Disable domains - not working


This is not the first time I have seen that disable domains are not working so I want to report it.
The server I’m on now is using your WHM plugin, Cloudlinux/cPanel/Litespeed 5.0.13 version.

Is this something you could check and fix in the next agent release?

We will check this issue and get back here…


Please, check, if there is a file /var/cpanel/cwaf/etc/httpd/domains/000_exclude_domain.name:port_number.conf or not.

We have experienced the same issue, running the same server, Litespeed, Cloudlinux with the following rules:

Current rules version: 1.39 Rules
CWAF plugin version: 2.16 (Latest version)
Web Platform: LiteSpeed
LiteSpeed version: 5.0.13 Enterprise
Mod_security compatible: yes
Mod_security loaded: yes

I have replaced the actual domain with domain.co.za and the IP address with xx.xx.xx.xx. The file that you mentioned, does exist, and it appears in my list of blocked domains:

./cwaf-cli.pl -dl
list of disabled domains:

The account still gets flagged:

[Sat Feb 27 11:13:56 2016] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 403, [Rule: 'ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:/content/|!ARGS:/description/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:html_message|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/' '(?i:[\"'].{0,}?[,].{0,}(((v|(\\\\u0076)|(\\166)|(\\x76))[^a-z0-9]{0,}(a|(\\\\u0061)|(\\141)|(\\x61))[^a-z0-9]{0,}(l|(\\\\u006C)|(\\154)|(\\x6C))[^a-z0-9]{0,}(u|(\\\\u0075)|(\\165)|(\\x75))[^a-z0-9]{0,}(e|(\\\\u0065)|(\\145)|(\\x65))[^a-z0-9]{0,}(O|(\\\\u004F)|(\\117)|(\\x4F))[^a-z0-9]{0,}(f|(\\\\u0066)|(\\146)|(\\x66)))|((t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(o|(\\\\u006F)|(\\157)|(\\x6F))[^a-z0-9]{0,}(S|(\\\\u0053)|(\\123)|(\\x53))[^a-z0-9]{0,}(t|(\\\\u0074)|(\\164)|(\\x74))[^a-z0-9]{0,}(r|(\\\\u0072)|(\\162)|(\\x72))[^a-z0-9]{0,}(i|(\\\\u0069)|(\\151)|(\\x69))[^a-z0-9]{0,}(n|(\\\\u006E)|(\\156)|(\\x6E))[^a-z0-9]{0,}(g|(\\\\u0067)|(\\147)|(\\x67)))).{0,}?:)'] [id "213020"] [msg "COMODO WAF: IE XSS Filters - Attack Detected."]
2016-02-27 11:13:56.363 [NOTICE] [xx.xx.xx.xx:63146] Content len: 16702, Request line: 'POST /includes/create/save-campaign.php?i=38 HTTP/1.1'
2016-02-27 11:13:56.363 [INFO] [xx.xx.xx.xx:63146] Cookie len: 197, PHPSESSID=f11f60bae735be4af77b8654201b59c4; logged_in=b03d45fef0a905f0bd89bc12c442915aa1a1b4a5293e043b81e1e7e28ee501136378bb131ad7fa7d44740e915e627d4aa4de13e655c4e2a6c3e3d1b3622d2a4d; version=2.0.7

This occurred while the user was posting a new campaign in his Email Marketing software using Sendy. We keep having to whitelist Comodo rules as they trigger due to some word or phrase that gets used in his campaign.


Yes, files are there. Both for subdomain and main domain.
But still we had to disable the rule on the whole server :frowning:


We reproduced this issue on our server and found that when virtual domain is managed by Apache domain exclude works,
but when we turned to LiteSpeed it doesn’t.

So we need to be consulted with cPanel or LiteSpeed support.

Ok, great.
So you will contact them and get this fixed?

I made a topic:

Please, check it. Am I right or made some mistakes in definitions?

Seems right and they did respond to you:

Add vhost include file, then add SecRuleEngine Off

Is this something you can get fixed for your Litespeed rule/agent so we can disable/enable domains?

Would really appriciate a fix for this since there are so many false positives on LiteSpeed rules that we currently cannot use CWAF on LiteSpeed.
So therefore it would be great to be able to disable rules on domains from customers that are having issues.

I also recommend that you setup a LiteSpeed test server and fix all the false positives. Or if you need you can get access to one of my servers and fix them once and for all!

TDmitry: Any update on LiteSpeed? I’m on skype if I can help you with something in order to get a solution on this problem.

Logically all CWAF rules are fine and domain exclusion should work on LS, but due to LS’s internal limitations it doesn’t work. Currently we have no plans to fix LiteSpeed’s ModSecurity limited support. But “cWatch Web Application Security” should solve this issue, so watch for news.

OK. But those disable domain work if you add CWAF as vendor in WHM?
I think OWASP rules provided by cPanel does work with LS. So then your rules should too?

COMODO WAF rules also works in LS. Your question isn’t clear for me.

Sorry for that.
I mean is it possible to disable a domain if we use your rules as a vendor in WHM and not use your CWAF plugin?

The same thing happens in WHM operating on LiteSpeed.


aren’t processed correctly so you can’t disable domains on LiteSpeed using WHM.

You can use pure Apache Web Server to achieve your goal.