如何在.htaccess中禁用mod_security和mod_security2 [英] How to disable mod_security and mod_security2 in .htaccess

问题描述

我创建了一个Wordpress插件，该插件很受欢迎，但是我收到很多抱怨，称它不起作用。登录许多用户的WP网站后（询问管理员密码后），我注意到我无法轻易解决的最后一个问题是mod_security和mod_security2阻止了一些AJAX请求或.htaccess，这在某些配置上导致500错误。

I've created a Wordpress plugin which became popular but I'm getting lots of complaints that it's not working. After logging in to many user's WP websites(after asking for admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests or .htaccess which is causing 500 error on some configurations.

首先，为什么这段代码会导致某些服务器返回500错误

So first of all why is this piece of code causing some servers to return 500 error

<IfModule mod_security2.c>
  SecRuleRemoveById 300015
  SecRuleRemoveById 300016
  SecRuleRemoveById 300017
  SecRuleRemoveById 950907
  SecRuleRemoveById 950005
  SecRuleRemoveById 950006
  SecRuleRemoveById 960008
  SecRuleRemoveById 960011
  SecRuleRemoveById 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61

在其他服务器上通过id删除规则会导致500错误：

on other servers removing rules by id this way is causing 500 error:

<IfModule mod_security.c>
  SecRuleRemoveById 300015
  ...
  SecRuleRemoveById phpids-61
</IfModule>

因此，目前唯一不会导致任何服务器崩溃的工作是

so for now the only working thing which is not causing any server to crash is

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

但是对于具有mod_security2的服务器来说还不够！

but it's not enough for servers with mod_security2 !

如何编写跨服务器.htaccess文件，我应该添加哪些IF条件以在任何适用的位置禁用mod_security和mod_security2并且在其他配置上不会引起500错误？

How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?

编辑：
不仅在Apache中。在任何使用.htaccess的地方。

Not only in Apache. Anywhere where .htaccess is used.

推荐答案

显示告诉联系服务器管理员的消息将是最后要做的事情。首先，我将尝试使用以下解决方案之一来自动创建配置：

Displaying a message telling to contact server administrator will be the last thing to do. First of all I'll try one of this solutions for automatic config creation:

在子文件夹中创建2-3个沙盒化的.htaccess配置

Create 2-3 sandboxed .htaccess configs in subfolders

1. 在插件激活测试过程中，使用模拟的远程AJAX测试逐一配置


2. 从最佳常规设置子文件夹开始


3. 在此文件夹中检查AJAX代理脚本调用以及图像，样式等文件的访问权限


4. 找到成功（取消阻止且不崩溃）的配置后，保存选定的.htaccess文件到包含AJAX代理PHP文件的文件夹中


5. 如果所有配置（或内置的wordpress AJAX脚本-不太可靠）都无法正常运行，则会显示错误，提示您联系服务器管理员以允许htaccess对于给定的文件夹

1. During plugin activation test configs one by one with simulated remote AJAX test
2. Start from the best general settings config subfolder
3. Check for AJAX proxy script calls and image, style etc. files access in this folder
4. After finding successful(unblocking and not crashing) config, save selected .htaccess file to the folder containing AJAX proxy PHP file
5. If none of the configs (or built-in wordpress AJAX script - not very reliable) is functional display an error telling to contact server admin to allow htaccess for given folder

OR

1. 检查仅当使用mod_security2来防止
   基本mod_security崩溃时，才使用PHP加载的模块


2. 添加SecRuleRemoveById id

这篇关于如何在.htaccess中禁用mod_security和mod_security2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！