ModSecurity: disable specific rules to stop unwanted 403 responses

1. ModSecurity's default audit log path is /var/log/modsec_audit.log

Check the log to see which rule was violated, then disable that rule. For example:

ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `IP:PORT' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "722"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "IP:PORT"] [severity "4"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.22.163"] [uri "/common/js/vue.min.js"] [unique_id "16566542606.086001"] [ref "o0,18v41,18"]

The log above shows that the request to IP:PORT violated the rule with id 920350 in the configuration file /etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf, located at line 722 of that file.

Rule description: the Host header of the request is a numeric IP address

---lIGbRidu---H--
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\w/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['\"\w.()+,/:=?<>@-]+)*$' against variable `REQUEST_HEADERS:Content-Type' (Value: `application/json;' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "901"] [id "920470"] [rev ""] [msg "Illegal Content-Type header"] [data "application/json;"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "192.168.22.163"] [uri "/2fa/getQRCode"] [unique_id "16566557539.331352"] [ref "v301,17t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.22.163"] [uri "/2fa/getQRCode"] [unique_id "16566557539.331352"] [ref ""]

---lIGbRidu---Z--

The log above shows that this request violated the rule with id 920470 in the configuration file /etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf, located at line 901 of that file, as well as

the rule with id 949110 in the configuration file /etc/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf, located at line 80 of that file.

Rule description: Inbound Anomaly Score Exceeded (Total Score: 5)

2. Disable rules by id:

Global disable:

Add the following configuration to /etc/nginx/modsecurity/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:

# Disable the rules with id 920350, 920470 and 949110
SecRuleRemoveById 920350 920470 949110
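The two steps above (read the audit log to find the rule ids, then write an exclusion) can be automated. The script below is an added example, not part of the original post or of the ModSecurity/CRS projects. It parses the bracketed `[key "value"]` fields of the audit-log lines quoted above, recomputes each transaction's inbound anomaly score from the CRS default severity-to-points mapping (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2, threshold 5), and generates exclusion directives. It goes slightly beyond the post in two ways: it treats rules from the `*-BLOCKING-EVALUATION.conf` files (here 949110) as the scoring evaluator rather than a detection rule, because removing 949110 switches off anomaly-score blocking altogether instead of fixing one false positive; and besides the global `SecRuleRemoveById` line it also renders a per-URI runtime exclusion (`ctl:ruleRemoveById`), which must be placed before the CRS rules are loaded, e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. The sample log text is constructed from the post's three entries with the long tag lists shortened; the rule id 10000 used for the generated exclusion rules is an arbitrary placeholder.

```python
import re
from collections import defaultdict

# Constructed sample input: the three audit-log lines quoted in the post, with the
# long [tag ...] lists shortened. Real entries carry the same [key "value"] fields.
SAMPLE_LOG = r'''
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `IP:PORT' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "722"] [id "920350"] [msg "Host header is a numeric IP address"] [data "IP:PORT"] [severity "4"] [ver "OWASP_CRS/3.2.0"] [tag "paranoia-level/1"] [hostname "192.168.22.163"] [uri "/common/js/vue.min.js"] [unique_id "16566542606.086001"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\w/.+-]+$' against variable `REQUEST_HEADERS:Content-Type' (Value: `application/json;' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "901"] [id "920470"] [msg "Illegal Content-Type header"] [data "application/json;"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [tag "paranoia-level/1"] [hostname "192.168.22.163"] [uri "/2fa/getQRCode"] [unique_id "16566557539.331352"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [hostname "192.168.22.163"] [uri "/2fa/getQRCode"] [unique_id "16566557539.331352"]
'''

# Matches the bracketed fields appended to every ModSecurity log entry.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# CRS default anomaly scoring: severity number in the log -> points added.
SEVERITY_POINTS = {"2": 5, "3": 4, "4": 3, "5": 2}
INBOUND_THRESHOLD = 5  # CRS 3.x default tx.inbound_anomaly_score_threshold


def parse_entry(line):
    """Turn one 'ModSecurity: ...' line into a dict; returns None if it has no rule id."""
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line):
        fields[key].append(value)  # 'tag' repeats, so keep every value

    def first(key):
        return fields[key][0] if fields[key] else ""

    if not fields["id"]:
        return None
    return {
        "verdict": "denied" if line.startswith("ModSecurity: Access denied") else "warning",
        "id": first("id"),
        "file": first("file"),
        "line": first("line"),
        "msg": first("msg"),
        "severity": first("severity"),
        "uri": first("uri"),
        "unique_id": first("unique_id"),
        "tags": list(fields["tag"]),
        # Rules in the *-BLOCKING-EVALUATION.conf files decide on the score; they are
        # not the detection rule that caused the false positive.
        "is_evaluator": "BLOCKING-EVALUATION" in first("file"),
    }


def parse_log(text):
    entries = (parse_entry(l) for l in text.splitlines() if l.startswith("ModSecurity:"))
    return [e for e in entries if e]


def transaction_scores(entries):
    """Recompute each transaction's inbound anomaly score from the detection rules
    that fired (evaluator rules add no points of their own)."""
    scores = defaultdict(int)
    for e in entries:
        if not e["is_evaluator"]:
            scores[e["unique_id"]] += SEVERITY_POINTS.get(e["severity"], 0)
    return dict(scores)


def plan_exclusions(entries):
    """Group the detection rules by id and by URI; keep evaluator ids out of the plan."""
    detections = [e for e in entries if not e["is_evaluator"]]
    ids = sorted({e["id"] for e in detections})
    per_uri = defaultdict(set)
    for e in detections:
        per_uri[e["uri"]].add(e["id"])
    return {
        "global_directive": "SecRuleRemoveById " + " ".join(ids),
        "skipped_evaluators": sorted({e["id"] for e in entries if e["is_evaluator"]}),
        "per_uri": {uri: sorted(s) for uri, s in per_uri.items()},
    }


def render_uri_exclusions(plan, first_id=10000):
    """Runtime exclusions scoped to one URI; these belong *before* the CRS rules
    (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). first_id is a placeholder rule id."""
    out = []
    for n, (uri, ids) in enumerate(sorted(plan["per_uri"].items())):
        ctl = ",".join(f"ctl:ruleRemoveById={i}" for i in ids)
        out.append(f'SecRule REQUEST_URI "@beginsWith {uri}" \\\n'
                   f'    "id:{first_id + n},phase:1,pass,nolog,{ctl}"')
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for uid, score in transaction_scores(entries).items():
        print(f"transaction {uid}: inbound score {score} (blocked at >= {INBOUND_THRESHOLD})")
    plan = plan_exclusions(entries)
    print(plan["global_directive"])
    print("left in place (blocking evaluator):", plan["skipped_evaluators"])
    print(render_uri_exclusions(plan))
```

Running it on the sample shows why only the second request got a 403: 920350 is severity 4 (3 points, below the threshold of 5) so the first transaction was logged but allowed, while 920470 is severity 2 (5 points) and tipped the second transaction over the threshold. The generated global line is `SecRuleRemoveById 920350 920470`; 949110 is reported separately so the operator can decide whether disabling all blocking is really what they want.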

Reference: the official ModSecurity Chinese website

ref: How to handle ModSecurity false positives (ModSecurity whitelist), from the "ModSecurity in practice" application series
