Allow opt-out of "enhanced web security"

[NReilingh]

I keep running into 403 errors caused by various mod_security rules. This may be indicative of a different issue, but whatever the case, the Dreamhost panel allows you to opt out of "enhanced web security" if you choose which would bypasses the issue in the first place.

I think there's an argument for just having it turned off by default if it's not easy to introduce a user setting in the Vagrantfile somehow, since generally development environments are "anything goes" (no root password, etc.). Of course I do see the value in replicating this aspect of the server configuration, but I don't believe the current set of rules works for an accurate representation of the dreamhost environment.

Aside: what I'm doing when running into these 403 errors is trying to use the Wordpress Duplicator plugin install script to restore a wordpress archive to the dreambox. I'm 99% sure I've done this successfully in Dreamhost with enhanced web security turned on, but when I tried in dreambox, I hit a mod_security rule, then I bypassed this rule in the vhost directive and hit a DIFFERENT rule, so eventually I just commented out the apache activated_rules/*.conf include line entirely and had no further problems.

Right now I just want to turn these off, but later I'll try to identify specific differences in rule trigger conditions, since I have a hunch that the weirdness of the vagrant environment is causing them to "misfire".

[goodguyry]

I've got mixed feelings about the mod_security setup.

At first I was just having fun trying to replicate the Dreamhost setup. But since then, I see it as overkill for a development environment, and issues such as the one you're describing (and #4) are reason enough to ditch it altogether.

Is there a solid reason to keep it?

[NReilingh]

I think ditch it for now; maybe later when this project is more mature it might be worth looking into as an optional feature.

[goodguyry]

Thanks for the input 😃