owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Windows Server 2016 / IIS Cannot Disable for site #2082

Open jdornan opened 5 years ago

jdornan commented 5 years ago

I have installed version 2.9.3 using the ModSecurityIIS_2.9.3-64b.msi. My web server has multiple sites configured in IIS. ModSecurity is working, but I'm unable to disable it for a specific site in the site's web.config file. I have tried adding the items below to the system.webServer section, but neither seems to disable ModSecurity.

<remove name="ModSecurityIIS" />

<ModSecurity enabled="false" />

mguinness commented 3 years ago

I think the README is a little misleading; all you should need is below (tested as working).

<system.webServer>
  <ModSecurity enabled="false" />
</system.webServer>

Also see https://github.com/SpiderLabs/ModSecurity/issues/769#issuecomment-269029452 to allow a site to override the global config and have its own.
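Because a single element in a site's web.config can switch the WAF off, it is worth auditing which sites carry such an override. The following is an added example, not code from this thread or from the ModSecurity project: it parses web.config text and reports sites that set `<ModSecurity enabled="false" />` or contain `<remove name="ModSecurityIIS" />`. The sample documents, site names and the `configFile` path are constructed, and the script only reports what the file contains, not whether IIS honours it.

```python
import xml.etree.ElementTree as ET

# Constructed web.config samples (site names and the path are made up).
SAMPLES = {
    "site-a": '<configuration><system.webServer>'
              '<ModSecurity enabled="false" />'
              '</system.webServer></configuration>',
    "site-b": '<configuration><system.webServer><modules>'
              '<remove name="ModSecurityIIS" />'
              '</modules></system.webServer></configuration>',
    "site-c": '<configuration><system.webServer>'
              '<ModSecurity enabled="true" configFile="c:\\sites\\c\\waf.conf" />'
              '</system.webServer></configuration>',
    "site-d": '<configuration><appSettings /></configuration>',
}


def modsecurity_state(web_config_xml):
    """Return (state, module_removed) for one web.config document.

    state is "disabled", "enabled" or "inherited"; "inherited" means this
    file sets no explicit value, so a parent configuration level decides.
    """
    root = ET.fromstring(web_config_xml)
    state, module_removed = "inherited", False
    # iter() also reaches <system.webServer> nested inside <location> blocks.
    for section in root.iter("system.webServer"):
        element = section.find("ModSecurity")
        if element is not None:
            value = element.get("enabled", "").strip().lower()
            if value in ("true", "false"):
                state = "enabled" if value == "true" else "disabled"
        for removal in section.findall("modules/remove"):
            if removal.get("name") == "ModSecurityIIS":
                module_removed = True
    return state, module_removed


def audit(configs):
    """Return {site: (state, module_removed)} for sites that opt out of the WAF."""
    findings = {}
    for site, xml_text in configs.items():
        state, module_removed = modsecurity_state(xml_text)
        if state == "disabled" or module_removed:
            findings[site] = (state, module_removed)
    return findings


if __name__ == "__main__":
    for site, finding in audit(SAMPLES).items():
        print(site, finding)
```

To run it against a real server, read each site's web.config from disk and pass the text to `modsecurity_state`.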