当我们直接使用ip访问时,拦截信息如下(注意红色标记地方,规则id与规则message)grep -R 960017 ../modsecurity_crs_21_protocol_anomalies.conf:SecRule REQUEST_HEADERS:Host "^[\d.:]+$" "phase:2,rev:'2.2.5',t:none,block,msg:'Host header is a numeric IP address', severity:'2',id:'960017',tag:'PROTOCOL_VIOLATION/IP_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
vim /etc/apache2/sites-available/default
方法一、SecRuleRemoveById 指令:通过Rule ID禁用指定规则
#waf whitelist
<LocationMatch .*>
SecRuleRemoveById 960017 #allow Host Header is a IP address
</LocationMatch>
方法二、SecRuleRemoveByMsg指令:通过Rule Msg禁用指定规则
#waf whitelist
<LocationMatch .*>
SecRuleRemoveByMsg "Host header is a numeric IP address"
</LocationMatch>
方法三、url加白 :对指定路径关闭WAF检测/或只记录不拦截
<LocationMatch /xss.php>
SecRuleEngine DetectionOnly(或者Off)
</LocationMatch>
service apache2 reload
