
BUG: modsecurity SecRuleEngine setting per domain doesn't work


Jason McOrmick

Bug report: enabling/disabling ModSecurity on a per-domain basis doesn't seem to work at all.

On my DA 1.649 / OLS 1.7.16 server, whatever SecRuleEngine value is set in any of the separate /usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.modsecurity_rules files is ignored. Only the default server-wide value from the /usr/local/lsws/conf/httpd-modsecurity.conf file is used.

Also, IF it would work: the modsec interface has only the On/Off settings for SecRuleEngine: it's missing "DetectionOnly" which can be helpful for tracking down rule issues without affecting user experience.

Related to feedback.directadmin.com/b/feature-requests/modsecurity-user-level-restriction


Jason McOrmick

Also, I'm not sure what the purpose of /usr/local/directadmin/data/admin/modsecurity_rules is in this.

I believe it should be: */usr/local/directadmin/custombuild/configure/openlitespeed/conf/httpd-modsecurity.conf* is a template that builds */usr/local/lsws/conf/httpd-modsecurity.conf*, which serves as the default ModSec settings.

Then, on the domain that's being visited, the */usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.modsecurity_rules* are loaded and _should_ override those default settings?

And finally, any directives from */usr/local/directadmin/data/admin/modsecurity_rules* should override those?
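
An audit for the situation reported in this thread, added as an example that is not part of the original posts and is not DirectAdmin or OpenLiteSpeed code: it lists every domain whose per-domain rules file sets a SecRuleEngine value different from the server-wide default, which are the domains where the configured and the effective mode diverge if the per-domain file is ignored. The function names, the `root` prefix parameter and the sample tree are assumptions for illustration; the two file locations are the ones named in the report.

```shell
#!/bin/sh
# Added example. "root" is a hypothetical prefix so the audit can run on a test tree.

# Last SecRuleEngine value set in a file (comment lines skipped), or "-" if none.
# Assumes the directive name is case-insensitive and the last one in a file wins.
engine_of() {
    [ -r "$1" ] || { echo "-"; return; }
    awk 'BEGIN { v = "-" }
         /^[ \t]*#/ { next }
         tolower($1) == "secruleengine" { v = $2 }
         END { print v }' "$1"
}

# Print "user domain per_domain_value server_default" for each domain whose
# own file asks for something other than the server-wide default.
audit_modsec() {
    root=$1
    default=$(engine_of "$root/usr/local/lsws/conf/httpd-modsecurity.conf")
    for f in "$root"/usr/local/directadmin/data/users/*/domains/*.modsecurity_rules; do
        [ -e "$f" ] || continue
        val=$(engine_of "$f")
        [ "$val" = "-" ] && continue
        [ "$val" = "$default" ] && continue
        user=$(basename "$(dirname "$(dirname "$f")")")
        echo "$user $(basename "$f" .modsecurity_rules) $val $default"
    done
}

# Build a constructed sample tree (not real server data) and print its path.
make_sample() {
    t=$(mktemp -d)
    d="$t/usr/local/directadmin/data/users"
    mkdir -p "$t/usr/local/lsws/conf" "$d/alice/domains" "$d/bob/domains"
    printf 'SecRuleEngine On\n' > "$t/usr/local/lsws/conf/httpd-modsecurity.conf"
    printf '#SecRuleEngine Off\nSecRuleEngine DetectionOnly\n' \
        > "$d/alice/domains/example.com.modsecurity_rules"
    printf 'SecRuleEngine On\n' > "$d/bob/domains/example.org.modsecurity_rules"
    echo "$t"
}

sample=$(make_sample)
audit_modsec "$sample"    # prints: alice example.com DetectionOnly On
rm -rf "$sample"
```

On a live server, call `audit_modsec ""` to read the real paths. A domain listed with `Off` or `DetectionOnly` against a default of `On` is one where rules may be blocking traffic the owner expected to pass; the reverse case is a domain believed to be protected that is not.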