[TYPO3-english] typo3 problem caused by mod_security

J. Bakshi joydeep at infoservices.in
Thu Jan 7 10:22:05 CET 2010


J. Bakshi wrote:
> Xavier Perseguers wrote:
>   
>> Hi জয়দীপ বক্সী,
>>
>>     
>>> Is anyone using typo3 along with apache mod_security? I have installed
>>> and activated mod_security in a development server powered by debian
>>>       
>> Yes! But...
>>
>>     
>>> [...]
>>> Are there any rule sets which can allow
>>> typo3 to work well with it?
>>>       
>> http://typo3.org/waf.txt
>>
>> There's a dedicated mailing list for this project (typo3.projects.waf)
>> although I must admit I sent a message in a few days 1 year ago and it
>> got no answer ;-) Meaning, English seems the most appropriate list
>> anyway.
>>
>> Frankly speaking, as the waf.txt file is not maintained, I suggest you
>> simply deactivate ModSecurity for /typo3.
>>
>> If you wish to start updating waf.txt anyway (this would be really
>> great btw), just do it and get in touch with me (email) with your
>> changes, I'll be happy to review them and will see with other core
>> members to make sure this project gets "resurrected".
>>
>> Greets
>>
>>     
>
> Hello,
>
> Thanks a lot for your response and many many thanks for the link. I'll
> give it a try definitely.
> And yes I'll be happy too if the project will be activated again.
>
> Wish you a nice day.
>
>
>   

Hello Xavier,

Some feedback....

I prefer to include additional configuration in apache.conf with the Include
directive. I have done the same here:

```
# typo3 exception for mod_security
Include /etc/apache2/typo3_modsecurity.exception
```

but found that pages can't be moved, as /typo3/move.php is triggering
mod_security. I have rewritten the /typo3 exclusion as

```
# Don't scan typo3 directory #
##############################
<Directory /typo3>
    SecRuleEngine Off
</Directory>
```

And now it is working fine. So <Directory> should be used in place of
<Location> when the configuration is called by Include.

I hope waf.txt will be modified to have more fine-tuned rule sets.

-- 
জয়দীপ বক্সী
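
An added example, not part of the original message or of waf.txt: a narrower alternative to switching the rule engine off for the whole backend, shown beside the broad exclusion. It assumes ModSecurity 2.x (the version that provides the `SecRuleEngine` directive used in the post) and a hypothetical DocumentRoot of `/var/www/site`.

```apache
# Added example. Assumptions: ModSecurity 2.x, DocumentRoot /var/www/site
# (hypothetical path), file pulled in with Include as in the post.

# Option A (broad): the engine is off for the whole backend directory.
# <Directory> matches filesystem paths, so the DocumentRoot prefix is
# part of the path.
#<Directory /var/www/site/typo3>
#    SecRuleEngine Off
#</Directory>

# Option B (narrower): rules stay enforced for the backend as a whole.
# Only the script reported as blocked is relaxed, and matches are still
# written to the audit log instead of being dropped silently.
# <Location> matches URL paths, so no DocumentRoot prefix here.
<IfModule mod_security2.c>
    <Location /typo3/move.php>
        SecRuleEngine DetectionOnly
    </Location>
</IfModule>

# Option C (narrowest): once the audit log shows which rule fires on
# move.php, enforce again and drop only that rule for this URL.
# 999999 is a placeholder id, not a real rule from any rule set.
#<IfModule mod_security2.c>
#    <Location /typo3/move.php>
#        SecRuleEngine On
#        SecRuleRemoveById 999999
#    </Location>
#</IfModule>
```

Run `apache2ctl configtest` after editing the included file and before reloading Apache.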


