corpus_parole: dev/provisioning/modules/apache/templates/mod/security.conf.erb@25f3d28f51b2 (annotated)

28 b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	1	<IfModule mod_security2.c>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	2	# ModSecurity Core Rules Set configuration
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	3	<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	4	IncludeOptional <%= @modsec_dir %>/*.conf
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	5	IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	6	<%- else -%>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	7	Include <%= @modsec_dir %>/*.conf
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	8	Include <%= @modsec_dir %>/activated_rules/*.conf
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	9	<%- end -%>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	10
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	11	# Default recommended configuration
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	12	SecRuleEngine <%= @modsec_secruleengine %>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	13	SecRequestBodyAccess On
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	14	SecRule REQUEST_HEADERS:Content-Type "text/xml" \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	15	"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	16	SecRequestBodyLimit 13107200
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	17	SecRequestBodyNoFilesLimit 131072
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	18	SecRequestBodyInMemoryLimit 131072
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	19	SecRequestBodyLimitAction Reject
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	20	SecRule REQBODY_ERROR "!@eq 0" \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	21	"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	22	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	23	"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	24	PE %{REQBODY_PROCESSOR_ERROR}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	25	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	26	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	27	DB %{MULTIPART_DATA_BEFORE}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	28	DA %{MULTIPART_DATA_AFTER}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	29	HF %{MULTIPART_HEADER_FOLDING}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	30	LF %{MULTIPART_LF_LINE}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	31	SM %{MULTIPART_MISSING_SEMICOLON}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	32	IQ %{MULTIPART_INVALID_QUOTING}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	33	IP %{MULTIPART_INVALID_PART}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	34	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	35	FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	36
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	37	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	38	"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	39
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	40	SecPcreMatchLimit 1000
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	41	SecPcreMatchLimitRecursion 1000
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	42
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	43	SecRule TX:/^MSC_/ "!@streq 0" \
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	44	"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	45
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	46	SecResponseBodyAccess Off
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	47	SecResponseBodyMimeType text/plain text/html text/xml
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	48	SecResponseBodyLimit 524288
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	49	SecResponseBodyLimitAction ProcessPartial
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	50	SecDebugLogLevel 0
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	51	SecAuditEngine RelevantOnly
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	52	SecAuditLogRelevantStatus "^(?:5\|4(?!04))"
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	53	SecAuditLogParts ABIJDEFHZ
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	54	SecAuditLogType Serial
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	55	SecArgumentSeparator &
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	56	SecCookieFormat 0
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	57	<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	58	SecDebugLog /var/log/apache2/modsec_debug.log
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	59	SecAuditLog /var/log/apache2/modsec_audit.log
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	60	SecTmpDir /var/cache/modsecurity
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	61	SecDataDir /var/cache/modsecurity
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	62	SecUploadDir /var/cache/modsecurity
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	63	<% else -%>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	64	SecDebugLog /var/log/httpd/modsec_debug.log
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	65	SecAuditLog /var/log/httpd/modsec_audit.log
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	66	SecTmpDir /var/lib/mod_security
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	67	SecDataDir /var/lib/mod_security
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	68	SecUploadDir /var/lib/mod_security
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	69	<% end -%>
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	70	SecUploadKeepFiles Off
b0b56e0f8c7f Add contributor edition ymh <ymh.work@gmail.com> parents: diff changeset	71	</IfModule>

author	ymh <ymh.work@gmail.com>
	Tue, 20 Mar 2018 15:02:40 +0100
changeset 573	25f3d28f51b2
parent 28	b0b56e0f8c7f
permissions	-rw-r--r--