WordPress网站上适用于ModSecurity的Apache LocationMatch通配符 [英] Apache LocationMatch wildcard for ModSecurity on wordpress site
问题描述
我在运行WordPress网站的Ubuntu 14.04 Apache 2.4.7上安装了mod_security.我有一些需要忽略的规则,但是我在实现一些通配符规则时遇到了麻烦,因此不必指定每个页面.
I'm have mod_security installed on an Ubuntu 14.04 Apache 2.4.7 running a WordPress site. I have a handful of rules that I need to ignore, but I'm having trouble implementing some wildcard rules so that I don't have to specify each and every page..
我的site.conf文件中的内容是...
What I have (in my site.conf file) is...
<LocationMatch "/wp-admin/post.php">
SecRuleRemoveById 300016
</LocationMatch>
<LocationMatch "/wp-admin/nav-menus.php">
SecRuleRemoveById 300016
</LocationMatch>
<LocationMatch "(/wp-admin/|/wp-login.php)">
SecRuleRemoveById 950117
SecRuleRemoveById 950005
SecRuleRemovebyID 981173
SecRuleRemovebyId 960024
</LocationMatch>
<LocationMatch "/wp-admin/load-scripts.php">
SecRuleRemoveById 981173
</LocationMatch>
<LocationMatch "/wp-admin/plugins.php">
SecRuleRemoveById 981173
</LocationMatch>
<LocationMatch "/wp-admin/customize.php">
SecRuleRemoveById 981173
</LocationMatch>
我想要的是将所有内容合并为一个在wp-admin
和wp-login
上使用通配符的规则.
What I want is to consolidate everything into a single rule that uses a wildcard on wp-admin
and wp-login
.
我已经尝试了以下方法,但由于mod_security引发了拒绝,因此它似乎被忽略了.
I've tried the following but it seems to be ignored as mod_security is throwing denials..
<LocationMatch "(/wp-admin/*|/wp-login/*)">
....
还有
<LocationMatch "(/wp-admin/*)">
....
还有
<Location "/wp-admin/*">
....
我已经对LocationMatch和regex进行了一些研究,但是我在这里没有得到什么.我想做的事有可能吗?
I've done some research on LocationMatch and regex but I'm not getting something here. Is what I'm waning to do possible?
modsec_audit.log中的引荐来源网址为http://www.<site>.com/wp-admin/customize.php?theme=modality
The referrer URL in the modsec_audit.log is http://www.<site>.com/wp-admin/customize.php?theme=modality
推荐答案
这应该有效:
<LocationMatch "/wp-(admin|login)/">
您在这里不需要通配符,因为您只想检测路径的开始,并且与第二个斜杠之后的内容无关紧要.
You don't need a wildcard here, because you just want to detect the beginning of the path and it doesn't matter, what comes after the 2nd slash.
对于Location
,您需要~
来触发正则表达式解释:
For Location
, you need a ~
to trigger the regex interpretation:
<Location ~ "/wp-(admin|login)/">
更多详细信息:
- https://httpd.apache.org/docs/2.2/mod/core.html#location (请注意有关此处的斜杠的评论)
- https://httpd.apache.org/docs/2.2/mod/core.html#locationmatch
- https://httpd.apache.org/docs/2.2/mod/core.html#location (please note the comments about trailing slashes there)
- https://httpd.apache.org/docs/2.2/mod/core.html#locationmatch
这篇关于WordPress网站上适用于ModSecurity的Apache LocationMatch通配符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!