Disable ModSecurity for a domain

In this article I’ll show you how you can disable ModSecurity for a domain on your VPS (Virtual Private Server) or dedicated server. ModSecurity is used to block certain types of web requests that can help prevent you from possible attacks. However certain times a legitmate request could be getting blocked by ModSecurity, so knowing how to disable it is good knowledge.

If you’re on a shared server and experiencing problem with 406 errors caused by ModSecurity you can follow my guide on how to disable ModSecurity via cPanel Modsec Manager.

In order to follow along with this guide, you’ll need to have root access to your VPS or dedicated server so that you can create the required ModSecurity file on the server, and modify the Apache configuration file.

Enable ModSecurity include in httpd.conf

Following the steps below I’ll walk you through how to modify your Apache httpd.conf configuration file so that you can include a ModSecurity rules file for the domain you’d like to disable ModSecurity for.

Login to your server via SSH as the root user.
Make a backup of your Apache configuration with the following command: cp -frp /usr/local/apache/conf/httpd.conf{,-BAK}
Edit your Apache httpd.conf file with the vim editor with this command: vim /usr/local/apache/conf/httpd.conf
Once in vim you can type in a forward slash / to enter search mode, you can then enter in the name of the domain you’d like to disable ModSecurity for and hit Enter to be dropped to that line.You should be at a <VirtualHost entry that looks something like this:
<VirtualHost 123.123.123.123:80> ServerName example.com ServerAlias www.example.com DocumentRoot /home/userna5/public_html ServerAdmin [email protected] UseCanonicalName Off CustomLog /usr/local/apache/domlogs/example.com combined CustomLog /usr/local/apache/domlogs/example.com-bytes_log "%{%s}t %I .n%{%s}t %O ." ## User userna5 # Needed for Cpanel::ApacheConf <IfModule mod_suphp.c> suPHP_UserGroup userna5 userna5 </IfModule> <IfModule !mod_disable_suexec.c> <IfModule !mod_ruid2.c> SuexecUserGroup userna5 userna5 </IfModule> </IfModule> <IfModule mod_ruid2.c> RUidGid userna5 userna5 </IfModule> ScriptAlias /cgi-bin/ /home/userna5/public_html/cgi-bin/ # To customize this VirtualHost use an include file at the following location # Include "/usr/local/apache/conf/userdata/std/2/userna5/example.com/*.conf" </VirtualHost>

You’ll want to un-comment the Include line by removing the pound # symbol from the beginning of the line at the bottom. You can do this by navigating with the arrow keys till your cursor is over the # symbol, then just hit Delete on your keyboard:
# Include "/usr/local/apache/conf/userdata/std/2/userna5/example.com/*.conf"
So it should end up looking like this:
Include "/usr/local/apache/conf/userdata/std/2/userna5/example.com/*.conf"
Now to save the file, simply hold down Shift and hit ZZ on the keyboard, you should get this confirmation:
"/usr/local/apache/conf/httpd.conf" 785L, 30554C written
Finally run the cPanel Apache configuration distiller, to ensure your includes remain after future cPanel updates:
/usr/local/cpanel/bin/apache_conf_distiller --update
After running that you should get back:
info [apache_conf_distiller] 'local' datastore in use (/var/cpanel/conf/apache/local) Distilled successfully

Create ModSecurity configuration file

Now that you’ve setup Apache to include a ModSecurity configuration file, you’ll next want to create the appropriate directory and file that it’s trying to load. Following the steps below I’ll show you how to accomplish this.

Run the following command to create the directory where we’ll be placing our ModSecurity configuration file:
mkdir -p /usr/local/apache/conf/userdata/std/2/userna5/example.com/
Next use the following rule to create a ModSecurity configuration file with the SecRuleEngine option set to Off which disables ModSecurity completely for the domain:
echo "SecRuleEngine Off" > /usr/local/apache/conf/userdata/std/2/userna5/example.com/modsec.conf
Finally to make the new ModSecurity configuration file active, you need to restart the Apache service gracefully with the following command:
service httpd graceful
Now that Apache has been gracefully restarted the new ModSecurity configuration settings should be getting loaded, and in this case ModSecurity is completely disabled for our example.com domain now.

You should now understand how to completely disable ModSecurity for a domain on your VPS or dedicated server. If you wanted to leave ModSecurity enabled, but only wanted to disable certain ModSecurity rules that are getting triggered, then you can read my guide on how to find and disable specific ModSecurity rules.

Share this Article

4 thoughts on “Disable ModSecurity for a domain”

This info seems at least partially out of date. At least on my VPS account there are no “distiller” scripts anymore and the more recent cPanel docs recommend using this script:

/usr/local/cpanel/scripts/rebuildhttpdconf

The script they use in their example for restarting apache is this:

/usr/local/cpanel/scripts/restartsrv_httpd

also for those that dont regularly edit apache virtual hosts remember that you will have a separate entry in the file for the ssl and non-ssl versions of the site and you must edit both to do the include.

There is more info on the cPanel support site here: https://support.cpanel.net/hc/en-us/articles/360052925073

Once I followed that I was able to get this working.

John-Paul Briones says:

February 20, 2023 at 9:05 am

Thank you for sharing, we will review this guide and update the scripts as needed.

Comments are closed.

Need More Help?