# ModSecurity
ModSecurity (opens new window) can be enabled/disabled on Apache and Nginx web servers in your Enhance cluster. Once enabled all website with their application role placed on that server can enable ModSecurity on a per domain basis.
The OWASP® ModSecurity Core Rule Set (CRS) are applied by default and custom configurations can be made on a per server basis. It is also possible to manually update the OWASP versions through the Enhance panel.
# Enabling ModSecurity on a webserver
WARNING
ModSecurity can only be enabled on Apache and Nginx web servers. Once enabled ModSecurity is enabled by default on all domains.
To enable ModSecurity on a web server:
- Open Servers in the left sidebar
- Select the server you would like to enable ModSecurity on (this must be Apache or Nginx)
- On the server management page scroll to Roles, select Application and then Settings
- On the application management page scroll to ModSecurity
- Toggle ModSecurity on
# ModSecurity configuration
The ModSecurity configuration file can be configure on a per server basis. All rules will automatically be inherited by websites running on that application server.
The OWASP® ModSecurity Core Rule Set (CRS) are applied by default.
DANGER
Entering invalid syntax in the ModSecurity configuration file will break your web server and sites will be offline.
If you are editing the file on your control panel server, the panel will be inaccessible. To recover from this manually restore the file at /etc/modsecurity.d/modsecurity.customisations.conf.
On all other servers you can recover by clicking the 'Reset to default' button.
To edit the ModSecurity configuration for a server:
- Open Servers in the left sidebar
- Select the server you would like to edit ModSecurity config on (this must be Apache or Nginx)
- On the server management page scroll to Roles, select Application and then Settings
- On the application management page scroll to ModSecurity
- Click Edit configuration
- Make your changes and click save
You can add custom rules, override existing rules and disable the OWASP rule set in this config file. If you would like to include another file, place it into /etc/modsecurity.d and reference it in the main config.
TIP
Custom configurations will need to be manually applied to each web server.
# Enabling/disabling ModSecurity on a per domain basis
WARNING
To disable/enable ModSecurity on a per website basis you must first enable ModSecurity on the server where the website's application role is placed.
To disable/enable ModSecurity on a per domain basis:
- Open Websites in the left sidebar
- Select the website you would like to ebable ModSecurity on
- On the website dashboard select Security
- Scroll to ModSecurity
- Toggle ModSecurity off/on