When running phpMyAdmin under ModSecurity 2.5.x, you might encounter false positives that block legitimate SQL queries. The proper way to handle this isn't to disable ModSecurity entirely, but to create targeted exceptions.
Your current approach has two issues:
```apache
# Problem 1: Syntax inconsistency
<LocationMatch "^/phpMA/">
    SecRuleEngine Off
</LocationMatch>
# Problem 2: Rules might load in wrong order
<LocationMatch '^/phpMA/*'>
    SecRuleRemoveById 950004
    ...
</LocationMatch>
```
Create a dedicated configuration file:
```apache
# /etc/httpd/conf.d/modsecurity_phpmyadmin.conf
<Directory "/var/www/html/phpMA">
    SecRuleEngine DetectionOnly
    SecRuleRemoveById 950004 950005 950006 960010 960012
    SecAuditEngine Off
    SecRequestBodyAccess Off
</Directory>
```
After making changes:
```bash
apachectl configtest
service httpd graceful
tail -f /var/log/modsec_audit.log
```
For more granular control:
```apache
SecRule REQUEST_URI "@beginsWith /phpMA" \
    "id:1000,phase:1,nolog,pass,ctl:ruleRemoveById=950004-950006"
```
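Disabling individual rules is better than turning off the engine completely. DetectionOnly mode still logs rule matches while allowing the traffic through. Note that with SecAuditEngine Off in the Directory block above, those matches are not written to the audit log for that path.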
When running phpMyAdmin under Apache with ModSecurity enabled, you'll frequently encounter false positives from security rules. These rules (like 950004, 950005, etc.) often block legitimate SQL queries or administrative operations.
The issue with your current setup appears to be in the pattern matching. Here's the corrected version:
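```apache
# /etc/httpd/modsecurity.d/phpmyadmin_exclusion.conf
<LocationMatch "^/phpMA(/.*)?$">
    # With the engine off, no rules are evaluated for this location,
    # so the SecRuleRemoveById line below has no additional effect.
    SecRuleEngine Off
    SecRuleRemoveById 950004 950005 950006 960010 960012
</LocationMatch>
```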
- Combined both configurations into a single file for better maintenance
- Fixed the regex pattern to properly match all subdirectories
- Simplified rule management by putting all directives in one block
After implementing these changes:
```bash
sudo apachectl configtest
sudo apachectl graceful
```
Check your error logs for ModSecurity activity:
```bash
tail -f /var/log/httpd/error_log | grep ModSecurity
```
If regex patterns aren't working, try the Directory directive:
```apache
<Directory "/var/www/html/phpMA">
    SecRuleEngine Off
    SecRuleRemoveByTag "OWASP_CRS"
</Directory>
```
While disabling ModSecurity for phpMyAdmin can solve immediate problems, consider these security measures:
- Restrict phpMyAdmin access via IP whitelisting
- Implement HTTP authentication
- Use HTTPS exclusively
- Consider moving phpMyAdmin to a non-standard port
If rules persist despite your configuration:
- Check for duplicate ModSecurity inclusions
- Verify the load order of your configuration files
- Ensure there are no conflicting .htaccess rules
- Test with ModSecurity fully disabled first (SecRuleEngine Off globally) to isolate the issue
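To keep the exception list as small as possible, the rule IDs that actually fire under the phpMyAdmin path can be tallied from the Apache error log and turned into a SecRuleRemoveById line. This is an added example, not code from the original answers; the log lines are constructed samples in the ModSecurity 2.x error_log layout, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the ModSecurity 2.x Apache error_log layout (not real traffic).
SAMPLE_LOG = '''\
[Tue Mar 06 10:01:02 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/sample.conf"] [line "10"] [id "950004"] [msg "constructed"] [uri "/phpMA/sql.php"] [unique_id "s1"]
[Tue Mar 06 10:01:09 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/sample.conf"] [line "20"] [id "960010"] [msg "constructed"] [uri "/phpMA/import.php"] [unique_id "s2"]
[Tue Mar 06 10:02:30 2012] [error] [client 192.0.2.10] ModSecurity: Warning. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "10"] [id "950004"] [msg "constructed"] [uri "/phpMA/sql.php"] [unique_id "s3"]
[Tue Mar 06 10:03:00 2012] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/sample.conf"] [line "30"] [id "950005"] [msg "constructed"] [uri "/phpMAster/x.php"] [unique_id "s4"]
[Tue Mar 06 10:03:05 2012] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/sample.conf"] [line "40"] [id "960012"] [msg "constructed"] [uri "/index.php"] [unique_id "s5"]
[Tue Mar 06 10:03:06 2012] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
'''

# ModSecurity appends metadata as [key "value"] pairs; values may hold escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return the metadata fields of a ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "id" in fields and "uri" in fields else None

def under_prefix(uri, prefix):
    """True for the prefix itself or anything below it, like ^/phpMA(/.*)?$ (not /phpMAster)."""
    path = uri.split("?", 1)[0]
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def rule_hits(log_text, prefix):
    """Count ModSecurity rule IDs that matched on requests under the given URI prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and under_prefix(fields["uri"], prefix):
            hits[fields["id"]] += 1
    return hits

def removal_directive(hits):
    """Build a SecRuleRemoveById line listing only the rules that actually fired."""
    ids = sorted(hits, key=int)
    return "SecRuleRemoveById " + " ".join(ids) if ids else ""

if __name__ == "__main__":
    hits = rule_hits(SAMPLE_LOG, "/phpMA")
    for rule_id, count in hits.most_common():
        print(f"{rule_id}\t{count}")
    print(removal_directive(hits))
```

Review each listed rule before removing it: an ID that fires on phpMyAdmin traffic may be a false positive or a real attack against that path.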