• Resolved prtksng

    (@prtksng)


    Hello,

    After the installation of ModSecurity on my server, I set SecServerSignature to ” ” in the security2.conf file (created by ModSecurity during installation) as recommended, which means my web server software (apache/nginx/etc) would be undetectable and won’t be visible to the public. It’s a good security measure. Of not much value and ability though.

    However, the w3tc compatibility check is detecting URL Rewrite to be disabled, and removing the mentioned rule from security2.conf puts it back as enabled for the compatibility check.

    Does adding this rule actually interrupt w3tc’s ability to use URL Rewrite, or is it just because of the plugin’s inability to detect the server software due to this new rule added and consequently URL Rewrite’s status?

    Currently, the rule is not there in the file and URL Rewrite is showing enabled. But, I’d want to add it if it doesn’t compromise the stable and uninterrupted functioning of the plugin after your response.

    Do you think it actually stops w3tc from using URL Rewrite?

    One more thing, in the install tab, the .htaccess rules for w3tc are not there but come back after removing the SecServerSignature rule.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @prtksng

    Thank you for your inquiry and I am happy to answer this.
    Not detected means you don’t use mod_php mode, so you probably use php-fpm. We cannot detect Apache modules in that case, but that doesn’t mean it is not installed/active.
    So you can continue using it and the rewrite will continue to work of course.
    Thanks!

    Thread Starter prtksng

    (@prtksng)

    Yes, I use php-fpm. But the URL Rewrite does not show not-detected. It shows disabled.
    And when I remove the rule from security2.conf, it shows enabled again.
    It means w3tc plugin is able to detect the URL Rewrite even with php-fpm.
    But why does it show disabled when the rule is added in security2.conf? Does it actually disable URL Rewrite?

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @prtksng

    Thank you for the information and sorry I misunderstood your question.
    It appears that it disables the URL rewrite. W3 Total Cache checks if the URL rewrite is enabled as a WordPress Resource.
    If the URL rewrite is disabled after the code is added, it means that you should whitelist the rewrite rules.
    This is not specifically related to W3 Total Cache but with core wp rewrite.
    Thanks!

    Thread Starter prtksng

    (@prtksng)

    Alright @vmarko
    Thanks a lot for the help.
    I’d try to find a workaround.

  • The topic ‘Regarding URL Rewrite & ModSecurity SecServerSignature’ is closed to new replies.