ModSecurity Rule

最後更新: 2021-07-21


Basic Configure


# DetectionOnly: log only

SecRuleEngine DetectionOnly


SecRuleEngine On

# Configures whether response bodies are to be buffered.

# This is only neccessary if data leakage detection and protection is required.

SecResponseBodyAccess On


SecResponseBodyAccess Off


ModSecurity Setting



# Configures whether request bodies will be buffered and processed by ModSecurity(POST data)

SecRequestBodyAccess On

# 當 POST 的 size 超過 SecRequestBodyLimit 時如何處理

SecRequestBodyLimitAction Reject

# Configures the maximum request body size that ModSecurity will store in memory.
# When a multipart/form-data request is being processed, once the in-memory limit is reached,
# the request body will start to be streamed into a temporary file on disk.

SecRequestBodyInMemoryLimit 131072

# file uploads. "413 Request Entity Too Large error"

SecRequestBodyLimit 15728640

# limits the size of POST data (不是 upload file 的 data)

SecRequestBodyNoFilesLimit 131072

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type

SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if your application does not use 'application/json'

SecRule REQUEST_HEADERS:Content-Type "application/json" \

# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).

SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

File uploads

The location where ModSecurity stores intercepted uploaded files

SecUploadDir /opt/modsecurity/var/upload

# allow group access the file

SecUploadFileMode 0660

# By default, only keep the files that were determined to be unusual in some way

#SecUploadKeepFiles RelevantOnly


SecResponseBodyAccess Off

PCRE library

# Sets the match limit in the PCRE library.

SecPcreMatchLimit 1000

SecPcreMatchLimitRecursion 1000


log location

SecDebugLog /var/log/httpd/modsec_debug.log

log level

# 1–3 are always copied to the Apache error log.
# 4: details of how transactions are handled

SecDebugLogLevel 0


# On / Off / RelevantOnly
# RelevantOnly: only the log transactions that have triggered a warning or an error

SecAuditEngine RelevantOnly

# Serial: Audit log entries will be stored in a single file
# Concurrent: One file per transaction is used for audit logging

SecAuditLogType Serial

# Configures which response status code is to be considered relevant for the purpose of audit logging.
# Must have SecAuditEngine set to RelevantOnly.
# The example provided would log all 5xx and 4xx level status codes, except for 404s.

SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Defines which parts of each transaction are going to be recorded in the audit log.
# A: Audit log header
# B: Request headers
# ...

SecAuditLogParts ABIJDEFHZ

# audit log Location

SecAuditLog /var/log/httpd/modsec_audit.log


# The location specified needs to be writable by the Apache user process.
# for stores temporary files

SecTmpDir /var/lib/mod_security

# Path where persistent data (e.g., IP address data, session data, and so on)

SecDataDir /var/lib/mod_security

# character to use as the separator for application/x-www-form- urlencoded content.

SecArgumentSeparator &











# A collection of all of the request headers


# Contains the status of the request body processor
# 0 (no error) or 1 (error)


# This is the transient transaction collection, which is used to store pieces of data

# ModSecurity processing flags


# Block the transactions whose scores are too high

SecRule TX:SCORE "@gt 20" "phase:2,id:83,log,deny"


# This variable holds the full name of the variable that was matched against.


Whitelist an IP address


# uninterrupted access (log rule alerts only)

SecRule REMOTE_ADDR "^192\.168\.1\100$" \
  id:2001 phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly

# disable both the rule and audit engines

SecRule REMOTE_ADDR "^192\.168\.1\100$" \
  id:2002 phase:1,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off


Whitelist by URL


SecRule REQUEST_URI "@beginsWith /favicon.ico" \
  "id:2003, phase:1, pass, nolog, ctl:ruleEngine=Off"