# enable mod_security SecRuleEngine On # access to request bodies SecRequestBodyAccess On #SecRequestBodyLimit 134217728 #SecRequestBodyInMemoryLimit 131072 # access to response bodies SecResponseBodyAccess Off #SecResponseBodyLimit 524288 SecResponseBodyMimeType (null) text/html text/plain text/xml #SecServerSignature "Apache/2.2.0 (Fedora)" SecUploadDir /tmp SecUploadKeepFiles Off # default action SecDefaultAction "log,auditlog,deny,status:406,phase:2" SecAuditEngine Off #SecAuditLogRelevantStatus "^[45]" # use only one log file SecAuditLogType Serial # audit log file SecAuditLog /var/log/apache2/modsec_audit.log # what is logged SecAuditLogParts "ABIFHZ" #SecArgumentSeparator "&" SecCookieFormat 0 SecDebugLog /var/log/apache2/modsec_debug.log SecDebugLogLevel 0 SecDataDir /tmp SecTmpDir /tmp ######### # RULES ######### # Removed because it does not play well with apache-itk # Can be removed when modsecurity 2.9.3 hits debian # See https://github.com/SpiderLabs/ModSecurity/issues/712 SecRuleRemoveById "910000-910999"