1 class apache::mod::security (

     2   $crs_package           = $::apache::params::modsec_crs_package,

     3   $activated_rules       = $::apache::params::modsec_default_rules,

     4   $modsec_dir            = $::apache::params::modsec_dir,

     5   $modsec_secruleengine  = $::apache::params::modsec_secruleengine,

     6   $allowed_methods       = 'GET HEAD POST OPTIONS',

     7   $content_types         = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',

     8   $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',

     9   $restricted_headers    = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',

    10 ){

    11 

    12   if $::osfamily == 'FreeBSD' {

    13     fail('FreeBSD is not currently supported')

    14   }

    15 

    16   ::apache::mod { 'security':

    17     id  => 'security2_module',

    18     lib => 'mod_security2.so',

    19   }

    20 

    21   ::apache::mod { 'unique_id_module':

    22     id  => 'unique_id_module',

    23     lib => 'mod_unique_id.so',

    24   }

    25 

    26   if $crs_package  {

    27     package { $crs_package:

    28       ensure => 'latest',

    29       before => File['security.conf'],

    30     }

    31   }

    32 

    33   # Template uses:

    34   # - $modsec_dir

    35   file { 'security.conf':

    36     ensure  => file,

    37     content => template('apache/mod/security.conf.erb'),

    38     path    => "${::apache::mod_dir}/security.conf",

    39     owner   => $::apache::params::user,

    40     group   => $::apache::params::group,

    41     require => Exec["mkdir ${::apache::mod_dir}"],

    42     before  => File[$::apache::mod_dir],

    43     notify  => Class['apache::service'],

    44   }

    45 

    46   file { $modsec_dir:

    47     ensure  => directory,

    48     owner   => $::apache::params::user,

    49     group   => $::apache::params::group,

    50     mode    => '0555',

    51     purge   => true,

    52     force   => true,

    53     recurse => true,

    54   }

    55 

    56   file { "${modsec_dir}/activated_rules":

    57     ensure  => directory,

    58     owner   => $::apache::params::user,

    59     group   => $::apache::params::group,

    60     mode    => '0555',

    61     purge   => true,

    62     force   => true,

    63     recurse => true,

    64     notify  => Class['apache::service'],

    65   }

    66 

    67   file { "${modsec_dir}/security_crs.conf":

    68     ensure  => file,

    69     content => template('apache/mod/security_crs.conf.erb'),

    70     require => File[$modsec_dir],

    71     notify  => Class['apache::service'],

    72   }

    73 

    74   apache::security::rule_link { $activated_rules: }

    75 

    76 }