Exclude IP addresses from rules checking (bypass)

Dear support,
Thank you for creating a nice product. You are the best. I have one question. Is there a possibility to exclude several IPs from threat checking? Or even to exclude a rule? I use NGINX with mod_security and Comodo rules. I’ve used the Memberium plugin for WordPress, and sometimes IP addresses from the Memberium plugin servers were blocked. I see that in audit_log. I will also file a False Positive bug report in a separate thread. Thanks guys and have a nice day!

On Apache, what I do is whitelist the IP addresses I don’t want ModSecurity to block on the firewall itself; that way I can continue to use all the CWAF rules (and test them if I need to) without getting my own or other IP addresses blocked.

Using CWAF on Apache without a plugin and with the included scripts, I can disable rules, groups, or categories of rules, but not whitelist IPs unless I write a custom rule.

Once you have CWAF installed, you can run the following command from a terminal to see what your options are:


<your path to cwaf>/cwaf/scripts/cwaf-cli.pl -h

A lot of thanks linux4me for this info! I use NGINX with the mod_security module. I guess the link for write a custom rule will help me. :rocks:

Unfortunately, the custom rule sample at write a custom rule contains an error: SecRule REMOTE_ADDR "^192.168.50.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900 gave me "Line: 1. Column: 90. Expecting an action, got: ,log,allow,ctl:ruleEngine=Off,id:999900" in the log. I really don’t have experience with rule creation. Maybe you know how to find info about that? I’ve even found a special file, userdata_wl_IPs, in the rules pack, but it looks like this file has lower priority than the main rules. Thanks in advance.

I’m not an expert, but I just tested that rule on my Apache server:


SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999900

and it didn’t give any syntax errors.

Maybe it’s different for NGINX? I did a little googling and didn’t find anything specific to ModSecurity and NGINX with whitelisting IPs. The ModSecurity docs suggest a slightly different approach:


SecRule REMOTE_ADDR "@IPMatch 1.2.3.4" "id:1,ctl:ruleEngine=Off"

The main differences are that they’re using "IPMatch" instead of a regular expression, and they’re not logging, which makes sense. Note that when you add custom rules, you need to use a unique "id" for the rule. That’s why Oleg used "999900" for his, and the ModSecurity example uses "1". You’ll need to use something that is unique to your installation. I think all the CWAF rules are in the 2xxxxx range.

If you’re going to try to learn this stuff, you will find the ModSecurity Documentation site really helpful to decipher all the elements of a command.

Looks like you are using ModSecurity 3 and nginx; there are some syntax differences, and not all ModSecurity directives are supported.

The

ctl:ruleEngine=Off

is unnecessary


SecRule REMOTE_ADDR "^192\.168\.50\.1$" "phase:1,log,allow,id:999900"

should work without errors.

Dear Cwaf_Team,
Excuse me for the last response; yes, I’m really using ModSecurity 3 and nginx.

Your correction, SecRule REMOTE_ADDR "^172.18.0.1$" "phase:1,log,allow,id:999900", did not show any errors in the nginx error.log, but I still get a 403 response when I request, for example:

http://localhost/wp-config.bak

In the error.log I see:

[client 172.18.0.1] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `PmFromFile' with parameter `bl_URLs' against variable `REQUEST_URI' (Value: `/wp-config.bak' ) [file "/etc/nginx/modsec/rules/02_Global_Generic.conf"] [line "136"] [id "210492"] [rev "3"] [msg ""] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "CWAF"] [tag "Generic"] [hostname "172.18.0.2"] [uri "/wp-config.bak"] [unique_id "1600082137"] [ref "o1,13v4,14"], client: 172.18.0.1, server: localhost, request: "GET /wp-config.bak HTTP/1.1", host: "localhost"

Looks like there are 2 possibilities:

  1. My custom rule doesn’t work as expected.
  2. The CWAF rules have higher priority than my custom rule.

It looks like I’ve figured out how it works. Previously I had:

  1. Created Custom_User_Rules.conf with the rule SecRule REMOTE_ADDR "^172.18.0.1$" "phase:1,log,allow,id:999900"
  2. Added the line "Include Custom_User_Rules.conf" at the end of the file rules.conf.main.

But I noticed that in error.log the match "Operator `PmFromFile' with parameter `bl_URLs' against variable ..." came from 02_Global_Generic.conf.

So, I just added the rule SecRule REMOTE_ADDR "^172.18.0.1$" "phase:1,log,allow,id:999900" to 02_Global_Generic.conf and it works for me. I don’t see the 403 response anymore. A lot of thanks Cwaf_Team!!!

I naively thought that the file I created with my rule would exclude the IP from validation by all rules. Unfortunately, this is not the case. Perhaps it is possible to exclude the IP address from all checks by specifying it in one place? Thanks!

You should include your custom rule file before the file 02_Global_Generic.conf.
Rules in phase:1 are processed first from the CWAF files, and only after that from your custom file.
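Putting linux4me’s two points (use @ipMatch rather than a regex, and pick an id outside the CWAF 2xxxxx range) together with the Cwaf_Team’s ordering answer, the following is an added example of the two files involved; it is not CWAF’s own configuration. The directory /etc/nginx/modsec/rules/ and the file names come from the thread, 172.18.0.1 is the client address from the error.log above, 203.0.113.0/24 is a constructed placeholder for a block of trusted plugin-server addresses, and the rules.conf.main excerpt shows only the two lines whose order matters.

```apache
# ---- file: /etc/nginx/modsec/rules/Custom_User_Rules.conf ----
# (added example, not a CWAF file; 203.0.113.0/24 is a constructed placeholder)
#
# One rule whitelists every trusted source address. @ipMatch takes a
# comma-separated list of addresses and CIDR ranges and compares the real
# address, so there is no regex to escape (an unescaped "." in "^172.18.0.1$"
# matches any character). "allow" stops rule processing for the transaction
# as soon as it matches; "log" keeps every bypassed request visible in the
# audit log so the whitelist itself can be reviewed. The id must not collide
# with the CWAF rules, which use the 2xxxxx range (the blocking rule above
# is id 210492).
SecRule REMOTE_ADDR "@ipMatch 172.18.0.1,203.0.113.0/24" "id:999900,phase:1,allow,log,msg:'Trusted source address, WAF rules skipped'"

# ---- file: rules.conf.main (illustrative excerpt; only the order matters) ----
#
# Include order is evaluation order within a phase. With the custom file
# included last, the phase:1 rule at 02_Global_Generic.conf line 136
# (id 210492, operator PmFromFile against bl_URLs) fires first and returns
# 403 before the whitelist rule is ever reached. Including the custom file
# first means its "allow" runs before any CWAF rule sees the request.
Include /etc/nginx/modsec/rules/Custom_User_Rules.conf
Include /etc/nginx/modsec/rules/02_Global_Generic.conf
```

On ModSecurity 3 the action list must be quoted as shown; the unquoted form from the sample page is what produced the "Expecting an action" parse error earlier in the thread. After reloading nginx, the check is the same request the thread used (http://localhost/wp-config.bak from 172.18.0.1): error.log should no longer contain "Access denied with code 403" for that client, and the audit log should record a match on id 999900 instead. Requests from any address not in the list still hit rule 210492 exactly as before, which is the behaviour to confirm so that the whitelist has not silently widened.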

Dear Cwaf_Team,

Great, it really works for me. Absolutely professional and logical answer. A lot of thanks! The issue has been resolved; I guess the topic can be closed. :BNC :love: