Exclude file extensions from Mod Security

NTar

• May 30, 2015 17:24

Hi guys, After resolving all problems with Mod Security, I've got one question left. It seems Mod Security forbids loading custom .ttf files (generally uploaded and enabled by our users themselves) for any visitor. Is it possible to add an except for these files? For example, I've made this code below. Of course, it doesn't work since I don't have knowledge how to exclude specific files from being banned by Mod Security, so I used an existing rule using DirectoryMatch.
SecRuleRemoveById 950001 SecRuleRemoveById 950109 SecRuleRemoveById 950901 SecRuleRemoveById 958056 SecRuleRemoveById 958030 SecRuleRemoveById 958057 SecRuleRemoveById 958030 SecRuleRemoveById 958977 SecRuleRemoveById 959073 SecRuleRemoveById 959072 SecRuleRemoveById 960024 SecRuleRemoveById 960915 SecRuleRemoveById 970015 SecRuleRemoveById 970901 SecRuleRemoveById 973335 SecRuleRemoveById 973333 SecRuleRemoveById 973340 SecRuleRemoveById 973342 SecRuleRemoveById 973343 SecRuleRemoveById 973304 SecRuleRemoveById 973334 SecRuleRemoveById 973332 SecRuleRemoveById 973327 SecRuleRemoveById 973324 SecRuleRemoveById 973300 SecRuleRemoveById 973302 SecRuleRemoveById 970003 SecRuleRemoveById 973317 SecRuleRemoveById 973306 SecRuleRemoveById 913342 SecRuleRemoveById 973350 SecRuleRemoveById 950907 SecRuleRemoveById 981205 SecRuleRemoveById 981251 SecRuleRemoveById 981244 SecRuleRemoveById 981255 SecRuleRemoveById 981249 SecRuleRemoveById 981242 SecRuleRemoveById 981231 SecRuleRemoveById 981256 SecRuleRemoveById 981243 SecRuleRemoveById 981245 SecRuleRemoveById 981246 SecRuleRemoveById 981257 SecRuleRemoveById 981173 SecRuleRemoveById 981318 SecRuleRemoveById 981317 SecRuleRemoveById 981248 SecRuleRemoveById 981240 SecRuleRemoveById 981204
I hope someone will help me out. Thanks! :) - NTar

• 

  NTar

  • May 31, 2015 16:41

  Can someone please help? cPanel helpdesk redirects me to

  0
• 

  NTar

  • May 31, 2015 17:16

  I've looking deeper to the problem and I can confirm the issue was blocking cross origin. Adding this to my virtual host seems to fix the issue.
  

  ]
  • # Always set these headers.
  • Header always set Access-Control-Allow-Origin "*"
  • Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
  • Header always set Access-Control-Max-Age "1000"
  • Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
  • # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
  • RewriteEngine On
  • RewriteCond %{REQUEST_METHOD} OPTIONS
  • RewriteRule ^(.*)$ $1 [R=200,L]

  
  Now I need to find a way to unblock .js files. :) I've listened the error below.
  "NetworkError: 500 Internal Server Error - http://domain*.com/*fontname*.font.js" ReferenceError: Cufon is not defined - Cufon.replace('.cufon_headings',{ fontFamily: 'cufon', hover:'true' });
  

  0
• 

  quizknows

  • May 31, 2015 18:20

  Can you post the modsecurity error from the Apache error log that occurs?

  0
• 

  cPanelMichael

  • June 02, 2015 12:48

  Hello, Yes, the error in /usr/local/apache/logs/error_log should help you determine the rule ID that's preventing access. Thank you.

  0
• 

  NTar

  • June 02, 2015 13:06

  Thanks for pointing out where to locate the error_log. The error_log is about 200 Mb big in just a month. :eek: There are a lot of errors to find here, I've mentioned the three most noticeable errors below.
  [:error] [pid 16105] [client 94.215.**.***] ModSecurity: Geo Lookup: Failed to lock proc mutex: Permission denied [hostname "*domain*"> [uri "/wp-content/themes/template/functions/admin_options/stylesheets/admin_options.css"> [unique_id "VWWRT5XS1W0AAD7pGoEAAAAC"> [:error] [pid 12364] [client 145.7.***.**] ModSecurity: collections_remove_stale: Failed to access DBM file "/var/cpanel/secdatadir/ip": Permission denied [hostname "*domain*"> [uri "/wp-content/uploads/2013/04/image92382-170x113.jpg"> [unique_id "VWa-iJXS1W0AADBMxMUAAAAQ"> [core:error] [pid 9106] [client 95.97.***.**] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: *domain*
  Especially the last one is something to look about. I've tried to Google about it, but I didn't find a workaround to fix it. Looking forward to your reply! Thanks!

  0
• 

  quizknows

  • June 02, 2015 19:21

  The internal redirects is either a problem with code, or an infinite redirect loop caused by an htaccess error. Most likely it has nothing to do with modsecurity unless the sites custom 404 handling is redirecting someone to a page which is blocked by modsecurity. That would be obvious if it was happening though. The Geo Lookup and collections errors won't result in any particular file extensions being blocked. They are discussed in some other ModSecurity threads on here. As far as I know, ModSecurity should not be restricting any access to .ttf files. If it were you would see an obvious error telling you that. As far as I can tell your 500 error referenced earlier is likely an application coding error.

  0

Please sign in to leave a comment.