I have an Apache 2.2.29-1.4 with mod_security 2.8.0-5.25, which is a reverse proxy with mod_proxy_http for a local Java application.
I have false positives on some URLs and would like to whitelist some OWASP rules just on the given URIs.
Currently globally whitelisting a rule with
SecRuleRemoveById 960010
works perfectly
But both
<LocationMatch ^/(myapp/mymethod.do.*)$>
SecRuleRemoveById 960010
ProxyPassMatch http://localhost:8080/$1
</LocationMatch>
and
<Location "/myapp/mymethod.do">
SecRuleRemoveById 960010
</Location>
ProxyPass /myapp/mymethod.do http://localhost:8080/myapp/mymethod.do
ProxyPassReverse /myapp/mymethod.do http://localhost:8080/myapp/mymethod.do
do not whitelist the rule.
I also tried adding new mod_security rules to modify the existing ones, but whitelisting a URI always fails...
Any insight?
960010 is a phase 1 rule. Phase 1 runs before <location> directives are processed. So you need to write a rule with ModSecurity doing the location filtering for you rather than Apache.
Something like this:
This basically creates another rule which only fires for this URL and removes this rule. Note that this must be added BEFORE rule 960010 is defined. I've given the rule id of 12345 but change that to any free id less than 100,000 (above this is reserved for rule sets like OWASP).
More details on all the syntax in the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
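The approach described in the answer, written out as an added example (it is not the answer's original snippet, which did not survive on this page). It uses the ModSecurity 2.x `ctl:ruleRemoveById` action and the id 12345 mentioned above; the `Include` path is a placeholder for wherever the OWASP rule set is loaded on your system.

```apache
# Added example, not from the original answer.

# 1. Per-URI exclusion, evaluated by ModSecurity itself in phase 1.
#    REQUEST_URI includes the query string, so @beginsWith covers the same
#    requests as the question's ^/(myapp/mymethod.do.*)$ pattern.
#    "pass,nolog" lets the request continue through every other rule;
#    only 960010 is switched off for this transaction.
SecRule REQUEST_URI "@beginsWith /myapp/mymethod.do" \
    "id:12345,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960010"

# Narrower alternative: match the path exactly, ignoring the query string.
# Use this instead of the rule above if nothing else should share the prefix.
# SecRule REQUEST_FILENAME "@streq /myapp/mymethod.do" \
#     "id:12345,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=960010"

# 2. Load the rule set that defines 960010 only AFTER the exclusion rule.
#    Placeholder path: replace with your actual CRS include line.
Include /path/to/owasp-crs/*.conf

# 3. Proxy configuration stays as in the question; no <Location> block is
#    needed for the exclusion.
ProxyPass        /myapp/mymethod.do http://localhost:8080/myapp/mymethod.do
ProxyPassReverse /myapp/mymethod.do http://localhost:8080/myapp/mymethod.do
```

To confirm the scope, check the audit log after reloading: 960010 should no longer be reported for this URI and should still be reported for a triggering request to any other path.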