Change default IIS setting for overrideModeDefault in applicationHost.config

[brianclark]

Hello,

In the 2.8.0 version of the ModSecurity for IIS installer, it adds a line like the one below to the applicationHost.config file (which governs the global IIS configuration for that host--all websites on the host):

<section name="ModSecurity" overrideModeDefault="Deny" allowDefinition="Everywhere" /></sectionGroup>

The effect of this configuration is preventing individual websites running on the host from being able to disable ModSecurity (at the site level). I propose changing the IIS Installer's default overrideModeDefault to "Allow" which would allow individual websites the ability to include a ModSecurity enabled="FALSE", thereby disabling ModSecurity for that site.

Thank you,
Brian Clark

[default-kramer]

Yes please! I just lost 2+ hours trying to figure out why, as soon as I added the <ModSecurity ...> element to my config file it just stopped working. Especially confusing when the installed readme (gets intalled to C:\Program Files\ModSecurity IIS\README.TXT) says that this should work!

Looks like a very easy change to make at https://github.com/SpiderLabs/ModSecurity/blob/caadf97524a4861456be176a8cb91dcbb76b97e4/iis/installer.wxs#L349

I'm willing to make a PR if you want.

[victorhora]

Hi @default-kramer,

Thanks for your input here. I didn't had the time to test this yet, but if you have confirmed that this works for you as well, please go ahead and make a PR and I'll review it and hopefully be able to put it out before 2.9.3 to help others facing similar issues.

[zimmerle]

Merged! Thanks!