Hi,

For some reason I'm struggling to disable rules using SecRuleRemoveById inside a Location or LocationMatch.

I can disable rules globally (which isn't ideal) so I know the directive works, but I don't know why Apache doesn't act upon the Location/LocationMatch. One of the applications on my web server that I'm trying to disable a rule for is Subsonic. Subsonic requires Tomcat and is connected to Apache via the AJP connector module. I have successfully disabled one of the Atomicorp delayed rules in the past like this:

    <IfModule mod_jk.c>
        JkMount /subsonic ajp13_worker
        JkMount /subsonic/* ajp13_worker
        <Location /subsonic/upload.view>
            SecRuleRemoveById 330792
        </Location>
    </IfModule>

I am now trying to disable rule 960010 from the CRS for the entire application because of too many false positives. I have tried <Location /subsonic/> as well as multiple regular expressions for days, but nothing works. Here is an example from the audit log:

    --35e37e6c-A--
    [12/Nov/2013:12:19:05 +0000] UoIcuX8AAQEAAAJ3AQgAAAAA hidden 45509 hidden 443
    --35e37e6c-B--
    POST /subsonic/dwr/call/plaincall/nowPlayingService.getNowPlaying.dwr HTTP/1.1
    Host: hidden
    Connection: keep-alive
    Content-Length: 214
    Origin: https://hidden
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.114 Safari/537.36
    Content-Type: text/plain
    Accept: */*
    Referer: https://hidden/subsonic/right.view?
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
    Cookie: player-656c6c6965=6; player-73727661646d=6; JSESSIONID=088A746CDC6B4356A388E7C1D44EEE6A.ajp13_worker; player-7068696c6c=9; compact_display_state=false

    --35e37e6c-F--
    HTTP/1.1 403 Forbidden
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 221
    Keep-Alive: timeout=5, max=88
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1

    --35e37e6c-H--
    Message: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/etc/apache2/owasp-modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "text/plain"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
    Action: Intercepted (phase 1)
    Stopwatch: 1384258745437774 1085 (- - -)
    Stopwatch2: 1384258745437774 1085; combined=426, p1=363, p2=0, p3=0, p4=0, p5=63, sr=48, sw=0, l=0, gc=0
    Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/); OWASP_CRS/2.2.8.
    Server: Apache
    Engine-Mode: "ENABLED"

    --35e37e6c-Z--

I'd be grateful for any advice. Thanks for your time.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
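Added example, not from the original post or from the CRS project: the audit log shows 960010 intercepting in phase 1 (request headers), and ModSecurity 2.x evaluates phase 1 before Apache has merged the per-request <Location>/<LocationMatch> configuration, so a SecRuleRemoveById inside such a container never reaches a phase-1 rule. The standard workaround is a phase-1 rule, loaded before the CRS rule files, that matches the path itself and uses the ctl action; the file name and the rule ids 10010/10011 below are assumed placeholders.

```apache
# Assumed location: a file whose name sorts before
# modsecurity_crs_30_http_policy.conf in the same include directory, e.g.
# /etc/apache2/owasp-modsecurity-crs/activated_rules/modsecurity_crs_15_local_exclusions.conf
# A ctl:ruleRemoveById only affects rules that have not run yet, so this
# phase-1 rule must be processed before the CRS HTTP policy rule.

# Option 1: drop rule 960010 for every request under /subsonic/.
# REQUEST_URI includes the query string, so @beginsWith on the path prefix
# is the reliable way to scope it.
SecRule REQUEST_URI "@beginsWith /subsonic/" \
    "id:10010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=960010"

# Option 2 (narrower, keeps the content-type policy in force): only the DWR
# endpoints send text/plain, so extend the allowed list for that prefix
# instead of removing the rule. Assumes the CRS setup file has already set
# tx.allowed_request_content_type in an earlier phase-1 rule, which is the
# case when it is included before this file.
#SecRule REQUEST_URI "@beginsWith /subsonic/dwr/" \
#    "id:10011,phase:1,t:none,nolog,pass,\
#    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/plain'"
```

After reloading Apache, the -H- section of a matching request should no longer show id 960010 for /subsonic/ while other virtual-host paths keep the policy. Rules that run in phase 2 or later can still be excluded from a <Location> container as before.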