Note: AP users should disable rules from the UI. There is no need to create custom rules, apache configuration files or other customizations when using AP, as AP supports disabling any rule on both a global and per domain basis.
For non-AP users, LocationMatch and Location do not work for phase:1 rules.
Location and LocationMatch are not available in Apache until phase:2. If you need to disable a phase:1 rule, use AP, which can disable phase:1 rules on a per-domain and global basis.
If you are not using AP, and need to disable a phase:1 rule, you will need to create a custom rule to do this.
The following is an example of a custom rule that does this for rule 123456:
SecRule REQUEST_HEADERS:Host "example\.com$" \
    "phase:1,id:91001,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemoveById=123456"
In the example above, "example.com" is the domain for which the rule is excluded. This custom rule must be loaded before the rule you want to disable.
If you do not know how to create this kind of custom rule, please contact support@atomicorp.com and we'll put a quote together to help develop these custom rules for you.
Disabling Mod_Security Globally
If you are using AP, change this setting in the UI:
Hub Configuration > Web Application Firewall > General Settings > Web Application Firewall
If you are not using AP, you will need to do this manually:
1. Disable config file
mv /etc/httpd/conf.d/00_mod_security.conf /etc/httpd/conf.d/00_mod_security.conf.disabled
2. Restart Apache
service httpd restart
Disable Mod_security on a global URL
1. Create a global exclude file
vim /etc/httpd/modsecurity.d/00_custom_exclude.conf
2. Add the LocationMatch for the URL to exclude. Example: /server.php
<LocationMatch /server.php>
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
</LocationMatch>
3. Restart Apache
service httpd restart
Set a URL to alert only
1. Create a global exclude file
vim /etc/httpd/modsecurity.d/00000_custom_exclude.conf
2. Add a custom rule
In this example the URL is: /foo/bar
Add this line to the file you created in Step 1:
SecRule REQUEST_URI "/foo/bar" "phase:1,id:1000000,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleEngine=DetectionOnly"
Important Note: See the section customizing rules below to pick a unique id for your rule above. Duplicate rule ids will cause the rule to not load.
3. Restart Apache
service httpd restart
Disabling Mod_Security Per domain
For Plesk Based Systems
For Plesk and similar systems you can also disable modsecurity in the Apache configuration.
1. Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
2. Add the following:
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>
Then restart Apache. If you are using Plesk, you will also need to follow steps 3 and 4.
3. Add vhost.conf to domain config
Plesk 9:
/usr/local/psa/admin/bin/websrvmng -a
Plesk 10/11:
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <domain_name>
4. Restart Apache
service httpd restart
For cPanel based systems with EasyApache 4
For full information about include file path expectations, see the official cPanel documentation, Modify Apache Virtual Hosts with Include Files.
1. Create the following paths, replacing <user> and <domain> with the correct values for your needs:
mkdir -p /etc/apache2/conf.d/userdata/ssl/2_4/<user>/<domain>
mkdir -p /etc/apache2/conf.d/userdata/std/2_4/<user>/<domain>
2. In each of the above paths, create a file named 'vhost.conf'
3. Add the lines below to this file:
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>
4. After any addition, modification or removal of userdata files, cPanel requires both of the following scripts to be run:
/usr/local/cpanel/scripts/rebuildhttpdconf
/usr/local/cpanel/scripts/restartsrv_httpd
For cPanel based systems with EasyApache 3
1. Create the custom modsecurity configuration directory for the domain
For example, if the domain is example.com, you would need to create this directory:
mkdir /usr/local/apache/conf/userdata/std/2/username/example.com
2. Change into this directory:
cd /usr/local/apache/conf/userdata/std/2/username/example.com
3. Create the file vhost.conf:
touch vhost.conf
4. Add the lines below to this file:
<IfModule mod_security2.c>
    SecRuleEngine Off
</IfModule>
5. Run the vhost includes script. For example, if the domain's username is "example":
/scripts/ensure_vhost_includes --user=example
Disabling Mod_security per domain for an IP address
For Plesk based systems
For Plesk and similar systems you can also disable modsecurity in the Apache configuration.
1. Edit the vhost/vhost_ssl.conf for the domain
vim /var/www/vhosts/<DOMAINNAME>/conf/vhost.conf
2. Add the following:
<IfModule mod_security2.c>
    SecRule REMOTE_ADDR "^1\.2\.3\.4$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
</IfModule>
Note: You must change id: to a number that you have not used for any other custom rule. Customer-generated rules should use the range 1-99999. Numbers above 99999 are reserved, will cause conflicts and are not supported.
3. Then restart Apache. If you are using Plesk, you will also need to continue with steps 4 and 5.
4. Add vhost.conf to domain config
Plesk 9:
/usr/local/psa/admin/bin/websrvmng -a
Plesk 10/11:
/usr/local/psa/admin/bin/httpdmng --reconfigure-domain <domain_name>
5. Restart Apache
service httpd restart
For cPanel based systems
1. Create the custom modsecurity configuration directory for the domain
For example, if the domain is example.com, you would need to create this directory:
mkdir /usr/local/apache/conf/userdata/std/2/username/example.com
2. Change into this directory:
cd /usr/local/apache/conf/userdata/std/2/username/example.com
3. Create the file vhost.conf:
touch vhost.conf
4. Add the lines below to this file:
<IfModule mod_security2.c>
    SecRule REMOTE_ADDR "^1\.2\.3\.4$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:9999"
</IfModule>
Note: You must change id: to a number that you have not used for any other custom rule. Customer-generated rules should use the range 1-99999. Numbers above 99999 are reserved, will cause conflicts and are not supported.
5. Run the vhost includes script. For example, if the domain's username is "example":
/scripts/ensure_vhost_includes --user=example
Disable a rule for a single domain
If you have AP installed:
Method 1:
- Log into the AP GUI, and go to
- Administration > Rule Management > rules search
- Type in the rule ID and the rule manager will pull up the rule.
- Under 'Ignore IP', enter the IP of the domain for which you would like to ignore this rule, then click 'Submit'
If you do not have AP installed you will have to do this manually:
1. Edit your domain's vhost.conf file (the location of this file varies by control panel; contact your control panel vendor for assistance)
vim vhost.conf
2. Add the LocationMatch for the rule to exclude. Example: rule id 950005
<LocationMatch .*>
    <IfModule mod_security2.c>
        SecRuleRemoveById 950005
    </IfModule>
</LocationMatch>
If you want to disable multiple rules:
3. Add the LocationMatch for the rules to exclude. Example: rule ids 950005 and 950006
<LocationMatch .*>
    <IfModule mod_security2.c>
        SecRuleRemoveById 950005
        SecRuleRemoveById 950006
    </IfModule>
</LocationMatch>
Disable a rule for all domains
With AP Installed
- Log into the AP GUI, and go to
- Administration > Rule Management > rules search
- Type in the rule ID and the rule manager will pull up the rule.
- Set "disabled" to yes and click update.
Per IP or network
Disable Mod_security for an IP address
- In AP UI go to Hub Access Control > Accesslist
- Add the IP address and reason for access listing
- Restart Apache
service httpd restart
Disable a rule by IP or network
You will need to create a custom rule, loaded after all your other rules. Let's say you wanted to exclude rule id 330039 for the network 1.2.0.0/16. You would construct a custom rule like this:
SecRule REMOTE_ADDR "@ipMatch 1.2.0.0/16" \
    "id:12345,phase:2,t:none,pass,nolog,noauditlog,ctl:ruleRemoveById=330039"
Note: @ipMatch can also take a list combining IPs and networks, for example:
@ipMatch 1.2.0.0/16,5.6.7.8,127.0.0.0/8
Warning: If the CIDR is invalid, this may cause a segfault of the mod_security module. Check to make sure your CIDR is valid before use.
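As an added example (not part of the original page or of Atomicorp's tooling), a small Python linter that catches the two mistakes this page warns about before Apache is restarted: duplicate or out-of-range rule ids (the 1-99999 customer range stated in the notes above) and invalid CIDRs in @ipMatch lists. The sample exclude file it checks is constructed for the example.

```python
import ipaddress
import re
import sys

ID_RE = re.compile(r'\bid:(\d+)')
IPMATCH_RE = re.compile(r'@ipMatch\s+([0-9a-fA-F.:/,]+)', re.IGNORECASE)
CUSTOM_ID_MIN, CUSTOM_ID_MAX = 1, 99999   # customer rule-id range stated on the page

# Constructed sample exclude file (not from any real server): one valid Host-based
# exclusion, one valid @ipMatch list, then a bad CIDR, a duplicate id and an out-of-range id.
SAMPLE_CONFIG = """\
SecRule REQUEST_HEADERS:Host "example\\.com$" \\
    "phase:1,id:91001,t:none,t:lowercase,pass,nolog,noauditlog,ctl:ruleRemoveById=123456"
SecRule REMOTE_ADDR "@ipMatch 1.2.0.0/16,5.6.7.8,127.0.0.0/8" \\
    "id:12345,phase:2,t:none,pass,nolog,noauditlog,ctl:ruleRemoveById=330039"
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/33" \\
    "id:12345,phase:2,t:none,pass,nolog,ctl:ruleEngine=DetectionOnly"
SecRule REQUEST_URI "/foo/bar" "phase:1,id:1000000,t:none,pass,nolog,ctl:ruleEngine=DetectionOnly"
"""

def lint_modsec_config(text):
    """Return [(line_number, message)] for each problem found in a config body."""
    findings, seen = [], {}          # seen: rule id -> line where it was first declared
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):   # Apache configs allow whole-line comments only
            continue
        for m in ID_RE.finditer(line):
            rid = int(m.group(1))
            if not CUSTOM_ID_MIN <= rid <= CUSTOM_ID_MAX:
                findings.append((lineno, f"id:{rid} is outside the customer range 1-99999"))
            if rid in seen:
                findings.append((lineno, f"id:{rid} duplicates line {seen[rid]}; the rule will not load"))
            else:
                seen[rid] = lineno
        for m in IPMATCH_RE.finditer(line):
            for item in m.group(1).split(','):
                try:
                    ipaddress.ip_network(item, strict=False)  # accepts single hosts and CIDRs
                except ValueError:
                    findings.append((lineno, f"invalid @ipMatch entry {item!r}"))
    return findings

if __name__ == '__main__':
    for path in sys.argv[1:] or ['<sample>']:
        text = SAMPLE_CONFIG if path == '<sample>' else open(path, encoding='utf-8').read()
        for lineno, msg in lint_modsec_config(text):
            print(f"{path}:{lineno}: {msg}")
```

Run it with no arguments to lint the built-in sample, or pass the paths of your custom exclude files (for example /etc/httpd/modsecurity.d/00_custom_exclude.conf) to check them in place.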
Per application
Disable modsecurity for a specific web application
Note: this is not recommended
Add a custom rule after all your rules have been loaded. For example, if you wanted to disable modsecurity for the application /foo/bar.cgi you would add a custom rule like this:
<LocationMatch /foo/bar.cgi>
    SecRuleEngine Off
</LocationMatch>