Commit cad419e1 authored by ale's avatar ale

Set up mod_security for web-users containers

parent 71a9e5db
Pipeline #7793 passed with stage
in 51 seconds
# Do not inspect the 'pwd' arg of wp-login.php requests (disable all
# CRS rules).
#
# Already included in the set of exceptions when tx.crs_exclusions_wordpress=1
# is set in crs-setup.conf.
#SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
# "id:1000,\
# phase:2,\
# pass,\
# nolog,\
# ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
# Disable all rules on antiwarsongs.org.
SecRule SERVER_NAME "@streq www.antiwarsongs.org" \
"id:1001,\
phase:1,\
pass,\
nolog,\
ctl:ruleEngine=off"
# Do not look into the 'content' arg for /admin.php pages (lahaine).
SecRule REQUEST_FILENAME "@endsWith /admin.php" \
"id:1003,\
phase:2,\
pass,\
nolog,\
ctl:ruleRemoveTargetByTag=CRS;ARGS:content"
# Drop XSS checks on /wp-json/ urls.
SecRule REQUEST_FILENAME "@beginsWith /wp-json/wp/v2/" \
"id:1004,\
phase:1,\
pass,\
nolog,\
ctl:ruleEngine=off"
# Disable mod_security rules in this file.
SecRuleRemoveById 960015
# Allow all request methods (otherwise Nextcloud breaks as it handles DAV).
SecRuleRemoveByID 911100
# Oracle error messages.
SecRuleRemoveById 951120
# Wordpress generates badly encoded mime/multipart uploads
# for its own file upload functionality...
# Drop the REQBODY_ERROR and MULTIPART_UNMATCHED_BOUNDARY rules.
SecRuleRemoveById 200002 200004
# Matches an Apache directory listing.
SecRuleRemoveById 950130
# XSS rules that have too many false positives.
SecRuleRemoveById 941160
SecRuleRemoveById 941180
# ModSec Rule Exclusion: 920273 : Invalid character in request (outside of very strict set)
# ModSec Rule Exclusion: 942432 : Restricted SQL Character Anomaly Detection (args):
# number of special characters exceeded (2) (severity: NONE/UNKOWN)
SecRuleRemoveById 920273
SecRuleRemoveById 942432
# Presence of PHP code in the output.
SecRuleRemoveByID 953110
SecRuleRemoveByID 953120
# Filters "dangerous" file extensions on the URL.
SecRuleRemoveByID 920440
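Review bot: The rule with id:1004 (the `/wp-json/wp/v2/` exclusion) uses `ctl:ruleEngine=off`, which switches off the entire engine for those requests, not just the XSS checks its comment describes; request bodies and every other CRS category go uninspected for any URL an unauthenticated client chooses to start with that prefix. If the XSS rules are the only source of false positives, `ctl:ruleRemoveByTag=attack-xss` keeps the rest of the ruleset active, and the comment should state whichever behaviour is intended. The id:1003 rule likewise matches `/admin.php` on every virtual host although the comment scopes it to lahaine; chaining it on `SERVER_NAME` as id:1001 does would keep the exclusion to that site. The file also mixes `SecRuleRemoveById` with `SecRuleRemoveByID` (harmless, directives are case-insensitive), and ids such as 960015, 951120 and 950130 look like CRS 2.x numbering while `tx.crs_exclusions_wordpress` is a CRS 3 setting, so those removals may be no-ops on the deployed ruleset — worth confirming against the installed CRS version.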
......@@ -37,6 +37,18 @@
mode: "01777"
loop: "{{ apache_instances }}"
- name: Create apache2-instance modsecurity dir
file:
path: "/etc/apache2-instances/{{ item }}/modsecurity/crs"
state: directory
loop: "{{ apache_instances }}"
- name: Configure mod_security
copy:
src: "{{ item.0 }}"
dest: "/etc/apache2-instances/{{ item.1 }}/modsecurity/crs/"
loop: "{{ lookup('fileglob', 'files/modsecurity/*.conf') | product(apache_instances) | list }}"
- name: Configure web-users mail relay
template:
src: mail-relay.conf.j2
......
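Review bot: The `Configure mod_security` copy task places the matched `*.conf` files into each instance's `modsecurity/crs/` directory but never removes files that no longer exist in `files/modsecurity/`, so an exclusion file deleted from the repository stays on the host and, if the instance includes every `.conf` in that directory, stays in force after it was meant to be withdrawn. A cleanup step (`state: absent` for anything not produced by the glob) or the `synchronize` module with `delete: true` would keep the directory authoritative. Neither the new `file` task nor the `copy` task sets `owner` or `mode`, so the rule files inherit the Ansible user's defaults; if the intent is root-owned, non-writable rules, say so explicitly with `mode: "0644"`. No `notify` is attached to the copy task in this hunk, so a changed exclusion is not picked up until Apache is reloaded somewhere else in the role (the task preceding the hunk starts outside it).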
......@@ -54,6 +54,7 @@ web-users:
- /etc/apache2-instances/php56/virtualhosts: /etc/apache2/virtualhosts
- /etc/apache2-instances/mail-relay.conf: /etc/apache2/mail-relay.conf
- /etc/apache2-instances/php56/phprc: /etc/php/5.6/sites
- /etc/apache2-instances/php56/modsecurity/crs: /etc/modsecurity/crs
- /home/users/investici.org: /home/users/investici.org
- /var/run/mariadb-users: /var/run/mysql
- /var/lib/apache2-instances/tmp/php56: /tmp
......@@ -68,6 +69,7 @@ web-users:
- /etc/apache2-instances/php70/virtualhosts: /etc/apache2/virtualhosts
- /etc/apache2-instances/mail-relay.conf: /etc/apache2/mail-relay.conf
- /etc/apache2-instances/php70/phprc: /etc/php/7.0/sites
- /etc/apache2-instances/php70/modsecurity/crs: /etc/modsecurity/crs
- /home/users/investici.org: /home/users/investici.org
- /var/run/mariadb-users: /var/run/mysql
- /var/lib/apache2-instances/tmp/php70: /tmp
......@@ -82,6 +84,7 @@ web-users:
- /etc/apache2-instances/php73/virtualhosts: /etc/apache2/virtualhosts
- /etc/apache2-instances/mail-relay.conf: /etc/apache2/mail-relay.conf
- /etc/apache2-instances/php73/phprc: /etc/php/7.3/sites
- /etc/apache2-instances/php73/modsecurity/crs: /etc/modsecurity/crs
- /home/users/investici.org: /home/users/investici.org
- /var/run/mariadb-users: /var/run/mysql
- /var/lib/apache2-instances/tmp/php73: /tmp
......
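Review bot: The new mount `/etc/apache2-instances/php56/modsecurity/crs: /etc/modsecurity/crs` (and its php70 and php73 counterparts in the next two hunks) carries no read-only marker, so if this mapping is a read-write bind mount by default, a process inside the web-users container — which runs user-supplied PHP — can rewrite the exclusion rules that govern its own traffic and the WAF quietly stops inspecting it. The container only needs to read the rules, so if the volume syntax used here supports a read-only flag (the `:ro` suffix in Docker/podman style), this entry should use it, e.g. `- /etc/apache2-instances/php56/modsecurity/crs: /etc/modsecurity/crs:ro`. The same consideration applies to the neighbouring `phprc` mount, which shares the pattern.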