Whitelist IP for specific ModSecurity rule

To whitelist an IP for only one specific ModSecurity rule, use the ruleRemoveById option of the ctl action.

ctl description:

Description: Changes ModSecurity configuration on a transient, per-transaction basis. Any changes made using this action will affect only the transaction in which the action is executed. The default configuration, as well as the other transactions running in parallel, will be unaffected.

Reference Manual

The ruleRemoveById option:

ruleRemoveById – since this action is triggered at run time, it should be specified before the rule in which it is disabling.

Reference Manual

The rule will be:

SecRule REMOTE_ADDR "@ipMatch 11.22.33.44" "id:1010,phase:2,t:none,pass,nolog,ctl:ruleRemoveById=xxxxxx"

xxxxxx is the ID of the rule for which you want to whitelist the IP 11.22.33.44.

Per the ModSecurity Reference Manual, the ID of local rules should be in the 1–99,999 range.
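
The ordering requirement described above, as an added example that is not part of the original article. ModSecurity evaluates rules phase by phase and, within a phase, in configuration order, so an exclusion must run in the same phase as its target or an earlier one and be loaded before it. Rule IDs 10100, 10101, 10500 and 10501 and the /healthcheck path are constructed for illustration.

```apache
# Added example: rule IDs 10100, 10101, 10500, 10501 and the /healthcheck path
# are constructed; 11.22.33.44 is the sample address used above.

# Exclusion 1: skip rule 10500 for every request from 11.22.33.44.
# It runs in phase 1, so it takes effect before any phase 2 rule is evaluated.
SecRule REMOTE_ADDR "@ipMatch 11.22.33.44" \
    "id:10100,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=10500"

# Exclusion 2: skip rule 10501 for that IP only on /healthcheck.
# ctl sits on the last rule of the chain, so it runs only when both match.
# 10501 is itself a phase 1 rule, so this exclusion must also be phase 1
# and must appear earlier in the configuration than 10501.
SecRule REMOTE_ADDR "@ipMatch 11.22.33.44" \
    "id:10101,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_URI "@beginsWith /healthcheck" \
        "t:none,ctl:ruleRemoveById=10501"

# Target rule (constructed): block requests without a User-Agent header.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:10501,phase:1,t:none,deny,status:403,log,msg:'Missing User-Agent header'"

# Target rule (constructed): block a crude SQL keyword sequence in any argument.
SecRule ARGS "@rx (?i)union.+select" \
    "id:10500,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQL keyword sequence in argument'"
```

All other rules still apply to 11.22.33.44; only the listed IDs are skipped, and only for the transaction in which the exclusion matched.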


References:
ModSecurity IDs
