Testing with Apache mod_security
Posted: Sun Jan 13, 2013 1:38 pm
There's a new development in the world of PHP that's making life extremely tough for PHP developers. It's called Apache mod_security and it has bugs where it creates a lot of false positives. What will happen is your PHP will suddenly 404 or 403 without a clear understanding of what's wrong. If you've never heard of mod_security, then those 404 or 403 errors would throw you for a loop like they did me for a couple of weeks until HG tech support explained what's going on. This thing is super hard to install in my opinion on Linux, and unfortunately HostGator and a few other shared hosting plans are installing this.
I have Ubuntu Linux Desktop 10.04 LTS and I need to start getting used to Apache mod_security. I need to know how to install and configure it properly so that I can test all my PHP applications I code against it, and then if there's a false positive going on, I need to figure out what's the workaround or submit the false positive report to the mod_security team so that they can fix their rules.
I understand the premise of Apache mod_security, but the trouble is that so far its implementation seems clumsy to me with all its false positives. In fact, the guys who make WordPress are active on the mod_security mailing list, reporting all the false positives so that at least WordPress doesn't go nuts.
How do I properly install and configure Apache mod_security on Ubuntu Linux Desktop 10.04 LTS?
How do I troubleshoot to know what rule number it might be triggering on a false positive?
Have you been able to do any .htaccess tricks on HostGator shared hosting to completely turn off Apache mod_security?