Commit 54d5a8bb authored by mh's avatar mh

adjust to new apache module style - make config tuneable by site module

parent f31e5959
......@@ -6,11 +6,11 @@ LoadModule unique_id_module modules/mod_unique_id.so
</ifDefine>
<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.
# This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Basic configuration goes in here
Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf
# Additional items taken from new minimal modsecurity conf
# Basic configuration options
......@@ -61,7 +61,30 @@ LoadModule unique_id_module modules/mod_unique_id.so
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
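Review bot: The last variable in the added multipart strict-validation message, `IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"`, reuses the `IH` tag that the preceding line already assigns to MULTIPART_INVALID_HEADER_FOLDING, so an audit-log entry cannot show which of the two checks failed. Giving the file-limit variable its own tag, e.g. `FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"`, keeps every field in the message distinguishable. The doubled line before the multipart block looks like a whitespace-only change, but the rendering does not make that certain.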
......
class mod_security::centos inherits mod_security::base {
apache::config::global{'mod_security.conf':
source => "modules/mod_security/normal/${::operatingsystem}/mod_security.conf",
source => [ "puppet:///modules/site_mod_security/normal/${::fqdn}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/${::domain}/mod_security.conf",
"puppet:///modules/site_mod_security/normal/mod_security.conf",
"puppet:///modules/mod_security/normal/${::operatingsystem}/mod_security.conf" ],
require => Package['mod_security'],
notify => Service['apache'],
}
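Review bot: The new `source` list sets up a four-level lookup (per-fqdn, per-domain, site-wide, then the module's own per-OS file) that nothing in the manifest explains; a comment above `source` such as `# site_mod_security may override the shipped config; Puppet takes the first source that exists: fqdn, domain, site default, module default` would make the override precedence explicit for whoever tunes the site module. The third entry uses double quotes with no interpolation while the matching entry in itk_plus/centos.pp uses single quotes; `'puppet:///modules/site_mod_security/normal/mod_security.conf',` keeps the two manifests consistent. The enclosing class continues past the end of this section.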
......
class mod_security::itk_plus::centos inherits mod_security::centos {
Apache::Config::Global['mod_security.conf']{
source => "modules/mod_security/itk_plus/${::operatingsystem}/mod_security.conf",
source => [ "puppet:///modules/site_mod_security/itk_plus/${::fqdn}/mod_security.conf",
"puppet:///modules/site_mod_security/itk_plus/${::domain}/mod_security.conf",
'puppet:///modules/site_mod_security/itk_plus/mod_security.conf',
"puppet:///modules/mod_security/itk_plus/${::operatingsystem}/mod_security.conf" ],
}
}
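Review bot: The overriding `source` list only consults `itk_plus/` paths, so a site that tuned `normal/mod_security.conf` in site_mod_security gets none of that on an itk_plus host unless it also ships an itk_plus variant. If that is intended, a one-line comment above the override, e.g. `# itk_plus hosts need their own site override; normal/ files are not consulted here`, would spare the next maintainer the surprise; if a shared fallback is wanted instead, the site-wide `normal/` entry could be inserted ahead of the module default.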