LocationMatch issues

Discussion in 'General' started by alleks, Jan 8, 2013.

  1. alleks

    alleks Member

    So, on my server with the latest stable ISPConfig and also having installed mod_security... I'm trying to avoid some rules for WordPress-specific pages, but with no success.

    Rules:

    Code:
    # Apache does not accept a comment after a directive on the same line,
    # so each note sits on its own line above the SecRuleRemoveById it describes.
    <LocationMatch "/">
      # Google robot activity - Useful in some ways but noisy for sites where you want them crawled
      SecRuleRemoveById 910006
      # Request Missing an Accept Header - Allow for Google Reader
      SecRuleRemoveById 960015
    </LocationMatch>
    
    <LocationMatch "/wp-admin/post.php">
      # System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
      SecRuleRemoveById 950006
    </LocationMatch>
    
    <LocationMatch "(/wp-admin/|/wp-login.php)">
      # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other Linux paths in posts.
      SecRuleRemoveById 950005
      # Remote File Inclusion Attack - Disable to allow http:// to be passed in args
      SecRuleRemoveById 950117
      # Request content type is not allowed by policy
      SecRuleRemoveById 960010
    </LocationMatch>
    
    <LocationMatch "(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)">
      # System Command Injection
      SecRuleRemoveById 950907
      # Remote File Access Attempt - Probably no need to be disabled by everyone; it allows me putting /etc/ and other Linux paths in posts.
      SecRuleRemoveById 950005
      # System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
      SecRuleRemoveById 950006
      # SQL Injection Attack
      SecRuleRemoveById 959006
      # Request Missing a Host Header
      SecRuleRemoveById 960008
      # GET or HEAD requests with bodies
      SecRuleRemoveById 960011
      # Request Containing Content, but Missing Content-Type header
      SecRuleRemoveById 960904
    
      # Detects JavaScript object properties and methods
      SecRuleRemoveById phpids-17
      # Detects JavaScript language constructs
      SecRuleRemoveById phpids-20
      # Detects very basic XSS probings
      SecRuleRemoveById phpids-21
      # Detects common XSS concatenation patterns 1/2
      SecRuleRemoveById phpids-30
      # Detects url injections and RFE attempts
      SecRuleRemoveById phpids-61
    </LocationMatch>
    
    <LocationMatch "/wp-includes/">
      # System Command Injection - Another rule that probably doesn't need to be disabled by everyone; it stops .exe and various other extensions being passed in arguments.
      SecRuleRemoveById 950006
      # SQL Injection Attack
      SecRuleRemoveById 959006
      # Request content type is not allowed by policy - Allows for, amongst other things, spell check to work in the admin area
      SecRuleRemoveById 960010
      # Require Content-Length to be provided with every POST request - Same as above
      SecRuleRemoveById 960012
    
      # Detects JavaScript object properties and methods
      SecRuleRemoveById phpids-17
      # Detects JavaScript language constructs
      SecRuleRemoveById phpids-20
      # Detects very basic XSS probings
      SecRuleRemoveById phpids-21
      # Detects common XSS concatenation patterns 1/2
      SecRuleRemoveById phpids-30
      # Detects url injections and RFE attempts
      SecRuleRemoveById phpids-61
    </LocationMatch>
    Any ideas why the LocationMatch won't match? Just to make clear, setting the command outside LocationMatch works.

    My question on SO: http://stackoverflow.com/questions/14202050/locationmatch-not-matching
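    To check what the LocationMatch patterns in the post above actually cover, here is an added example (not from this thread, ISPConfig or mod_security): it parses a constructed, trimmed copy of those blocks and reports, for a given request path, which rule IDs the merged blocks would remove. It emulates Apache's LocationMatch as an unanchored, case-sensitive regex search on the URL path and assumes the directives reached the vhost; it does not model how mod_security itself applies them.

```python
import re

# Constructed, trimmed copy of the post's exclusions, comments on their own lines.
CONFIG = """
<LocationMatch "/">
  # Google robot activity and missing Accept header: noisy for crawled sites
  SecRuleRemoveById 910006 960015
</LocationMatch>
<LocationMatch "/wp-admin/post.php">
  SecRuleRemoveById 950006
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
  SecRuleRemoveById 950005 950117 960010
</LocationMatch>
<LocationMatch "/wp-includes/">
  SecRuleRemoveById 950006 959006 960010 960012
</LocationMatch>
"""

BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)"\s*>(.*?)</LocationMatch>', re.S)
REMOVE_RE = re.compile(r'^SecRuleRemoveById\s+(.+)$')


def parse_blocks(config):
    """Return [(compiled regex, [rule ids])] in file order; comment lines never match."""
    blocks = []
    for pattern, body in BLOCK_RE.findall(config):
        ids = []
        for line in body.splitlines():
            m = REMOVE_RE.match(line.strip())
            if m:
                ids.extend(m.group(1).split())
        blocks.append((re.compile(pattern), ids))
    return blocks


def removed_rules(path, blocks):
    """Rule ids removed for `path`: unanchored regex search on the URL path
    (query string dropped); every matching block applies, so "/" hits everything."""
    path = path.split("?", 1)[0]
    removed = []
    for regex, ids in blocks:
        if regex.search(path):
            for rule_id in ids:
                if rule_id not in removed:
                    removed.append(rule_id)
    return removed


if __name__ == "__main__":
    for p in ("/wp-admin/post.php?post=1", "/wp-includes/js/x.php", "/index.php"):
        print(p, "->", removed_rules(p, parse_blocks(CONFIG)))
```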
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Where did you add these lines, in the apache directives field of the website?
     
  3. alleks

    alleks Member

    Yes Till, in the apache directives in Domain's options
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Have you checked in the vhost file if the directives have been added there? Maybe there is a syntax error somewhere and ispconfig could not apply the new configuration.

    I added some mod_security rules a few days ago in one site by adding them in the apache directives field in ispconfig and it worked on my server. I described it here in the faq, the rules I used are not as complete as your list though:

    http://www.faqforge.com/linux/apache-mod_security-settings-for-wordpress-and-modx/
     