Question
How to disable specific ModSecurity rules for a domain or server-wide?
Answer
Note: Not all rules can be disabled due to the MODSEC-274 bug in ModSecurity.
-
Go to Domains > example.com > Web Application Firewall (ModSecurity).
Note: The Switch off security rules section is visible only when the Web Application Firewall (ModSecurity) mode is set to On or Detection only.
-
By rule IDs
-
By rule tags
In the Switch off security rules section of the page, specify rule IDs (for example, 340003), tags (for example, CVE-2011-4898), or a regular expression (for example, XSS) used in the rules that need to be switched off, and click OK.
-
-
Go to Tools & Settings > Web Application Firewall (ModSecurity).
Note: The Switch off security rules section is visible only when the Web Application Firewall (ModSecurity) mode is set to On or Detection only.
-
In the Switch off security rules section of the page, you may switch off rules as follows:
-
By rule IDs. Add IDs from the error message to the Security rule IDs field as shown on the following picture (Click to enlarge) and apply the changes.
Note: If there are several rule IDs, put each on a new line.
-
By rule tags. Add rule tags from the error message from Active to Deactivated as shown on the following picture (Click to enlarge) and apply the changes.
-
Note: the Rule ID is written in body message of the error. For example in the error below:
ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity.d/rules/owasp_modsecurity_crs_3-plesk/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "example.com"] [uri "/robots.txt"] [unique_id "XPsROH8AAQEAABEiZFcAAABC"]
the Rule ID is 949110