Whitelist IP in mod security
Contents
How to Whitelist IP in Mod_security
ModSecurity, often called ModSec or mod_security, is a web application firewall (WAF) designed for real-time monitoring, logging, and controlling access to web applications (source: modsecurity.org). In simple terms, it actively detects and prevents malicious activities targeting the system. However, legitimate actions can sometimes unintentionally trigger these security rules, causing an IP to be blocked. This can disrupt access for you or your developer until the block is lifted. A common solution to prevent such interruptions is whitelisting, which allows specific IP addresses to bypass ModSecurity's restrictions and access the server without interference.
Whitelist by IP in ModSecurity
Basic rule for whitelisting an ip address in mod_security is:
SecRule REMOTE_ADDR "@ipMatch <IP>" "<actions>"
Components:
- SecRule: Defines a rule for ModSecurity to evaluate.
- REMOTE_ADDR: Matches the client's IP address.
- @ipMatch: Operator used to check if the request's IP matches the specified value(s).
- <IP>: Specific IP address to match.
Actions:
- phase:1: The rule is applied during the request's first processing phase.
- id:<number>: A unique identifier for the rule.
- nolog: Prevents logging of requests matching the rule.
- allow: Allows the request to bypass the usual security rules.
- ctl:ruleEngine=Off: Disables the ModSecurity rule engine for requests matching this rule.
Full example of whitelisting an ip address for mod_security:
SecRule REMOTE_ADDR "@ipMatch 111.111.111.110" "phase:1,id:200000001,nolog,allow,ctl:ruleEngine=Off" SecRule REMOTE_ADDR "@ipMatch 111.111.111.109" "phase:1,id:200000002,nolog,allow,ctl:ruleEngine=Off"
Practical Use Case:
- Whitelisting: These rules are often used to whitelist trusted IPs, such as internal systems, monitoring tools, or API clients that require unrestricted access to the server.
- Performance Optimization: Turning off ModSecurity for trusted IPs reduces overhead for requests from these sources.