Disable modsecurity For a Specific Directory

Solution 1:

SecRuleEngine Off must work . Have you tried to put SecRuleEngine inside Directory:

<Directory /var/www/site/phpMA>
SecRuleEngine Off
</Directory>

instead of LocationMatch ?

Solution 2:

On some servers and web hosts, it's possible to disable ModSecurity via .htaccess, but only in its entirety (not individual rules).

To limit this to specific URLs you can specify a regex in the <If> statement below...

### DISABLE mod_security firewall
### Some rules are currently too strict and are blocking legitimate users
### We only disable it for URLs that contain the regex below
### The regex below should be placed between "m#" and "#" 
### (this syntax is required when the string contains forward slashes)
<IfModule mod_security.c>
  <If "%{REQUEST_URI} =~ m#/admin/#">
    SecFilterEngine Off
    SecFilterScanPOST Off
  </If>
</IfModule>

---

Solution 3:

Never disable all rules !! This could cause serious security issues !

You need to check the logfile of modsecurity with

tail -f /var/log/apache2/modsec_audit.log

and exclude each rule one by one reproducing the errors on the phpmyadmin interface.

Next, add :

<Directory /path/to/phpmyadmin>
    <IfModule security2_module>
        SecRuleRemoveByTag "WEB_ATTACK/SQL_INJECTION"
        {And other rules you need to disable ...}
    </IfModule>
</Directory>

to /etc/apache2/mods-enabled/modsecurity.conf

The tag you need to remove will be in the log file like this. For a full description of removing rules for a particular folder, see the Github wiki of the project.