With the built-in security now in MailWatch and sgwi, mod_security may be redundant, and it is causing problems for many eFa users.
Considering mass disabling mod_security in next update....please cast a vote.
Ditch mod_security?
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Ditch mod_security?
Fuck yes!
I am constantly getting "invalid security tokens" for no apparent reasons. Mailwatch has gone from being usable to unusable.
Also, the damn timeouts are still a problem. Even after I changed the session timeouts to 10 times longer in the code, I am still getting timeouts, even when I leave the tab active on the "recent messages" page. I can't stand it, and I want to have a way to turn this security "feature" off.
Yes, yes, I know it's more secure this way, but the best security is of no use if the software becomes useless in the process.
I am constantly getting "invalid security tokens" for no apparent reasons. Mailwatch has gone from being usable to unusable.
Also, the damn timeouts are still a problem. Even after I changed the session timeouts to 10 times longer in the code, I am still getting timeouts, even when I leave the tab active on the "recent messages" page. I can't stand it, and I want to have a way to turn this security "feature" off.
Yes, yes, I know it's more secure this way, but the best security is of no use if the software becomes useless in the process.
Re: Ditch mod_security?
Maybe ditch mod_security and upgrade to latest PHP version, like php 5.7 and not on php 5.3, also for apache...
Re: Ditch mod_security?
YES PLEASE
I can't seem to cast a vote so +1 on yes.
I've been putting up with the errors and refreshing pages to make them appear, if there's a quick way to disable this on my current appliance could someone either describe it here or link me to it?
I can't seem to cast a vote so +1 on yes.
I've been putting up with the errors and refreshing pages to make them appear, if there's a quick way to disable this on my current appliance could someone either describe it here or link me to it?
Re: Ditch mod_security?
I can't vote either but you have my YES.
Also, any particula reason for using Apache? Could it not be replaced by nginx with php5_fpm?
Also, any particula reason for using Apache? Could it not be replaced by nginx with php5_fpm?
Re: Ditch mod_security?
@ovizii
I'd imagine the reason for Apache may be through inheritance from the original project...
There's an eFa v4 thread around here...it'd be a good idea to through it in there.
From my perspective, I'm more experienced and would be much happier with that platform too...I'd also like Debian or Ubuntu but I think I've been outvoted on that one
I'd imagine the reason for Apache may be through inheritance from the original project...
There's an eFa v4 thread around here...it'd be a good idea to through it in there.
From my perspective, I'm more experienced and would be much happier with that platform too...I'd also like Debian or Ubuntu but I think I've been outvoted on that one
Re: Ditch mod_security?
That'll be up to MailWatch, I'd expect.
7.x may still need some shakeout time anyway. We shall see.
7.x may still need some shakeout time anyway. We shall see.
- shawniverson
- Posts: 3650
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Ditch mod_security?
Modsecurity is now configurable to enable/disable via EFA-Configure under Apache Settings