How do I allow https through modsecurity?
Posted on 2014-08-14
I installed ISPConfig 3 and then got a StartSSL free certificate for it.
It works fine on port 8080 in https mode and the SSL certificate is recognized.
I access it using: https://www.mydomain.com:8080
Before I installed the SSL certificate I had a self-signed certificate which allowed ISP Config to work as above (there used to be a red line diagonally across the word "https" before because the certificate was not related to that domain) but also my domain to load as: http://www.mydomain.com
But since I installed the StartSSL certificate, I can only access the ISPConfig but not my normal site anymore.
I believe that sine the self-signed certificate was made out to my FQDN it did not cause any conflicts but now that the new Startssl certificate is made out to www.mydomain.com it is causing all this.
Now when I access my domain I get this error: Forbidden. You don't have permission to access / on this server.
The culprit behind it all is modsecurity which has the SecRuleEngine On. If I turn that Off everything works fine, but with it on I don't really know how to make the right modifications in the apache.conf, my virtualhost's conf file or any other file that I do not know about.
What should I do? I need the two things to work, with mod-security turned on, as before:
https://www.mydomain.com:8080 -> ISPConfig (working, the https does not have any red line striking through anymore)
http://www.mydomain.com -> my website (at present not working)
I temporarily tried turning the SecRuleEngine to Off and everything started working again, but that was a scenario which I would not like to keep. I need mod_security to be on and the sites to work at the same time.
thanks in advance