Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:understanding_500 [2019/04/03 15:57] Jackson Zhang [Bad PHP Code] |
litespeed_wiki:config:understanding_500 [2019/10/15 13:43] Jackson Zhang [OWASP ModSecurity rule set may trigger 500 when using Imunify360 together] |
||
---|---|---|---|
Line 71: | Line 71: | ||
The correct syntax is the following and it should fix the 500 error for Apache: | The correct syntax is the following and it should fix the 500 error for Apache: | ||
Header always set Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload" | Header always set Strict-Transport-Security: "max-age=63072000; includeSubDomains; preload" | ||
+ | ==== Example 5 ==== | ||
+ | Syntax wrong for the following: | ||
+ | Options All –Indexes | ||
+ | It should be: | ||
+ | Options -Indexes | ||
+ | ==== Example 6 ==== | ||
+ | ''php_value'' and ''php_flag'' are for mod_php handler. Most of the time php-fpm or lsphp will be used and mod_php has been deprecated most of the time. When you use ''php_value'' or ''php_flag'', Apache will return 500 error. However, lsphp supports php override in .htaccess without any problem and there is no 500 error when running LSWS. | ||
+ | |||
===== Different level of Rewrite rules misplaced to the wrong level ===== | ===== Different level of Rewrite rules misplaced to the wrong level ===== | ||
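Review bot: Example 5 never says why "Options All –Indexes" is rejected, and the character before Indexes in that added line is an en dash rather than an ASCII hyphen, so a reader cannot tell whether the fault is the dash or the form of the directive. Apache 2.4 refuses an Options line that mixes keywords with a +/- prefix and keywords without one, so state that reason, use a plain hyphen in both lines, and wrap both directives in '' '' markup as Example 6 does for php_value. In Example 6, "Apache will return 500 error" should carry its condition (mod_php is not loaded), since that is what the preceding sentence is building toward, and "mod_php has been deprecated most of the time" needs rewording.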
Line 259: | Line 267: | ||
</code> | </code> | ||
You can check the example [[https://users.cs.cf.ac.uk/Dave.Marshall/PERL/node196.html|here]]. | You can check the example [[https://users.cs.cf.ac.uk/Dave.Marshall/PERL/node196.html|here]]. | ||
+ | |||
+ | ===== OWASP ModSecurity rule set may trigger 500 when using Imunify360 together ===== | ||
+ | OWASP rule set may conflict with Imunify360 default rule set on a server running LiteSpeed Web Server. Please choose only one mod_security rule set. | ||
+ | |||
+ | For OWASP rulesets, in crs-setup.conf: | ||
+ | SecAction "id:900990, phase:1, nolog, pass, t:none, setvar:tx.crs_setup_version=302" | ||
+ | | ||
+ | in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-901-INITIALIZATION.conf | ||
+ | SecRule &TX:crs_setup_version "@eq 0" "id:901001, phase:1, auditlog, log, deny, status:500, severity:CRITICAL, msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'" | ||
+ | | ||
+ | Imunify360 could break the loading order of the above rule set and lead to "500" errors. | ||
+ | | ||
+ |
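Review bot: The new section quotes rule 900990 and rule 901001 but never says how they relate, and that relation is the whole explanation for the 500. Rule 901001 denies with status:500 whenever tx.crs_setup_version is unset, and the SecAction in crs-setup.conf is what sets it, so crs-setup.conf has to load before REQUEST-901-INITIALIZATION.conf. Say that explicitly ahead of the sentence about Imunify360 breaking the loading order, and note that 901001 carries auditlog and log, so an entry with id 901001 and the "deployed without configuration" message in the ModSecurity log confirms this cause before anyone removes a rule set. The two rule lines should also sit inside <code> blocks as elsewhere on the page, and crs-setup.conf would benefit from a full path like the one given for the 901 file.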