Mod security - Having problems with mod security: Difference between revisions
From Online Manual

(Removing the first-person tense.)
No edit summary
 
(21 intermediate revisions by 7 users not shown)
Line 1: Line 1:
Some hosts have begun to install something called mod_security.  This filters posts and URLs for certain key words, and, if they are found, displays an error.  Many people are experiencing problems because of this.  Problems include weird "403" or access denied errors, login problems, and similar.
Some hosts have something called mod_security installed on their server.  This is a module added to the server application which is supposed to provide additional back-end security checks on the other software running on the server.  While it can be useful, when properly configured, many hosts do not configure it correctly.  As a result, it triggers security protocols on standard actions which should be allowed, causing errors which include "403" or "Access denied" errors, 404 errors, login problems, difficulties with modifying categories and boards, or similar issues.


For example, if one was to post this: ''Have you ever used cURL?  You can find information about it at http://curl.haxx.se/.  More specifically, libcurl is useful for accessing URLs in a program - it could be helpful if you're a programmer.''
The following is an example of a post which would generate an error if mod_security is enabled on a server: ''Have you ever used cURL?  You can find information about it at http://curl.haxx.se/.  More specifically, libcurl is useful for accessing URLs in a program.  It could be helpful if you're a programmer.''


On a server with mod_security enabled, the poster would get an error.  This error is unpreventable by SMF, because it's created by the server and Apache, before SMF even gets a say in anything.
SMF cannot prevent this error, because it is created by the server and Apache, before SMF even gets a say in anything.  However, depending on your host, it may be possible to disable this unnecessary and unwanted behaviour.  Since SMF is able to filter requests without resorting to grasping blindly at keywords, disabling mod_security should be completely safe.  It is recommended that you talk to your host about having the mod_security filtering rules changed.


However, depending on your host, it may be possible to disable this unnecessary and unwanted behavior.  Since SMF is able to (properly) filter requests without resorting to blindly grasping at keywords, doing so should be completely safe.  It is recommended that you talk to your host about having the mod_security filtering rules changed.
To try to disable it, you need a file called .htaccess.  If you already have a file with that name, you need to open it with a decent text editor such as Notepad++, and add the code below to it (at the top or at the bottom).  Make sure, however, to create a backup before overwriting anything.  If you do not already have this file, create it.  If your desktop PC will not allow you to edit a file called .htaccess, create the file with another name, such as .htaccess.txt.  You can rename it after you load it up to the server. Put the following in the htaccess file:
 
To try to disable it, create a file with the name "htaccess.txt" and put the following in it:
{{code|<IfModule mod_security.c>
{{code|<IfModule mod_security.c>
# Turn off mod_security filtering.  SMF is a big boy, it doesn't need its hands held.
# Turn off mod_security filtering.
SecFilterEngine Off
SecFilterEngine Off


# The below probably isn't needed, but better safe than sorry.
# The next part below probably is not needed, but better safe than sorry.
SecFilterScanPOST Off
SecFilterScanPOST Off
</IfModule>}}
</IfModule>}}


Upload it to your server, and then rename it to ''.htaccess'' (that's right, it starts with a dot.) If you already have a file with that name, you'll want to open it with a text editor such as Notepad, and add the above to it (top or bottom.) Create a backup, though, before overwriting anything.
Upload this to your server.  If you used a different name, delete the .htaccess file on the server and rename the new file .htaccess.
 
If your host does not allow you to disable mod_security, the forum may no longer load. If this happens, just remove the code which was added or replace the file with the backup you made earlier.  If you have to do this it means that you cannot disable mod_security filtering.  Instead, you can ask your host if they can disable mod_security for you.  If they will not disable it, and you do not wish to continue to have problems with your forum which mod_security causes, you can seek out a new host.  Note, in addition, that problems with mod_security occur frequently with oversold hosts.


[[How do I modify files|How do I modify files?]]
----


If your host doesn't allow you to disable mod_security, the forum will no longer load.  Don't fret if this happens, just delete the .htaccess file or replace it with the backup you made. However, if this happens, you will not be able to disable mod_security's filtering.
If your issue with mod_security is generating a 403 (forbidden) or a 406 (not acceptable) error page, or just returning you to the forum index, when you try to create or edit a category, please try this only if using SMF 2.0.* [http://www.simplemachines.org/community/index.php?action=dlattach;topic=530729.0;attach=237949 patch file].  It has been successful in several instances thus far. If it continues to be reported as successful (please report your findings [http://www.simplemachines.org/community/index.php?topic=530729.0 here]), we will incorporate it into future versions of SMF 2.0.


[[category:FAQ]]
[[category:FAQ]]

Latest revision as of 20:21, 31 May 2015

Some hosts have something called mod_security installed on their server. This is a module added to the server application which is supposed to provide additional back-end security checks on the other software running on the server. While it can be useful, when properly configured, many hosts do not configure it correctly. As a result, it triggers security protocols on standard actions which should be allowed, causing errors which include "403" or "Access denied" errors, 404 errors, login problems, difficulties with modifying categories and boards, or similar issues.

The following is an example of a post which would generate an error if mod_security is enabled on a server: "Have you ever used cURL? You can find information about it at http://curl.haxx.se/. More specifically, libcurl is useful for accessing URLs in a program. It could be helpful if you're a programmer."

SMF cannot prevent this error, because it is created by the server and Apache, before SMF even gets a say in anything. However, depending on your host, it may be possible to disable this unnecessary and unwanted behaviour. Since SMF is able to filter requests without resorting to grasping blindly at keywords, disabling mod_security should be completely safe. It is recommended that you talk to your host about having the mod_security filtering rules changed.

To try to disable it, you need a file called .htaccess. If you already have a file with that name, open it with a decent text editor such as Notepad++ and add the code below to it (at the top or at the bottom). Make sure, however, to create a backup before overwriting anything. If you do not already have this file, create it. If your desktop PC will not allow you to edit a file called .htaccess, create the file with another name, such as .htaccess.txt. You can rename it after you upload it to the server. Put the following in the .htaccess file:

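# The module name and directives below are ModSecurity 1.x syntax.
# ModSecurity 2.x loads as mod_security2.c and uses SecRuleEngine instead,
# so on a 2.x server this IfModule block does not match and is skipped.
<IfModule mod_security.c>
	# Turn off mod_security filtering.
	SecFilterEngine Off

	# The next part below probably is not needed, but better safe than sorry.
	SecFilterScanPOST Off
</IfModule>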

Upload this to your server. If you used a different name, delete the .htaccess file on the server and rename the new file .htaccess.

If your host does not allow you to disable mod_security, the forum may no longer load. If this happens, just remove the code which was added or replace the file with the backup you made earlier. If you have to do this, it means that you cannot disable mod_security filtering yourself. Instead, you can ask your host if they can disable mod_security for you. If they will not disable it, and you do not wish to continue having the problems which mod_security causes on your forum, you can seek out a new host. Note, in addition, that problems with mod_security occur frequently with oversold hosts.
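When asking the host to change the filtering rules, it helps to name the exact rules that blocked the forum rather than requesting a global disable. The following is an added example, not part of the SMF manual: it assumes you can read the Apache error log, that the host runs ModSecurity 2.x (whose denial lines carry `[id "..."]` and `[uri "..."]` fields and which provides `SecRuleRemoveById`), and it uses constructed log lines; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Apache error-log format written by ModSecurity 2.x.
# Rule ids, paths, addresses and the hostname are made up for illustration.
SAMPLE_LOG = """\
[Sun May 31 20:01:12 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "curl" at ARGS:message. [file "/etc/modsec/rules.conf"] [line "41"] [id "900001"] [msg "Keyword in request body"] [hostname "forum.example.com"] [uri "/forum/index.php"] [unique_id "AAAA"]
[Sun May 31 20:02:05 2015] [error] [client 192.0.2.11] File does not exist: /var/www/favicon.ico
[Sun May 31 20:04:30 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "curl" at ARGS:message. [file "/etc/modsec/rules.conf"] [line "41"] [id "900001"] [msg "Keyword in request body"] [hostname "forum.example.com"] [uri "/forum/index.php"] [unique_id "BBBB"]
[Sun May 31 20:09:47 2015] [error] [client 192.0.2.12] ModSecurity: Access denied with code 406 (phase 2). Pattern match "category" at ARGS:action. [file "/etc/modsec/rules.conf"] [line "77"] [id "900002"] [msg "Keyword in query string"] [hostname "forum.example.com"] [uri "/forum/index.php"] [unique_id "CCCC"]
"""

DENIED = re.compile(r"ModSecurity: Access denied with code (\d{3})")
FIELD = re.compile(r'\[(id|msg|uri) "((?:[^"\\]|\\.)*)"\]')
SAFE_URI = re.compile(r"^/[\w./-]*$")  # the URI is client-controlled: be strict

def blocked_requests(log_text):
    """Yield (status, rule_id, uri, msg) for every ModSecurity denial line."""
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue
        fields = dict(FIELD.findall(line))
        rule_id, uri = fields.get("id", ""), fields.get("uri", "")
        if rule_id.isdigit() and SAFE_URI.match(uri):
            yield denied.group(1), rule_id, uri, fields.get("msg", "")

def summarize(log_text):
    """Count denials per (rule id, URI), most frequent first."""
    hits = Counter((rid, uri) for _, rid, uri, _ in blocked_requests(log_text))
    return hits.most_common()

def exclusion_request(log_text):
    """Render per-rule, per-path exclusions for the host to review."""
    by_uri = {}
    for (rid, uri), count in summarize(log_text):
        by_uri.setdefault(uri, []).append((rid, count))
    out = []
    for uri, rules in by_uri.items():
        out.append(f'<Location "{uri}">')
        for rid, count in rules:
            out.append(f"    # {count} denial(s) logged for rule {rid}")
            out.append(f"    SecRuleRemoveById {rid}")
        out.append("</Location>")
    return "\n".join(out)

if __name__ == "__main__":
    print(exclusion_request(SAMPLE_LOG))
```

The output is a request for the host to review and place in the server configuration, not something to paste into .htaccess; every other rule stays active for the rest of the site.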


If mod_security generates a 403 (forbidden) or a 406 (not acceptable) error page, or just returns you to the forum index, when you try to create or edit a category, please try this patch file (http://www.simplemachines.org/community/index.php?action=dlattach;topic=530729.0;attach=237949), but only if you are using SMF 2.0.*. It has been successful in several instances thus far. If it continues to be reported as successful (please report your findings at http://www.simplemachines.org/community/index.php?topic=530729.0), we will incorporate it into future versions of SMF 2.0.


