This is now the 2nd time that this has happened: I have added exclusions to the appropriate place, saved, and restarted Apache. I cleared any Joomla cache and browser cache, did the same operation and still got dropped. When I check the logs, it’s dropping me for the rule I added to the exclusion list earlier.
The only workaround I have is to disable CWAF, do the change/update, save, then reactivate it again.
Is anyone else having issues with exclusion manager not excluding the rules?
Installed the new install script this morning. The exclusion list entries didn’t get wiped, BUT it doesn’t exclude the rules entered. For example, I have the following in the exclusion list:
But when you check the logs you still see WAF processing the rule rather than excluding it.
xxx.xxx.xxx.xxx 211528 [24/Jan/2014:14:12:01 +1300]
Match of "rx ://%{SERVER_NAME}/" against "REQUEST_URI:/url/" required. [file "/var/cpanel/cwaf/rules/cwaf_01.conf"] [line "6610"] [id "211528"] [msg "COMODO WAF: Blocking remote inclusion in arguments"] [data "/administrator/index.php?option=com_installer&view=install"] [severity "CRITICAL"]
Now the 211528 rule is a real pain in the ■■■■…it drops Joomla when you try to save any changes to the global config. On a fresh install, when you try to activate the “Install from Web” tab, it bombs out. After disabling then reactivating CWAF to activate this in Joomla, I try installing JCK plus several other modules/plugins; every time you click the “Install” button CWAF bombs Joomla, making it a real pain to install anything.
Why isn’t the exclusion manager working properly?
Can you remove the rule 211528 for now so at least Joomla becomes workable again, or sort the rule so it stops bombing Joomla out?
EDIT
I have: Include /usr/local/apache/conf/modsec2.whitelist.conf in my modsec2.usr.conf. I’ve added the 211528 to that, saved and restarted http, yet it still doesn’t exclude that rule; Joomla still gets 403’s. So basically if I try to exclude a list via CWAF Exclusion manager or the whitelist it doesn’t
If you have used our installation script, your current configuration is not included in your “modsec2.usr.conf”, so your “modsec2.whitelist.conf” doesn’t work.
The install script makes a backup and creates a new mod_security configuration file, /usr/local/apache/conf/modsec2.conf
So, first you may look at this file and see its includes. If you didn’t change it manually, it should have only one include:
Include "/var/cpanel/cwaf/etc/cwaf.conf"
Then you may look at /var/cpanel/cwaf/etc/cwaf.conf. If you didn’t change it manually, it should have:
Include /var/cpanel/cwaf/rules/*.conf
Include /var/cpanel/cwaf/etc/httpd/global/*.conf
Standard cpanel install with no change to any of your installation scripts or configs…the only thing that changed PRIOR to my initial install of CWAF was the call to the ASL Delay rules folder
The exclude file does not exist in that folder as it hasn’t been created in the installation, the zzz_exclude_global.conf can be found in: /var/cpanel/cwaf/etc/httpd/global
So which path is correct? I have already mentioned where this file resides in other posts. If I change the path to /var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf, then save, I get an error message stating it cannot find the conf file !!!
All I know is that whatever rules I add to the exclusion list, they are not being read and those rules are still being processed by modsec and causing 403’s, making Joomla a pain in the ■■■■ to use.
You don’t need to change the path to the exclude list, because it’s specified as a relative path, so “etc/httpd/global/zzz_exclude_global.conf” is the correct path. The full path is really “/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf”
Please restore the default path to the exclude list to: “etc/httpd/global/zzz_exclude_global.conf”. Then try to edit the exclude list through the plugin in this way:
I figured out the path was relative (silly me), have modified the CWAF Exclusion list manager with the additional <LocationMatch .*>, plus added Include "/usr/local/apache/conf/modsec2.user.conf" to the modsec2.conf, and all seems to be working fine now…thank you very much
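The include chain described in the support reply can be checked mechanically. The following is an added example, not part of the thread and not Comodo's code: it follows `Include` directives from `modsec2.conf` and lists every file Apache would read, run here against a constructed sandbox copy of the paths named in the thread. `loaded_files`, `build_sandbox` and the `root` prefix are hypothetical names, and only absolute Include paths are assumed.

```python
import glob
import pathlib
import re
import tempfile

# Apache Include / IncludeOptional directive; the path may be quoted.
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)
MAIN = "/usr/local/apache/conf/modsec2.conf"
USER_CONF = "/usr/local/apache/conf/modsec2.user.conf"
WHITELIST = "/usr/local/apache/conf/modsec2.whitelist.conf"
CWAF_CONF = "/var/cpanel/cwaf/etc/cwaf.conf"
RULES = "/var/cpanel/cwaf/rules/cwaf_01.conf"
EXCLUDES = "/var/cpanel/cwaf/etc/httpd/global/zzz_exclude_global.conf"

def loaded_files(entry, root="", seen=None):
    """Return the files Apache reads when it loads `entry`, in load order."""
    # `root` is a sandbox prefix for offline runs (assumption); leave it empty
    # on a server. Only absolute Include paths, as in the thread, are followed.
    seen = [] if seen is None else seen
    if entry in seen or not pathlib.Path(root + entry).is_file():
        return seen
    seen.append(entry)
    for line in pathlib.Path(root + entry).read_text(errors="replace").splitlines():
        match = INCLUDE_RE.match(line)
        if match:
            # Wildcard includes are expanded in alphabetical order.
            for hit in sorted(glob.glob(root + match.group(1))):
                loaded_files(hit[len(root):], root, seen)
    return seen

def build_sandbox(include_user_conf):
    """Write a constructed copy of the thread's file layout to a temp dir."""
    root = tempfile.mkdtemp()
    main = 'Include "%s"\n' % CWAF_CONF
    if include_user_conf:  # the change reported in the last post
        main += 'Include "%s"\n' % USER_CONF
    files = {
        MAIN: main,
        CWAF_CONF: "Include /var/cpanel/cwaf/rules/*.conf\n"
                   "Include /var/cpanel/cwaf/etc/httpd/global/*.conf\n",
        USER_CONF: "Include %s\n" % WHITELIST,
        WHITELIST: "# constructed placeholder\n",
        RULES: "# constructed placeholder\n",
        EXCLUDES: "# constructed placeholder\n",
    }
    for path, body in files.items():
        pathlib.Path(root + path).parent.mkdir(parents=True, exist_ok=True)
        pathlib.Path(root + path).write_text(body)
    return root
```

On a server, `loaded_files("/usr/local/apache/conf/modsec2.conf")` with the default empty `root` lists what is actually loaded; a whitelist file missing from that list is never read by mod_security.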