shown below:
/usr/local/apache/conf/userdata/account_name/account.domain.tld/modsec.conf
Replace the modsec rule ID with your 'offending' one.
For WHM, if you have top-level access, I recommend Configserver ModSecurity Control. It makes it simple, with a GUI.
HTH
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
@AlwaysSkint, i am a normal user hosting at a cpanel provider.
I don't have access to any of the modesc conf files.
my latest attempt was like ----------- .htaccess
but not working. i get a 500 response. i just added # for comments
I'd be surprised if you could defeat modsecurity at a user level - kinda bypasses its' purpose. I'm not surprised that those (commented out) directives trigger a 500 response. Your best bet might be to ask your cPanel provider to exclude the cfg particular rule ID from your domain/account. Given your client IP address and approx. time of access, it'll be easy to spot the rule ID that's being triggered.
Having said that, I might have a play around, should someone else not chime in.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
In WHM, with the previously mentioned CMC utility, I've discovered two files that are used on a per domain basis:
Without knowing which ModSec Ruleset your provider is using, I can't give you a specific rule ID to add to the whitelist.
Later:
https://support.cpanel.net/hc/en-us/articles/4403595742487-How-to-disable-a-mod-security-rule-on-a-per-user-basis-
Even later:
I've found a few 'articles' mentioning bypassing modsec. My advice: don't even try - speak to your provider.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
On a DirectAdmin reseller hosting account, I was given options to enter a rule ID and set it to ignore, per each DirectAdmin sub-account individually.
Hell, I was even advised to do so on an occasion (strange 403), which, for that particular problem, I thought was not the best solution.
Not every provider allows that (with either DirectAdmin or cPanel).
What it looks like (DirectAdmin):
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Forgot the "simple solutions" (not seeing the forest from the trees), here are some other ideas:
a) .zip the file (if it can be just downloaded).
b) Put it on a separate cPanel account, using a subdomain, and configure ModSecurity for that account differently.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
i will wait for my ticket reply.
meanwhile, another provider with cpanel has the modesecurity on but the extension is permissible. So it must be different from provider to another.
and @bikegremlin yep, there are simpler solutions. i might change the extension all together, lets see ...
Note: It's not uncommon to have a range of excluded rules. Each of the control panels usually have a predefined exclusion set, used for the control panel itself, plus often further entries for Wordpress and others.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
i did get a reply to my ticket and extensions were added to rules from the server side and they work now as expected.
so the only way is server side.
As I suspected/expected.
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)