WordPress网站上适用于ModSecurity的Apache LocationMatch通配符 [英] Apache LocationMatch wildcard for ModSecurity on wordpress site

问题描述

我在运行WordPress网站的Ubuntu 14.04 Apache 2.4.7上安装了mod_security.我有一些需要忽略的规则，但是我在实现一些通配符规则时遇到了麻烦，因此不必指定每个页面.

I'm have mod_security installed on an Ubuntu 14.04 Apache 2.4.7 running a WordPress site. I have a handful of rules that I need to ignore, but I'm having trouble implementing some wildcard rules so that I don't have to specify each and every page..

我的site.conf文件中的内容是...

What I have (in my site.conf file) is...

  <LocationMatch "/wp-admin/post.php">
     SecRuleRemoveById 300016
  </LocationMatch>

  <LocationMatch "/wp-admin/nav-menus.php">
     SecRuleRemoveById 300016
  </LocationMatch>

  <LocationMatch "(/wp-admin/|/wp-login.php)">
     SecRuleRemoveById 950117
     SecRuleRemoveById 950005
     SecRuleRemovebyID 981173
     SecRuleRemovebyId 960024
  </LocationMatch>

    <LocationMatch "/wp-admin/load-scripts.php">
     SecRuleRemoveById 981173
    </LocationMatch>


    <LocationMatch "/wp-admin/plugins.php">
     SecRuleRemoveById 981173
    </LocationMatch>

    <LocationMatch "/wp-admin/customize.php">
     SecRuleRemoveById 981173
    </LocationMatch>

我想要的是将所有内容合并为一个在wp-admin和wp-login上使用通配符的规则.

What I want is to consolidate everything into a single rule that uses a wildcard on wp-admin and wp-login.

我已经尝试了以下方法，但由于mod_security引发了拒绝，因此它似乎被忽略了.

I've tried the following but it seems to be ignored as mod_security is throwing denials..

<LocationMatch "(/wp-admin/*|/wp-login/*)">
....

还有

<LocationMatch "(/wp-admin/*)">
....

还有

<Location "/wp-admin/*">
....

我已经对LocationMatch和regex进行了一些研究，但是我在这里没有得到什么.我想做的事有可能吗?

I've done some research on LocationMatch and regex but I'm not getting something here. Is what I'm waning to do possible?

modsec_audit.log中的引荐来源网址为http://www.<site>.com/wp-admin/customize.php?theme=modality

The referrer URL in the modsec_audit.log is http://www.<site>.com/wp-admin/customize.php?theme=modality

推荐答案

这应该有效:

<LocationMatch "/wp-(admin|login)/">

您在这里不需要通配符，因为您只想检测路径的开始，并且与第二个斜杠之后的内容无关紧要.

You don't need a wildcard here, because you just want to detect the beginning of the path and it doesn't matter, what comes after the 2nd slash.

对于Location，您需要~来触发正则表达式解释:

For Location, you need a ~ to trigger the regex interpretation:

<Location ~ "/wp-(admin|login)/">

更多详细信息:

• https://httpd.apache.org/docs/2.2/mod/core.html#location (请注意有关此处的斜杠的评论)
• https://httpd.apache.org/docs/2.2/mod/core.html#locationmatch

• https://httpd.apache.org/docs/2.2/mod/core.html#location (please note the comments about trailing slashes there)
• https://httpd.apache.org/docs/2.2/mod/core.html#locationmatch

这篇关于WordPress网站上适用于ModSecurity的Apache LocationMatch通配符的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！