Below is the recommended minimal mod_security configuration. It is only a starting point, designed to keep you from getting an acute headache. Observe how it behaves and tighten the configuration wherever you can.
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
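As an added example (not from the original page or the ModSecurity project), the following Python script replays the decision logic of the three SecFilterSelective chains above against constructed requests, so you can see which requests the minimal config would block with 403 before enabling it. It assumes ModSecurity 1.x semantics as understood here: a leading "!" inverts the regex, "chain" requires every rule in the chain to match, header names map to HTTP_<Header-Name> variables, and a header absent from the request resolves to an empty string.

```python
import re

# Added example, not ModSecurity's own code: replays the three SecFilterSelective
# chains above. Assumed 1.x semantics: "!" negates the regex, "chain" requires
# every rule in the chain to match, a missing header resolves to "".
RULES = [
    ("content-type-check", [
        ("REQUEST_METHOD", "!^(GET|HEAD)$"),
        ("HTTP_Content-Type",
         "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"),
    ]),
    ("content-length-required", [
        ("REQUEST_METHOD", "^POST$"),
        ("HTTP_Content-Length", "^$"),
    ]),
    ("no-transfer-encoding", [
        ("HTTP_Transfer-Encoding", "!^$"),
    ]),
]
DEFAULT_ACTION = "deny,log,status:403"  # SecFilterDefaultAction from the config

def pattern_matches(pattern, value):
    """One SecFilterSelective pattern; a leading '!' inverts the regex result."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    return (re.search(regex, value) is not None) != negate

def variable_value(request, variable):
    """Resolve REQUEST_METHOD or HTTP_<Header-Name>; absent headers become ''."""
    if variable == "REQUEST_METHOD":
        return request.get("method", "")
    header = variable[len("HTTP_"):].lower()
    return request.get("headers", {}).get(header, "")

def evaluate(request):
    """Return (action, rule name) for the first chain that fully matches, else None."""
    for name, chain in RULES:
        if all(pattern_matches(p, variable_value(request, v)) for v, p in chain):
            return (DEFAULT_ACTION, name)
    return None

if __name__ == "__main__":
    # Constructed sample requests, headers keyed by lower-case name
    samples = {
        "form post": {"method": "POST", "headers": {"content-type": "application/x-www-form-urlencoded", "content-length": "12"}},
        "json post": {"method": "POST", "headers": {"content-type": "application/json", "content-length": "12"}},
        "chunked get": {"method": "GET", "headers": {"transfer-encoding": "chunked"}},
    }
    for label, req in samples.items():
        print(label, "->", evaluate(req) or "allowed")
```

Note that a POST carrying application/json, or any POST without a Content-Length header, is rejected by this config; if your application legitimately sends such requests, relax the corresponding chain rather than disabling the filter engine.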