I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall – it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you ‘save’ something on a website), and displays a 406 error for anything it considers suspicious.
The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

If this doesn't work, create a conf file and disable mod_security for the domain. Follow the steps below.

You have to create an individual rule for that domain. You can see the conf via Apache:

-----------
Include "/usr/local/apache/conf/userdata/*.conf"
Include "/usr/local/apache/conf/userdata/*.owner-root"
Include "/usr/local/apache/conf/userdata/std/*.conf"
Include "/usr/local/apache/conf/userdata/std/*.owner-root"
Include "/usr/local/apache/conf/userdata/std/2/*.conf"
Include "/usr/local/apache/conf/userdata/std/2/*.owner-root"
-----------

Now create a customized file to disable mod_security for that domain alone.

# cd /usr/local/apache/conf/userdata/std/2/
# mkdir USERNAME
(e.g. if the domain name is google.com and the username is goog, create a directory named goog)
# cd goog/
# mkdir google.com
# cd google.com
# touch mod_security2.conf
# vi mod_security2.conf

Now add these lines to that file:

<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>

Save and exit, then restart Apache:

/etc/init.d/httpd restart
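A scripted version of the per-domain steps above, as an added example that is not part of the original post. Besides the post's `SecRuleEngine Off`, it can write `SecRuleEngine DetectionOnly` (log without blocking) or drop one rule with `SecRuleRemoveById`, so the rest of the rule set stays active for the domain. The function names, the base-directory argument, `apachectl` being on PATH and rule id 999999 are assumptions or placeholders; the real id comes from the ModSecurity audit log entry for the blocked request.

```shell
#!/bin/sh
# Added example, not the original author's code. Names are hypothetical.

# write_modsec_override BASE USER DOMAIN MODE [RULE_ID]
#   BASE    e.g. /usr/local/apache/conf/userdata/std/2
#   MODE    off     -> SecRuleEngine Off (what the post does)
#           detect  -> SecRuleEngine DetectionOnly (log, do not block)
#           exclude -> engine stays on, only RULE_ID is removed
# Prints the path of the file it wrote.
write_modsec_override() {
    base=$1 user=$2 domain=$3 mode=$4 rule_id=${5:-}

    # Refuse names that could escape the userdata tree.
    case "$user" in
        ''|*[!A-Za-z0-9_-]*) echo "bad username" >&2; return 1 ;;
    esac
    case "$domain" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*) echo "bad domain" >&2; return 1 ;;
    esac

    case "$mode" in
        off)    body="SecRuleEngine Off" ;;
        detect) body="SecRuleEngine DetectionOnly" ;;
        exclude)
            case "$rule_id" in
                ''|*[!0-9]*) echo "bad rule id" >&2; return 1 ;;
            esac
            body="SecRuleRemoveById $rule_id" ;;
        *) echo "unknown mode" >&2; return 1 ;;
    esac

    dir="$base/$user/$domain"
    mkdir -p "$dir" || return 1
    printf '<IfModule mod_security2.c>\n    %s\n</IfModule>\n' "$body" \
        > "$dir/mod_security2.conf" || return 1
    printf '%s\n' "$dir/mod_security2.conf"
}

# Syntax-check the configuration before restarting, so a typo in the new
# include does not take down every site on the server.
apply_override() {
    apachectl configtest && /etc/init.d/httpd restart
}

# Usage (as root; 999999 is a placeholder rule id):
#   write_modsec_override /usr/local/apache/conf/userdata/std/2 goog google.com exclude 999999
#   apply_override
```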