How to Whitelist an IP Address Using Mod_Security
By Ben Richard
If your business has a website, you may be familiar with the mod_security module for Apache Web servers. ModSecurity is a firewall module for Apache servers that blocks malicious programs, scripts and injections, helping to keep your website more secure. Occasionally, you might need to bypass the module filters to accommodate a testing environment or to allow access for a particular IP address, such as for a developer working at home. Whitelisting is a straightforward task that you can accomplish with a simple text editor.
Browse to your website's root directory, which should be the top directory on your server. On a local server, the default is "C:\Apache(version)\htdocs\", which is the same as http://localhost. On a Linux server, the root directory is usually "/usr/local/apache/htdocs/". On a hosted server, this will generally be the directory with your Web page name, such as "http://www.mywebsite.com/".
Open the ".htaccess" file in the root directory with your preferred text editor.
Add the following line before any of the mod_security rules are called (near the top is easiest):
SetEnvIfNoCase REMOTE_ADDR ^22.214.171.124$ MODSEC_ENABLE=Off
Replace the IP address shown in the above example with the IP address that you want to whitelist.
Browse to your "mod_security.conf" file. This should be at "C:\Apache(version)\conf\mod_security.conf" or within your "httpd.conf" file in the same directory. For Linux, this is usually "/etc/httpd/modsecurity.d/modsecurity.conf". Note that this method only works on servers where you have access to the core server files.
Open the configuration file with your preferred text editor.
Add the following to disable mod_security for a particular IP address, replacing the IP address in the example with the one that you want to whitelist:
SecRule REMOTE_ADDR "^115.100.121\176$" phase:1,nolog,allow,ctl:ruleEngine=Off
Always be careful when whitelisting as you are making your server less secure. Only do this when necessary and for IP addresses you trust.
Ben Richard began writing in 1996. He is compiling an anthology of poetry as well as a nonfiction book. Richard studied philosophy and English at Texas A&M University. Richard writes on technology and specializes in web design.