Open LoZio opened 3 years ago
martinhsv
commented
3 years ago Hi @LoZio ,
The content:
The warning not to use ModSecurity-apache is not just about one specific bug or functionality gap, but a more overall warning that it is not ready for use. As additionally noted in the README:
"With Apache HTTP Server, the recommended version of ModSecurity is v2.9.x."
Devstellar
commented
2 years ago When I load the module into Apache it works and logs fine. I needed to disable the module for a specific virtualhost, so inside a vhost I put the modesecurity off directive. To make a long story short, I tried to put it in every possible place, even directly after the LoadModule line. The module is always alive and kicking.
Try this:
<IfModule security3_module>
modsecurity_rules "SecRuleEngine Off"
</IfModule>
LoZio
commented
2 years ago When I load the module into Apache it works and logs fine. I needed to disable the module for a specific virtualhost, so inside a vhost I put the modesecurity off directive. To make a long story short, I tried to put it in every possible place, even directly after the LoadModule line. The module is always alive and kicking.
Try this:
<IfModule security3_module> modsecurity_rules "SecRuleEngine Off" </IfModule>
Already tested, I wrote it in the first post.
I built Modsecurity and Modsecurity-apache on Debian 10. When I load the module into Apache it works and logs fine. I needed to disable the module for a specific virtualhost, so inside a vhost I put the modesecurity off directive. To make a long story short, I tried to put it in every possible place, even directly after the LoadModule line. The module is always alive and kicking. If I remove the LoadModule directive, apache complains about the modsecurity directives in the various files, as expected. My apache is
If I try to override rules (modsecurity_rules directive) it seems to just ignore them. Am I missing something big or is this what the "NOTE: This project is not production ready" line refers to? Thanks