Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
litespeed_wiki:config:understanding_500 [2019/04/08 15:00] Jackson Zhang |
litespeed_wiki:config:understanding_500 [2019/10/16 12:31] Jackson Zhang [OWASP ModSecurity rule set may trigger 500 when using Imunify360 together] |
||
|---|---|---|---|
| Line 76: | Line 76: | ||
| It should be: | It should be: | ||
| Options -Indexes | Options -Indexes | ||
| + | |||
| + | ==== Example 6 ==== | ||
| + | ''php_value'' and ''php_flag'' are for mod_php handler. Most of the time php-fpm or lsphp will be used and mod_php has been deprecated most of the time. When you use ''php_value'' or ''php_flag'', Apache will return 500 error. However, lsphp supports php override in .htaccess without any problem and there is no 500 error when running LSWS. | ||
| ===== Different level of Rewrite rules misplaced to the wrong level ===== | ===== Different level of Rewrite rules misplaced to the wrong level ===== | ||
| Line 264: | Line 267: | ||
| </code> | </code> | ||
| You can check the example [[https://users.cs.cf.ac.uk/Dave.Marshall/PERL/node196.html|here]]. | You can check the example [[https://users.cs.cf.ac.uk/Dave.Marshall/PERL/node196.html|here]]. | ||
| + | |||
| + | ===== OWASP ModSecurity rule set may trigger 500 when using Imunify360 together ===== | ||
| + | If you use LSWS ealier than 5.4.1 build 7, you may see 500 error when both OWASP and Imunify360 used at the same time. LSWS 5.4.1 and above version should have fixed this issue and LiteSpeed user can use both rule sets at the same time. | ||
| + | |||
| + | OWASP rule set may conflict with the Imunify360 default rule set on a server running LiteSpeed Web Server. Please choose only one mod_security rule set. | ||
| + | |||
| + | For OWASP rulesets, in crs-setup.conf: | ||
| + | SecAction "id:900990, phase:1, nolog, pass, t:none, setvar:tx.crs_setup_version=302" | ||
| + | | ||
| + | in /etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-901-INITIALIZATION.conf | ||
| + | SecRule &TX:crs_setup_version "@eq 0" "id:901001, phase:1, auditlog, log, deny, status:500, severity:CRITICAL, msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'" | ||
| + | |||
| + | crs-setup.conf has to be loaded first then the rest of rules including REQUEST-901-INITIALIZATION.conf. | ||
| + | |||
| + | Imunify360 could break the loading order of the above rule set and lead to "500" errors. | ||
| + | | ||
| + | |||