Symptoms
- Unable to disable ModSecurity rules with SecRuleRemoveById as described in the article "How to disable a single ModSecurity rule for a website?"
- The configuration files contain a SecRuleRemoveById directive, but the directive is ignored:
<IfModule mod_security2.c>
SecRuleRemoveById 340476
</IfModule>
  - If the ModSecurity rule was switched off at the Plesk server level, check the following configuration file:
/etc/httpd/conf/plesk.conf.d/server.conf
  - If the ModSecurity rule was switched off at the domain level, check the following configuration file:
/var/www/vhosts/system/example.com/conf/httpd.conf
- Access to a website page keeps being blocked with the following error:
HTTP 403 Forbidden
- Going to Domains > example.com > Web Application Firewall > Logs, the ModSecurity log file contains the following error message:
ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php
- Analyzing the error message: in the ModSecurity configuration file /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf, the rule with ID 340476 is defined inside a LocationMatch container:
# less /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf
...
<LocationMatch>
SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index.php?fuse=admin)"
"phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,msg:'Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)',deny,log,auditlog,status:403"
SecRule
...
</LocationMatch>
Cause
ModSecurity issue MODSEC-274: rules defined within a LocationMatch container cannot be excluded by the SecRuleRemoveById directive. The directive is silently ignored for such rules, so the rule keeps matching and the request is denied with HTTP 403.
Resolution
Note: This issue affects only rules defined inside a LocationMatch container. To disable other rules, the instructions in the article "How to disable a single ModSecurity rule for a website?" apply.
In order to disable such rules, a SecRule-based runtime exclusion has to be added to the Apache configuration files instead of SecRuleRemoveById:
- Go to Domains > example.com > Web Application Firewall > Logs and retrieve the URI and the matched rule ID from the log entry. For example:
ModSecurity: [file "/etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf"] [line "1437"] [id "340476"] [rev "32"] [msg "Atomicorp.com WAF Rules: Remote File Injection attempt in ARGS (/admin/index.php exclude)"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "beginsWith http://%{SERVER_NAME}/" against "MATCHED_VAR" required. [hostname "example.com"] [uri "/admin/index.php"] [unique_id "XOVxgU2H3CY34MT-xdWHsgAAAG8"], referer: https://example.com/admin/index.php
- Go to Domains > example.com > Apache and nginx Settings > Additional Apache directives, add the following lines to both the HTTP and HTTPS directives, and apply the changes:
<IfModule mod_security2.c>
SecRule REQUEST_FILENAME "@beginswith /admin/index.php" "id:1000001,phase:1,t:none,nolog…
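As an added example (not part of the original article, and not code from Plesk or the Atomicorp rule set), the following POSIX shell snippet shows the check behind the Cause section and the fix behind the Resolution in a form that runs locally. rule_container reports the LocationMatch container, if any, that encloses a given rule ID in a rules file, which is how to confirm that a rule falls under MODSEC-274 before trying SecRuleRemoveById again. runtime_exclusion emits the per-request exclusion rule; it is assumed here that the truncated directive above continues with pass,ctl:ruleRemoveById=<id>, ModSecurity 2.x's runtime rule-removal action, and the operator is written with its documented spelling @beginsWith. The rules file is a constructed excerpt modelled on the layout shown in the article; the <LocationMatch "^/admin/"> argument, the chained second rule and the exclusion rule ID 1000001 are assumed values.

```shell
#!/bin/sh
# Added example: check whether a ModSecurity rule sits inside a <LocationMatch>
# container (where SecRuleRemoveById cannot reach it, MODSEC-274) and emit the
# runtime exclusion that works instead. Not code from the article or Atomicorp.

# Constructed excerpt modelled on the layout shown in the article; the
# LocationMatch argument "^/admin/" and the chained rule are assumptions,
# not the contents of the real 10_asl_rules.conf.
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
SecRule ARGS "@contains ../" "id:340001,phase:2,t:none,deny,status:403"
<LocationMatch "^/admin/">
SecRule REQUEST_URI "!(pagemode=link_index|^/admin/index.php?fuse=admin)" \
    "phase:2,chain,t:none,t:urlDecodeUni,t:lowercase,id:340476,rev:32,severity:2,deny,log,auditlog,status:403"
    SecRule ARGS "!@beginsWith http://%{SERVER_NAME}/" "t:none"
</LocationMatch>
EOF

# rule_container FILE ID
# Prints the <LocationMatch ...> line enclosing rule ID, "none" if the rule is
# defined at top level, or "not-found" if no rule in FILE carries that ID.
rule_container() {
    awk -v id="$2" '
        /^[ \t]*<LocationMatch/    { container = $0; sub(/^[ \t]*/, "", container) }
        /^[ \t]*<\/LocationMatch>/ { container = "" }
        $0 ~ ("id:" id "([^0-9]|$)") {
            print (container == "" ? "none" : container)
            found = 1
            exit
        }
        END { if (!found) print "not-found" }
    ' "$1"
}

# runtime_exclusion URI_PREFIX RULE_ID [EXCLUSION_ID]
# Emits a phase-1 rule that removes RULE_ID for requests whose path starts with
# URI_PREFIX. phase:1 makes the ctl action run before the phase-2 rule it
# targets; the exclusion needs its own unique ID (default 1000001, assumed free).
runtime_exclusion() {
    printf 'SecRule REQUEST_FILENAME "@beginsWith %s" "id:%s,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=%s"\n' \
        "$1" "${3:-1000001}" "$2"
}

# id_in_use FILE ID
# Exit status 0 if ID is already defined in FILE; check this before picking an
# exclusion ID so the new rule does not collide with an existing one.
id_in_use() {
    grep -Eq "id:$2([^0-9]|\$)" "$1"
}

# Walk-through for the article's case.
echo "rule 340476 container: $(rule_container "$RULES_FILE" 340476)"
echo "rule 340001 container: $(rule_container "$RULES_FILE" 340001)"
if id_in_use "$RULES_FILE" 1000001; then
    echo "id 1000001 already taken, choose another exclusion ID"
else
    runtime_exclusion /admin/index.php 340476
fi
```

Run it against the real rules file (rule_container /etc/httpd/conf/modsecurity.d/rules/tortix/modsec/10_asl_rules.conf 340476) to see which container the rule lives in; a result other than "none" is the MODSEC-274 case. The emitted SecRule is what goes into both the HTTP and HTTPS "Additional Apache directives" fields, inside the same IfModule mod_security2.c wrapper the article shows, and its ID must be unique across every loaded rule set, not just the file checked here.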