ModSecurity: SecPcreMatchLimit not allowed in VirtualHost

[itbuiductai]

I try to configure modsecurity with a virtual host in apache then it alerted the error: "ModSecurity: SecPcreMatchLimit not allowed in VirtualHost". Why SecPcreMatchLimit was not allowed in Virtual host? any option of mod_sec is same that.

[victorhora]

Hi @itbuiductai,

Yes, indeed there are a few directives that aren't allowed to be placed inside VirtualHost configurations, namely:

• SecPcreMatchLimit

• SecPcreMatchLimitRecursion

• SecChrootDir

• SecDataDir

• SecGuardianLog

• SecServerSignature

You should place these inside your global server-wide (not per VirtualHost) configuration. Normally this will be placed inside your modsecurity.conf configuration file.

[victorhora]

I've added notes on the reference manual to make this limitation clearer:

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit

[itbuiductai]

Hi @victorhora
yes, i see.
But then we can only use a modsecurity.conf template per webserver.
do you know anyway to configure modsecurity.conf per virtualhost?
what is important of SecPcreMatchLimit?
Thanks

[victorhora]

You should be able to safely set different VirtualHosts just fine with your ModSecurity configuration. As long as your "template" don't use any of the directives mentioned above inside your VirtualHost context and just have this one directive set globally.

You might have a legitimate reason for needing to set different SecPcreMatchLimit values for different web applications, but you should be able to get away with it by just setting the value globally.

You can learn about SecPcreMatchLimit on the reference manual: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#SecPcreMatchLimit

[itbuiductai]

Thanks @victorhora ,
I hope you received my message. Pls, contact with me as soon as you agree,
best regard!