php 如何在 .htaccess 文件中禁用 mod_security?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12928360/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How can I disable mod_security in .htaccess file?
提问by Gaurav Agrawal
How can we disable mod_securityby using .htaccessfile on Apache server?
我们如何mod_security通过使用.htaccessApache 服务器上的文件来禁用?
I am using WordPress on my personal domain and posting a post which content has some code block and as per my hosting provider said mod_securitygives an error and my IP has gone into firewall because of mod_security.
我在我的个人域上使用 WordPress 并发布了一个帖子,其中的内容有一些代码块,并且根据我的托管服务提供商的说法mod_security给出了一个错误,并且我的 IP 由于mod_security.
So I want to disable mod_securityby using .htaccessfile.
所以我想mod_security通过使用.htaccess文件来禁用。
回答by Xyon
It is possible to do this, but most likely your host implemented mod_securityfor a reason. Be sure they approve of you disabling it for your own site.
可以这样做,但很可能是您的主机mod_security出于某种原因实施的。确保他们同意您为自己的网站禁用它。
That said, this should do it;
也就是说,这应该这样做;
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
回答by Simon East
On someservers and web hosts, it's possible to disable ModSecurity via .htaccess, but only in its entirety – you can't disable individual rules.
在某些服务器和 Web 主机上,可以通过 禁用 ModSecurity .htaccess,但只能完全禁用——您不能禁用单个规则。
Rather than disabling it for your entire site, it's best to limit this to specific URLs. You can specify which URLs to match via the regex in the <If>statement below...
与其为整个站点禁用它,不如将其限制为特定的 URL。您可以通过<If>下面语句中的正则表达式指定要匹配的 URL ...
### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#"
### (this syntax is required when the string contains forward slashes)
<IfModule mod_security.c>
<If "%{REQUEST_URI} =~ m#/admin/#">
SecFilterEngine Off
SecFilterScanPOST Off
</If>
</IfModule>
回答by dhaupin
Just to update this question for mod_security 2.7.0+ - they turned off the ability to mitigate modsec via htaccess unless you compile it with the --enable-htaccess-configflag. Most hosts do not use this compiler option since it allows too lax security. Instead, vhosts in httpd.conf are your go-to option for controlling modsec.
只是为了更新 mod_security 2.7.0+ 的这个问题 - 他们关闭了通过 htaccess 减轻 modsec 的能力,除非你用--enable-htaccess-config标志编译它。大多数主机不使用此编译器选项,因为它允许过于宽松的安全性。相反,httpd.conf 中的 vhosts 是您控制 modsec 的首选选项。
Even if you do compile modsec with htaccess mitigation, there are less directives available. SecRuleEnginecan no longer be used there for example. Here is a list that is available to use by default in htaccess if allowed (keep in mind a host may further limit this list with AllowOverride):
即使您使用 htaccess 缓解编译 modsec,可用的指令也较少。SecRuleEngine例如,不能再在那里使用。如果允许,这是一个默认情况下可在 htaccess 中使用的列表(请记住,主机可能会使用 进一步限制此列表AllowOverride):
- SecAction
- SecRule
- SecRuleRemoveByMsg
- SecRuleRemoveByTag
- SecRuleRemoveById
- SecRuleUpdateActionById
- SecRuleUpdateTargetById
- SecRuleUpdateTargetByTag
- SecRuleUpdateTargetByMsg
More info on the official modsec wiki
As an additional note for 2.x users: the IfModuleshould now look for mod_security2.cinstead of the older mod_security.c
作为 2.x 用户的附加说明:IfModule现在应该寻找mod_security2.c而不是旧的mod_security.c
回答by manuel-84
When the above solution doesn't work try this:
当上述解决方案不起作用时,试试这个:
<IfModule mod_security.c>
SecRuleEngine Off
SecFilterInheritance Off
SecFilterEngine Off
SecFilterScanPOST Off
SecRuleRemoveById 300015 3000016 3000017
</IfModule>
回答by OpenWebWar
In .htaccess file at site root directory edit following line:
在站点根目录的 .htaccess 文件中编辑以下行:
<ifmodule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</ifmodule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>Just keep the mod_security rules like SecFilterEngine and parts apart from each other. Its works for apache server
只需将诸如 SecFilterEngine 和部件之类的 mod_security 规则彼此分开即可。它适用于 apache 服务器
回答by Alex
With some web hosts including NameCheap, it's not possible to disable ModSecurity using .htaccess. The only option is to contact tech support and ask them to alter the configuration for you.
对于包括NameCheap在内的一些网络主机,不可能使用.htaccess. 唯一的选择是联系技术支持并要求他们为您更改配置。
回答by Vadim Cool
For anyone that simply are looking to bypass the ERROR page to display the content on shared hosting. You might wanna try and use redirect in .htaccess file. If it is say 406 error, on UnoEuro it didn't seem to work simply deactivating the security. So I used this instead:
对于任何只想绕过 ERROR 页面以在共享主机上显示内容的人。您可能想尝试在 .htaccess 文件中使用重定向。如果是 406 错误,在 UnoEuro 上,它似乎无法简单地停用安全性。所以我用这个代替:
ErrorDocument 406 /
Then you can always change the error status using PHP. But be aware that in my case doing so means I am opening a door to SQL injections as I am bypassing WAF. So you will need to make sure that you either have your own security measures or enable the security again asap.
然后您可以随时使用 PHP 更改错误状态。但请注意,在我的情况下,这样做意味着我在绕过 WAF 时为 SQL 注入打开了一扇门。因此,您需要确保您有自己的安全措施或尽快再次启用安全性。
