如何在.htaccess中禁用mod

本文介绍了如何在.htaccess中禁用mod_security和mod_security2的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我创建了一个Wordpress插件，该插件很受欢迎，但是我收到很多抱怨，称它不起作用。登录许多用户的WP网站后（询问管理员密码后），我注意到我无法轻易解决的最后一个问题是mod_security和mod_security2阻止了一些AJAX请求或.htaccess，这在某些配置上导致500错误。

I've created a Wordpress plugin which became popular but I'm getting lots of complaints that it's not working. After logging in to many user's WP websites(after asking for admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests or .htaccess which is causing 500 error on some configurations.

首先，为什么这段代码会导致某些服务器返回500错误

So first of all why is this piece of code causing some servers to return 500 error

<IfModule mod_security2.c> SecRuleRemoveById 300015 SecRuleRemoveById 300016 SecRuleRemoveById 300017 SecRuleRemoveById 950907 SecRuleRemoveById 950005 SecRuleRemoveById 950006 SecRuleRemoveById 960008 SecRuleRemoveById 960011 SecRuleRemoveById 960904 SecRuleRemoveById phpids-17 SecRuleRemoveById phpids-20 SecRuleRemoveById phpids-21 SecRuleRemoveById phpids-30 SecRuleRemoveById phpids-61

在其他服务器上通过id删除规则会导致500错误：

on other servers removing rules by id this way is causing 500 error:

<IfModule mod_security.c> SecRuleRemoveById 300015 ... SecRuleRemoveById phpids-61 </IfModule>

因此，目前唯一不会导致任何服务器崩溃的工作是

so for now the only working thing which is not causing any server to crash is

<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>

但是对于具有mod_security2的服务器来说还不够！

but it's not enough for servers with mod_security2 !

如何编写跨服务器.htaccess文件，我应该添加哪些IF条件以在任何适用的位置禁用mod_security和mod_security2并且在其他配置上不会引起500错误？

How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?

编辑：不仅在Apache中。在任何使用.htaccess的地方。

Not only in Apache. Anywhere where .htaccess is used.

推荐答案

显示告诉联系服务器管理员的消息将是最后要做的事情。首先，我将尝试使用以下解决方案之一来自动创建配置：

Displaying a message telling to contact server administrator will be the last thing to do. First of all I'll try one of this solutions for automatic config creation:

在子文件夹中创建2-3个沙盒化的.htaccess配置

Create 2-3 sandboxed .htaccess configs in subfolders

在插件激活测试过程中，使用模拟的远程AJAX测试逐一配置

从最佳常规设置子文件夹开始

在此文件夹中检查AJAX代理脚本调用以及图像，样式等文件的访问权限

找到成功（取消阻止且不崩溃）的配置后，保存选定的.htaccess文件到包含AJAX代理PHP文件的文件夹中

如果所有配置（或内置的wordpress AJAX脚本-不太可靠）都无法正常运行，则会显示错误，提示您联系服务器管理员以允许htaccess对于给定的文件夹

During plugin activation test configs one by one with simulated remote AJAX test

Start from the best general settings config subfolder

Check for AJAX proxy script calls and image, style etc. files access in this folder

After finding successful(unblocking and not crashing) config, save selected .htaccess file to the folder containing AJAX proxy PHP file

If none of the configs (or built-in wordpress AJAX script - not very reliable) is functional display an error telling to contact server admin to allow htaccess for given folder

OR

检查仅当使用mod_security2来防止基本mod_security崩溃时，才使用PHP加载的模块

添加SecRuleRemoveById id