Mercurial Mercurial > corpus_parole / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
dev/provisioning/modules/apache/templates/mod/security.conf.erb
author ymh <ymh.work@gmail.com>
Tue, 20 Mar 2018 15:02:40 +0100
changeset 573 25f3d28f51b2
parent 28 b0b56e0f8c7f
permissions -rw-r--r--
Added tag 0.0.25 for changeset 190ae1dee68d

<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
    IncludeOptional <%= @modsec_dir %>/*.conf
    IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
<%- else -%>
    Include <%= @modsec_dir %>/*.conf
    Include <%= @modsec_dir %>/activated_rules/*.conf
<%- end -%>

    # Default recommended configuration
    SecRuleEngine <%= @modsec_secruleengine %>
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
      "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
      "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
      PE %{REQBODY_PROCESSOR_ERROR}, \
      BQ %{MULTIPART_BOUNDARY_QUOTED}, \
      BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
      DB %{MULTIPART_DATA_BEFORE}, \
      DA %{MULTIPART_DATA_AFTER}, \
      HF %{MULTIPART_HEADER_FOLDING}, \
      LF %{MULTIPART_LF_LINE}, \
      SM %{MULTIPART_MISSING_SEMICOLON}, \
      IQ %{MULTIPART_INVALID_QUOTING}, \
      IP %{MULTIPART_INVALID_PART}, \
      IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
      FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
      "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    SecRule TX:/^MSC_/ "!@streq 0" \
      "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess Off
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecArgumentSeparator &
    SecCookieFormat 0
<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecTmpDir /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity
    SecUploadDir /var/cache/modsecurity
<% else -%>
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
    SecUploadDir /var/lib/mod_security
<% end -%>
    SecUploadKeepFiles Off
</IfModule>
corpus_parole