diff --git a/manifests/mod/php.pp b/manifests/mod/php.pp index 404af05559..37ed59e48a 100644 --- a/manifests/mod/php.pp +++ b/manifests/mod/php.pp @@ -32,7 +32,7 @@ Optional[String] $path = undef, Array $extensions = ['.php'], Optional[String] $content = undef, - String $template = 'apache/mod/php.conf.erb', + String $template = 'apache/mod/php.conf.epp', Optional[String] $source = undef, Optional[String] $root_group = $apache::params::root_group, Optional[String] $php_version = $apache::params::php_version, @@ -63,9 +63,9 @@ fail('apache::mod::php requires apache::mod::prefork or apache::mod::itk; please enable mpm_module => \'prefork\' or mpm_module => \'itk\' on Class[\'apache\']') } - if $source and ($content or $template != 'apache/mod/php.conf.erb') { + if $source and ($content or $template != 'apache/mod/php.conf.epp') { warning('source and content or template parameters are provided. source parameter will be used') - } elsif $content and $template != 'apache/mod/php.conf.erb' { + } elsif $content and $template != 'apache/mod/php.conf.epp' { warning('content and template parameters are provided. content parameter will be used') } diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index a64be57f8a..cee5a04865 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp @@ -316,49 +316,30 @@ } if $manage_security_crs { - # Template uses: - # - $_secdefaultaction - # - $critical_anomaly_score - # - $error_anomaly_score - # - $warning_anomaly_score - # - $notice_anomaly_score - # - $inbound_anomaly_threshold - # - $outbound_anomaly_threshold - # - $paranoia_level - # - $executing_paranoia_level - # - $allowed_methods - # - $content_types - # - $restricted_extensions - # - $restricted_headers - # - $secrequestmaxnumargs - # - $enable_dos_protection - # - $dos_burst_time_slice - # - $dos_counter_threshold - # - $dos_block_timeout $security_crs_parameters = { - '_secdefaultaction' => $_secdefaultaction, - 'critical_anomaly_score' => $critical_anomaly_score, - 'error_anomaly_score' => $error_anomaly_score, - 'warning_anomaly_score' => $warning_anomaly_score, - 'notice_anomaly_score' => $notice_anomaly_score, - 'inbound_anomaly_threshold' => $inbound_anomaly_threshold, - 'outbound_anomaly_threshold' => $outbound_anomaly_threshold, - 'secrequestmaxnumargs' => $secrequestmaxnumargs, - 'allowed_methods' => $allowed_methods, - 'content_types' => $content_types, - 'restricted_extensions' => $restricted_extensions, - 'restricted_headers' => $restricted_headers, - 'paranoia_level' => $paranoia_level, - 'executing_paranoia_level' => $executing_paranoia_level, - 'enable_dos_protection' => $enable_dos_protection, - 'dos_burst_time_slice' => $dos_burst_time_slice, - 'dos_counter_threshold' => $dos_counter_threshold, - 'dos_block_timeout' => $dos_block_timeout, + '_secdefaultaction' => $_secdefaultaction, + 'critical_anomaly_score' => $critical_anomaly_score, + 'error_anomaly_score' => $error_anomaly_score, + 'warning_anomaly_score' => $warning_anomaly_score, + 'notice_anomaly_score' => $notice_anomaly_score, + 'inbound_anomaly_threshold' => $inbound_anomaly_threshold, + 'outbound_anomaly_threshold' => $outbound_anomaly_threshold, + 'secrequestmaxnumargs' => $secrequestmaxnumargs, + 'allowed_methods' => $allowed_methods, + 'content_types' => $content_types, + 'restricted_extensions' => $restricted_extensions, + 'restricted_headers' => $restricted_headers, + 'paranoia_level' => $paranoia_level, + 'executing_paranoia_level' => $executing_paranoia_level, + 'enable_dos_protection' => $enable_dos_protection, + 'dos_burst_time_slice' => $dos_burst_time_slice, + 'dos_counter_threshold' => $dos_counter_threshold, + 'dos_block_timeout' => $dos_block_timeout, } file { "${modsec_dir}/security_crs.conf": ensure => file, - content => template('apache/mod/security_crs.conf.erb'), + content => epp('apache/mod/security_crs.conf.epp', $security_crs_parameters), require => File[$modsec_dir], notify => Class['apache::service'], } diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index cd6416fe73..0551713247 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp @@ -40,11 +40,17 @@ $requires_defaults = 'ip 127.0.0.1 ::1' # Template uses $extended_status, $status_path + $status_params = { + 'extended_status' => $extended_status, + 'status_path' => $status_path, + 'requires' => $requires, + 'requires_defaults' => $requires_defaults, + } file { 'status.conf': ensure => file, path => "${apache::mod_dir}/status.conf", mode => $apache::file_mode, - content => template('apache/mod/status.conf.erb'), + content => epp('apache/mod/status.conf.epp', $status_params), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], notify => Class['apache::service'], diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 5f73f442d4..e2a88818c7 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -2335,7 +2335,7 @@ if $directory['provider'] and $directory['provider'] =~ 'location' and ('proxy_pass' in $directory or 'proxy_pass_match' in $directory) { include apache::mod::proxy_http - # To match processing in templates/vhost/_directories.erb + # To match processing in templates/vhost/_directories.epp if $directory['proxy_pass_match'] { Array($directory['proxy_pass_match']).each |$proxy| { if $proxy['url'] =~ /"h2c?:\/\// { @@ -2364,28 +2364,26 @@ } } - # Template uses: - # - $_directories - # - $docroot - # - $shibboleth_enabled - # - $cas_enabled unless empty($_directories) { + $directory_params = { + 'docroot' => $docroot, + 'directories' => $_directories, + 'shibboleth_enabled' => $shibboleth_enabled, + 'cas_enabled' => $cas_enabled, + } concat::fragment { "${name}-directories": target => "${priority_real}${filename}.conf", order => 60, - content => template('apache/vhost/_directories.erb'), + content => epp('apache/vhost/_directories.epp', $directory_params), } } } - # Template uses: - # - $additional_includes - # - $use_optional_includes if $additional_includes and ! empty($additional_includes) { concat::fragment { "${name}-additional_includes": target => "${priority_real}${filename}.conf", order => 70, - content => template('apache/vhost/_additional_includes.erb'), + content => epp('apache/vhost/_additional_includes.epp', { 'additional_includes' => $additional_includes, 'use_optional_includes' => $use_optional_includes }), } } @@ -2403,24 +2401,17 @@ } } - # Template uses no variables concat::fragment { "${name}-serversignature": target => "${priority_real}${filename}.conf", order => 90, content => " ServerSignature Off\n", } - # Template uses: - # - $_access_logs - # - $_access_log_env_var - # - $access_log_destination - # - $_access_log_format - # - $_access_log_env_var if !empty($_access_logs) { concat::fragment { "${name}-access_log": target => "${priority_real}${filename}.conf", order => 100, - content => template('apache/vhost/_access_log.erb'), + content => epp('apache/vhost/_access_log.epp', { 'access_logs' => $_access_logs, 'logroot' => $logroot, 'ssl' => $ssl, 'filename' => $filename }), } } @@ -2432,23 +2423,19 @@ } } - # Template uses: - # - $block if $block and ! empty($block) { concat::fragment { "${name}-block": target => "${priority_real}${filename}.conf", order => 120, - content => template('apache/vhost/_block.erb'), + content => epp('apache/vhost/_block.epp', { 'block' => $block }), } } - # Template uses: - # - $error_documents if $error_documents and ! empty($error_documents) { concat::fragment { "${name}-error_document": target => "${priority_real}${filename}.conf", order => 130, - content => template('apache/vhost/_error_document.erb'), + content => epp('apache/vhost/_error_document.epp', { 'error_documents' => $error_documents }), } } @@ -2496,7 +2483,7 @@ if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match or $proxy_preserve_host or ($proxy_add_headers =~ NotUndef)) and $ensure == 'present' { include apache::mod::proxy_http - # To match processing in templates/vhost/_proxy.erb + # To match processing in templates/vhost/_proxy.epp if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] { include apache::mod::proxy_http2 } @@ -2505,49 +2492,57 @@ include apache::mod::proxy_http2 } } + $proxy_params = { + 'proxy_dest' => $proxy_dest, + 'proxy_pass' => $proxy_pass, + 'proxy_pass_match' => $proxy_pass_match, + 'proxy_dest_match' => $proxy_dest_match, + 'proxy_add_headers' => $proxy_add_headers, + 'proxy_requests' => $proxy_requests, + 'proxy_preserve_host' => $proxy_preserve_host, + 'proxy_error_override' => $proxy_error_override, + 'no_proxy_uris' => $no_proxy_uris, + 'no_proxy_uris_match' => $no_proxy_uris_match, + 'proxy_dest_reverse_match' => $proxy_dest_reverse_match, + } concat::fragment { "${name}-proxy": target => "${priority_real}${filename}.conf", order => 170, - content => template('apache/vhost/_proxy.erb'), - } - } - - # Template uses: - # - $redirect_source - # - $redirect_dest - # - $redirect_status - # - $redirect_dest_a - # - $redirect_source_a - # - $redirect_status_a - # - $redirectmatch_status - # - $redirectmatch_regexp - # - $redirectmatch_dest - # - $redirectmatch_status_a - # - $redirectmatch_regexp_a - # - $redirectmatch_dest + content => epp('apache/vhost/_proxy.epp', $proxy_params), + } + } + if (($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest)) and $ensure == 'present' { + $redirect_params = { + 'redirect_source' => $redirect_source, + 'redirect_dest' => $redirect_dest, + 'redirect_status' => $redirect_status, + 'redirectmatch_regexp' => $redirectmatch_regexp, + 'redirectmatch_dest' => $redirectmatch_dest, + 'redirectmatch_status' => $redirectmatch_status, + } include apache::mod::alias concat::fragment { "${name}-redirect": target => "${priority_real}${filename}.conf", order => 180, - content => template('apache/vhost/_redirect.erb'), + content => epp('apache/vhost/_redirect.epp', $redirect_params), } } - # Template uses: - # - $rewrites - # - $rewrite_inherit - # - $rewrite_base - # - $rewrite_rule - # - $rewrite_cond - # - $rewrite_map if (! empty($rewrites) or $rewrite_rule or $rewrite_inherit) and $ensure == 'present' { include apache::mod::rewrite + $rewrite_params = { + 'rewrites' => $rewrites, + 'rewrite_inherit' => $rewrite_inherit, + 'rewrite_base' => $rewrite_base, + 'rewrite_rule' => $rewrite_rule, + 'rewrite_cond' => $rewrite_cond, + } concat::fragment { "${name}-rewrite": target => "${priority_real}${filename}.conf", order => 190, - content => template('apache/vhost/_rewrite.erb'), + content => epp('apache/vhost/_rewrite.epp', $rewrite_params), } } @@ -2568,10 +2563,6 @@ } } - # Template uses: - # - $setenv - # - $setenvif - # - $setenvifnocase $use_env_mod = !empty($setenv) $use_setenvif_mod = !empty($setenvif) or !empty($setenvifnocase) if ($use_env_mod or $use_setenvif_mod) and $ensure == 'present' { @@ -2582,38 +2573,47 @@ include apache::mod::setenvif } + $setenv_params = { + 'setenv' => $setenv, + 'setenvif' => $setenvif, + 'setenvifnocase' => $setenvifnocase, + } concat::fragment { "${name}-setenv": target => "${priority_real}${filename}.conf", order => 220, - content => template('apache/vhost/_setenv.erb'), - } - } - - # Template uses: - # - $ssl - # - $ssl_cert - # - $ssl_key - # - $ssl_chain - # - $ssl_certs_dir - # - $ssl_ca - # - $ssl_crl_path - # - $ssl_crl - # - $ssl_crl_check - # - $ssl_protocol - # - $ssl_cipher - # - $_ssl_honorcipherorder - # - $ssl_verify_client - # - $ssl_verify_depth - # - $ssl_options - # - $ssl_openssl_conf_cmd - # - $ssl_stapling - # - $mdomain + content => epp('apache/vhost/_setenv.epp', $setenv_params), + } + } + if $ssl and $ensure == 'present' { include apache::mod::ssl + $ssl_params = { + 'ssl' => $ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_chain' => $ssl_chain, + 'ssl_certs_dir' => $ssl_certs_dir, + 'ssl_ca' => $ssl_ca, + 'ssl_crl_path' => $ssl_crl_path, + 'ssl_crl' => $ssl_crl, + 'ssl_crl_check' => $ssl_crl_check, + 'ssl_protocol' => $ssl_protocol, + 'ssl_cipher' => $ssl_cipher, + 'ssl_honorcipherorder' => $_ssl_honorcipherorder, + 'ssl_verify_client' => $ssl_verify_client, + 'ssl_verify_depth' => $ssl_verify_depth, + 'ssl_options' => $ssl_options, + 'ssl_openssl_conf_cmd' => $ssl_openssl_conf_cmd, + 'ssl_stapling' => $ssl_stapling, + 'ssl_stapling_timeout' => $ssl_stapling_timeout, + 'ssl_stapling_return_errors' => $ssl_stapling_return_errors, + 'ssl_user_name' => $ssl_user_name, + 'mdomain' => $mdomain, + } concat::fragment { "${name}-ssl": target => "${priority_real}${filename}.conf", order => 230, - content => template('apache/vhost/_ssl.erb'), + content => epp('apache/vhost/_ssl.epp', $ssl_params), } if $ssl_reload_on_change { @@ -2656,25 +2656,27 @@ } } - # Template uses: - # - $php_values - # - $php_flags if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) { + $php_params = { + 'php_values' => $php_values, + 'php_flags' => $php_flags, + } concat::fragment { "${name}-php": target => "${priority_real}${filename}.conf", order => 240, - content => template('apache/vhost/_php.erb'), + content => epp('apache/vhost/_php.epp', $php_params), } } - # Template uses: - # - $php_admin_values - # - $php_admin_flags if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) { + $php_admin_params = { + 'php_admin_values' => $php_admin_values, + 'php_admin_flags' => $php_admin_flags, + } concat::fragment { "${name}-php_admin": target => "${priority_real}${filename}.conf", order => 250, - content => template('apache/vhost/_php_admin.erb'), + content => epp('apache/vhost/_php_admin.epp', $php_admin_params), } } diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp index 89a885d175..e9d3d3ef26 100644 --- a/manifests/vhost/proxy.pp +++ b/manifests/vhost/proxy.pp @@ -124,7 +124,7 @@ include apache::mod::proxy include apache::mod::proxy_http - # To match processing in templates/vhost/_proxy.erb + # To match processing in templates/vhost/_proxy.epp if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] { include apache::mod::proxy_http2 } @@ -138,11 +138,25 @@ fail('At least one of proxy_dest, proxy_pass, proxy_pass_match or proxy_dest_match must be given') } + $proxy_params = { + 'proxy_dest' => $proxy_dest, + 'proxy_pass' => $proxy_pass, + 'proxy_pass_match' => $proxy_pass_match, + 'proxy_dest_match' => $proxy_dest_match, + 'proxy_add_headers' => $proxy_add_headers, + 'proxy_requests' => $proxy_requests, + 'proxy_preserve_host' => $proxy_preserve_host, + 'proxy_error_override' => $proxy_error_override, + 'no_proxy_uris' => $no_proxy_uris, + 'no_proxy_uris_match' => $no_proxy_uris_match, + 'proxy_dest_reverse_match' => $proxy_dest_reverse_match, + } + apache::vhost::fragment { "${name}-proxy": vhost => $vhost, port => $port, priority => $priority, order => $order, - content => template('apache/vhost/_proxy.erb'), + content => epp('apache/vhost/_proxy.epp', $proxy_params), } } diff --git a/spec/classes/mod/php_spec.rb b/spec/classes/mod/php_spec.rb index 8c4e774d63..14729221ed 100644 --- a/spec/classes/mod/php_spec.rb +++ b/spec/classes/mod/php_spec.rb @@ -310,7 +310,7 @@ context 'with template param' do let :params do - { template: 'apache/mod/php.conf.erb' } + { template: 'apache/mod/php.conf.epp' } end it { diff --git a/templates/fastcgi/server.erb b/templates/fastcgi/server.erb deleted file mode 100644 index bae56d48ef..0000000000 --- a/templates/fastcgi/server.erb +++ /dev/null @@ -1,22 +0,0 @@ -<% - timeout = " -idle-timeout #{@timeout}" - flush = "" - if @flush - flush = " -flush" - end - if @socket - host_or_socket = " -socket #{@socket}" - else - host_or_socket = " -host #{@host}" - end - - pass_header = "" - if @pass_header and ! @pass_header.empty? - pass_header = " -pass-header #{@pass_header}" - end - - options = timeout + flush + host_or_socket + pass_header --%> -FastCGIExternalServer <%= @faux_path %><%= options %> -Alias <%= @fcgi_alias %> <%= @faux_path %> -Action <%= @file_type %> <%= @fcgi_alias %> diff --git a/templates/mod/_require.epp b/templates/mod/_require.epp index 88443db572..56a22a4f86 100644 --- a/templates/mod/_require.epp +++ b/templates/mod/_require.epp @@ -1,5 +1,5 @@ -<% $_requires = if $requires { %>$requires<% } else {%>$requires_defaults<%} %> -<% if type($_requires, 'generalized') == String { %> +<% $_requires = if $requires { $requires } else { $requires_defaults} -%> +<% if type($_requires, 'generalized') == String { -%> <%- if !($_requires.downcase in ['', 'unmanaged']) { -%> Require <%= $_requires %> <%- } -%> diff --git a/templates/mod/_require.erb b/templates/mod/_require.erb deleted file mode 100644 index 404dcc4c26..0000000000 --- a/templates/mod/_require.erb +++ /dev/null @@ -1,33 +0,0 @@ -<% _requires = @requires != nil ? @requires : @requires_defaults -%> -<% if _requires.is_a?(String) -%> - <%- if ! ['', 'unmanaged'].include?_requires.downcase -%> - Require <%= _requires %> - <%- end -%> -<% elsif _requires.is_a?(Array) -%> - <%- _requires.each do |req| -%> - Require <%= req %> - <%- end -%> -<% elsif _requires.is_a?(Hash) -%> - <%- if _requires.has_key?('enforce') and ['all', 'none', 'any'].include?_requires['enforce'].downcase -%> - <%- enforce_str = "Require#{_requires['enforce'].capitalize}>\n" -%> - <%- enforce_open = " <#{enforce_str}" -%> - <%- enforce_close = " - <%- indentation = ' ' -%> - <%- else -%> - <%- if _requires.has_key?('enforce') -%> - <%- scope.function_warning(["Class #{@title}: Require can only be overwritten with all, none or any."]) -%> - <%- end -%> - <%- enforce_open = '' -%> - <%- enforce_close = '' -%> - <%- indentation = '' -%> - <%- end -%> - <%- if _requires.has_key?('requires') and _requires['requires'].is_a?(Array) -%> -<%# %><%= enforce_open -%> - <%- _requires['requires'].each do |req| -%> -<%# %> <%= indentation -%>Require <%= req %> - <%- end -%> -<%# %><%= enforce_close -%> - <%- else -%> - <%- scope.function_warning(["Class #{@title}: Require hash must have a key named \"requires\" with array value"]) -%> - <%- end -%> -<% end -%> diff --git a/templates/mod/php.conf.erb b/templates/mod/php.conf.epp similarity index 84% rename from templates/mod/php.conf.erb rename to templates/mod/php.conf.epp index 9e684fe6d0..c1298d441f 100644 --- a/templates/mod/php.conf.erb +++ b/templates/mod/php.conf.epp @@ -6,7 +6,7 @@ # # Cause the PHP interpreter to handle files with a .php extension. # -)$"> +)$"> SetHandler application/x-httpd-php diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb deleted file mode 100644 index fb8dbff146..0000000000 --- a/templates/mod/security_crs.conf.erb +++ /dev/null @@ -1,1271 +0,0 @@ -<% if scope['facts']['os']['family'] == 'RedHat' and scope['facts']['os']['release']['major'].to_i <= 7 -%> -# --------------------------------------------------------------- -# Core ModSecurity Rule Set ver.2.2.9 -# Copyright (C) 2006-2012 Trustwave All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -# -# -- [[ Recommended Base Configuration ]] ------------------------------------------------- -# -# The configuration directives/settings in this file are used to control -# the OWASP ModSecurity CRS. These settings do **NOT** configure the main -# ModSecurity settings such as: -# -# - SecRuleEngine -# - SecRequestBodyAccess -# - SecAuditEngine -# - SecDebugLog -# -# You should use the modsecurity.conf-recommended file that comes with the -# ModSecurity source code archive. -# -# Ref: https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended -# - - -# -# -- [[ Rule Version ]] ------------------------------------------------------------------- -# -# Rule version data is added to the "Producer" line of Section H of the Audit log: -# -# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4. -# -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature -# -SecComponentSignature "OWASP_CRS/2.2.9" - - -# -# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] ----------------- -# -# Each detection rule uses the "block" action which will inherit the SecDefaultAction -# specified below. Your settings here will determine which mode of operation you use. -# -# -- [[ Self-Contained Mode ]] -- -# Rules inherit the "deny" disruptive action. The first rule that matches will block. -# -# -- [[ Collaborative Detection Mode ]] -- -# This is a "delayed blocking" mode of operation where each matching rule will inherit -# the "pass" action and will only contribute to anomaly scores. Transactional blocking -# can be applied -# -# -- [[ Alert Logging Control ]] -- -# You have three options - -# -# - To log to both the Apache error_log and ModSecurity audit_log file use: "log" -# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog" -# - To log *only* to the Apache error_log file use: "log,noauditlog" -# -# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction -# -SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" -SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" - -# -# -- [[ Collaborative Detection Severity Levels ]] ---------------------------------------- -# -# These are the default scoring points for each severity level. You may -# adjust these to you liking. These settings will be used in macro expansion -# in the rules to increment the anomaly scores when rules match. -# -# These are the default Severity ratings (with anomaly scores) of the individual rules - -# -# - 2: Critical - Anomaly Score of 5. -# Is the highest severity level possible without correlation. It is -# normally generated by the web attack rules (40 level files). -# - 3: Error - Anomaly Score of 4. -# Is generated mostly from outbound leakage rules (50 level files). -# - 4: Warning - Anomaly Score of 3. -# Is generated by malicious client rules (35 level files). -# - 5: Notice - Anomaly Score of 2. -# Is generated by the Protocol policy and anomaly files. -# -SecAction \ - "id:'900001', \ - phase:1, \ - t:none, \ - setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ - setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ - setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ - setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>, \ - nolog, \ - pass" - - -# -# -- [[ Collaborative Detection Scoring Initialization and Threshold Levels ]] ------------------------------ -# -# These variables are used in macro expansion in the 49 inbound blocking and 59 -# outbound blocking files. -# -# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric -# operators. If you have an earlier version, edit the 49/59 files directly to -# set the appropriate anomaly score levels. -# -# You should set the score level (rule 900003) to the proper threshold you -# would prefer. If set to "5" it will work similarly to previous Mod CRS rules -# and will create an event in the error_log file if there are any rules that -# match. If you would like to lessen the number of events generated in the -# error_log file, you should increase the anomaly score threshold to something -# like "20". This would only generate an event in the error_log file if there -# are multiple lower severity rule matches or if any 1 higher severity item matches. -# -SecAction \ - "id:'900002', \ - phase:1, \ - t:none, \ - setvar:tx.anomaly_score=0, \ - setvar:tx.sql_injection_score=0, \ - setvar:tx.xss_score=0, \ - setvar:tx.inbound_anomaly_score=0, \ - setvar:tx.outbound_anomaly_score=0, \ - nolog, \ - pass" - - -SecAction \ - "id:'900003', \ - phase:1, \ - t:none, \ - setvar:tx.inbound_anomaly_score_level=<%= @inbound_anomaly_threshold -%>, \ - setvar:tx.outbound_anomaly_score_level=<%= @outbound_anomaly_threshold -%>, \ - nolog, \ - pass" - - -# -# -- [[ Collaborative Detection Blocking ]] ----------------------------------------------- -# -# This is a collaborative detection mode where each rule will increment an overall -# anomaly score for the transaction. The scores are then evaluated in the following files: -# -# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file -# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file -# -# If you want to use anomaly scoring mode, then uncomment this line. -# -SecAction \ - "id:'900004', \ - phase:1, \ - t:none, \ - setvar:tx.anomaly_score_blocking=<%= @anomaly_score_blocking -%>, \ - nolog, \ - pass" - - -# -# -- [[ GeoIP Database ]] ----------------------------------------------------------------- -# -# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data. -# -# You must first download the MaxMind GeoIP Lite City DB - -# -# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz -# -# You then need to define the proper path for the SecGeoLookupDb directive -# -# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html -# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html -# -#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat - -# -# -- [[ Regression Testing Mode ]] -------------------------------------------------------- -# -# If you are going to run the regression testing mode, you should uncomment the -# following rule. It will enable DetectionOnly mode for the SecRuleEngine and -# will enable Response Header tagging so that the client testing script can see -# which rule IDs have matched. -# -# You must specify the your source IP address where you will be running the tests -# from. -# -#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ - "id:'900005', \ - phase:1, \ - t:none, \ - ctl:ruleEngine=DetectionOnly, \ - setvar:tx.regression_testing=1, \ - nolog, \ - pass" - - -# -# -- [[ HTTP Policy Settings ]] ---------------------------------------------------------- -# -# Set the following policy settings here and they will be propagated to the 23 rules -# file (modsecurity_common_23_request_limits.conf) by using macro expansion. -# If you run into false positives, you can adjust the settings here. -# -# Only the max number of args is uncommented by default as there are a high rate -# of false positives. Uncomment the items you wish to set. -# -# -# -- Maximum number of arguments in request limited -SecAction \ - "id:'900006', \ - phase:1, \ - t:none, \ - setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>, \ - nolog, \ - pass" - -# -# -- Limit argument name length -#SecAction \ - "id:'900007', \ - phase:1, \ - t:none, \ - setvar:tx.arg_name_length=100, \ - nolog, \ - pass" - -# -# -- Limit value name length -#SecAction \ - "id:'900008', \ - phase:1, \ - t:none, \ - setvar:tx.arg_length=400, \ - nolog, \ - pass" - -# -# -- Limit arguments total length -#SecAction \ - "id:'900009', \ - phase:1, \ - t:none, \ - setvar:tx.total_arg_length=64000, \ - nolog, \ - pass" - -# -# -- Individual file size is limited -#SecAction \ - "id:'900010', \ - phase:1, \ - t:none, \ - setvar:tx.max_file_size=1048576, \ - nolog, \ - pass" - -# -# -- Combined file size is limited -#SecAction \ - "id:'900011', \ - phase:1, \ - t:none, \ - setvar:tx.combined_file_sizes=1048576, \ - nolog, \ - pass" - - -# -# Set the following policy settings here and they will be propagated to the 30 rules -# file (modsecurity_crs_30_http_policy.conf) by using macro expansion. -# If you run into false positves, you can adjust the settings here. -# -SecAction \ - "id:'900012', \ - phase:1, \ - t:none, \ - setvar:'tx.allowed_methods=<%= @allowed_methods -%>', \ - setvar:'tx.allowed_request_content_type=<%= @content_types -%>', \ - setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ - setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>', \ - setvar:'tx.restricted_headers=<%= @restricted_headers -%>', \ - nolog, \ - pass" - - -# -# -- [[ Content Security Policy (CSP) Settings ]] ----------------------------------------- -# -# The purpose of these settings is to send CSP response headers to -# Mozilla FireFox users so that you can enforce how dynamic content -# is used. CSP usage helps to prevent XSS attacks against your users. -# -# Reference Link: -# -# https://developer.mozilla.org/en/Security/CSP -# -# Uncomment this SecAction line if you want use CSP enforcement. -# You need to set the appropriate directives and settings for your site/domain and -# and activate the CSP file in the experimental_rules directory. -# -# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html -# -#SecAction \ - "id:'900013', \ - phase:1, \ - t:none, \ - setvar:tx.csp_report_only=1, \ - setvar:tx.csp_report_uri=/csp_violation_report, \ - setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ - nolog, \ - pass" - - -# -# -- [[ Brute Force Protection ]] --------------------------------------------------------- -# -# If you are using the Brute Force Protection rule set, then uncomment the following -# lines and set the following variables: -# - Protected URLs: resources to protect (e.g. login pages) - set to your login page -# - Burst Time Slice Interval: time interval window to monitor for bursts -# - Request Threshold: request # threshold to trigger a burst -# - Block Period: temporary block timeout -# -#SecAction \ - "id:'900014', \ - phase:1, \ - t:none, \ - setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \ - setvar:'tx.brute_force_burst_time_slice=60', \ - setvar:'tx.brute_force_counter_threshold=10', \ - setvar:'tx.brute_force_block_timeout=300', \ - nolog, \ - pass" - - -# -# -- [[ DoS Protection ]] ---------------------------------------------------------------- -# -# If you are using the DoS Protection rule set, then uncomment the following -# lines and set the following variables: -# - Burst Time Slice Interval: time interval window to monitor for bursts -# - Request Threshold: request # threshold to trigger a burst -# - Block Period: temporary block timeout -# -SecAction \ - "id:'900015', \ - phase:1, \ - t:none, \ - setvar:'tx.dos_burst_time_slice=60', \ - setvar:'tx.dos_counter_threshold=100', \ - setvar:'tx.dos_block_timeout=600', \ - nolog, \ - pass" - - -# -# -- [[ Check UTF enconding ]] ----------------------------------------------------------- -# -# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise -# it will result in false positives. -# -# Uncomment this line if your site uses UTF8 encoding -#SecAction \ - "id:'900016', \ - phase:1, \ - t:none, \ - setvar:tx.crs_validate_utf8_encoding=1, \ - nolog, \ - pass" - - -# -# -- [[ Enable XML Body Parsing ]] ------------------------------------------------------- -# -# The rules in this file will trigger the XML parser upon an XML request -# -# Initiate XML Processor in case of xml content-type -# -SecRule REQUEST_HEADERS:Content-Type "text/xml" \ - "id:'900017', \ - phase:1, \ - t:none,t:lowercase, \ - nolog, \ - pass, \ - chain" - SecRule REQBODY_PROCESSOR "!@streq XML" \ - "ctl:requestBodyProcessor=XML" - - -# -# -- [[ Global and IP Collections ]] ----------------------------------------------------- -# -# Create both Global and IP collections for rules to use -# There are some CRS rules that assume that these two collections -# have already been initiated. -# -SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ - "id:'900018', \ - phase:1, \ - t:none,t:sha1,t:hexEncode, \ - setvar:tx.ua_hash=%{matched_var}, \ - nolog, \ - pass" - - -SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \ - "id:'900019', \ - phase:1, \ - t:none, \ - capture, \ - setvar:tx.real_ip=%{tx.1}, \ - nolog, \ - pass" - - -SecRule &TX:REAL_IP "!@eq 0" \ - "id:'900020', \ - phase:1, \ - t:none, \ - initcol:global=global, \ - initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ - nolog, \ - pass" - - -SecRule &TX:REAL_IP "@eq 0" \ - "id:'900021', \ - phase:1, \ - t:none, \ - initcol:global=global, \ - initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ - setvar:tx.real_ip=%{remote_addr}, \ - nolog, \ - pass" -<% else -%> -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.2 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - - -# -# -- [[ Introduction ]] -------------------------------------------------------- -# -# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack -# detection rules that provide a base level of protection for any web -# application. They are written for the open source, cross-platform -# ModSecurity Web Application Firewall. -# -# See also: -# https://coreruleset.org/ -# https://github.com/SpiderLabs/owasp-modsecurity-crs -# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project -# - - -# -# -- [[ System Requirements ]] ------------------------------------------------- -# -# CRS requires ModSecurity version 2.8.0 or above. -# We recommend to always use the newest ModSecurity version. -# -# The configuration directives/settings in this file are used to control -# the OWASP ModSecurity CRS. These settings do **NOT** configure the main -# ModSecurity settings (modsecurity.conf) such as SecRuleEngine, -# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. -# -# The CRS assumes that modsecurity.conf has been loaded. It is bundled with -# ModSecurity. If you don't have it, you can get it from: -# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended -# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -# -# The order of file inclusion in your webserver configuration should always be: -# 1. modsecurity.conf -# 2. crs-setup.conf (this file) -# 3. rules/*.conf (the CRS rule files) -# -# Please refer to the INSTALL file for detailed installation instructions. -# - - -# -# -- [[ Mode of Operation: Anomaly Scoring vs. Self-Contained ]] --------------- -# -# The CRS can run in two modes: -# -# -- [[ Anomaly Scoring Mode (default) ]] -- -# In CRS3, anomaly mode is the default and recommended mode, since it gives the -# most accurate log information and offers the most flexibility in setting your -# blocking policies. It is also called "collaborative detection mode". -# In this mode, each matching rule increases an 'anomaly score'. -# At the conclusion of the inbound rules, and again at the conclusion of the -# outbound rules, the anomaly score is checked, and the blocking evaluation -# rules apply a disruptive action, by default returning an error 403. -# -# -- [[ Self-Contained Mode ]] -- -# In this mode, rules apply an action instantly. This was the CRS2 default. -# It can lower resource usage, at the cost of less flexibility in blocking policy -# and less informative audit logs (only the first detected threat is logged). -# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). -# The first rule that matches will execute this action. In most cases this will -# cause evaluation to stop after the first rule has matched, similar to how many -# IDSs function. -# -# -- [[ Alert Logging Control ]] -- -# In the mode configuration, you must also adjust the desired logging options. -# There are three common options for dealing with logging. By default CRS enables -# logging to the webserver error log (or Event viewer) plus detailed logging to -# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). -# -# - To log to both error log and ModSecurity audit log file, use: "log,auditlog" -# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" -# - To log *only* to the error log file, use: "log,noauditlog" -# -# Examples for the various modes follow. -# You must leave one of the following options enabled. -# Note that you must specify the same line for phase:1 and phase:2. -# - -# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log -# - By default, offending requests are blocked with an error 403 response. -# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example -# and review section 'Changing the Disruptive Action for Anomaly Mode'. -# - In Apache, you can use ErrorDocument to show a friendly error page or -# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html -# -# SecDefaultAction "phase:1,log,auditlog,pass" -# SecDefaultAction "phase:2,log,auditlog,pass" - -# Example: Anomaly Scoring mode, log only to ModSecurity audit log -# - By default, offending requests are blocked with an error 403 response. -# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example -# and review section 'Changing the Disruptive Action for Anomaly Mode'. -# - In Apache, you can use ErrorDocument to show a friendly error page or -# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html -# -# SecDefaultAction "phase:1,nolog,auditlog,pass" -# SecDefaultAction "phase:2,nolog,auditlog,pass" - -# Example: Self-contained mode, return error 403 on blocking -# - In this configuration the default disruptive action becomes 'deny'. After a -# rule triggers, it will stop processing the request and return an error 403. -# - You can also use a different error status, such as 404, 406, et cetera. -# - In Apache, you can use ErrorDocument to show a friendly error page or -# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html -# -# SecDefaultAction "phase:1,log,auditlog,deny,status:403" -# SecDefaultAction "phase:2,log,auditlog,deny,status:403" - -# Example: Self-contained mode, redirect back to homepage on blocking -# - In this configuration the 'tag' action includes the Host header data in the -# log. This helps to identify which virtual host triggered the rule (if any). -# - Note that this might cause redirect loops in some situations; for example -# if a Cookie or User-Agent header is blocked, it will also be blocked when -# the client subsequently tries to access the homepage. You can also redirect -# to another custom URL. -# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" -# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" - -SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" -SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" - -# -# -- [[ Paranoia Level Initialization ]] --------------------------------------- -# -# The Paranoia Level (PL) setting allows you to choose the desired level -# of rule checks that will add to your anomaly scores. -# -# With each paranoia level increase, the CRS enables additional rules -# giving you a higher level of security. However, higher paranoia levels -# also increase the possibility of blocking some legitimate traffic due to -# false alarms (also named false positives or FPs). If you use higher -# paranoia levels, it is likely that you will need to add some exclusion -# rules for certain requests and applications receiving complex input. -# -# - A paranoia level of 1 is default. In this level, most core rules -# are enabled. PL1 is advised for beginners, installations -# covering many different sites and applications, and for setups -# with standard security requirements. -# At PL1 you should face FPs rarely. If you encounter FPs, please -# open an issue on the CRS GitHub site and don't forget to attach your -# complete Audit Log record for the request with the issue. -# - Paranoia level 2 includes many extra rules, for instance enabling -# many regexp-based SQL and XSS injection protections, and adding -# extra keywords checked for code injections. PL2 is advised -# for moderate to experienced users desiring more complete coverage -# and for installations with elevated security requirements. -# PL2 comes with some FPs which you need to handle. -# - Paranoia level 3 enables more rules and keyword lists, and tweaks -# limits on special characters used. PL3 is aimed at users experienced -# at the handling of FPs and at installations with a high security -# requirement. -# - Paranoia level 4 further restricts special characters. -# The highest level is advised for experienced users protecting -# installations with very high security requirements. Running PL4 will -# likely produce a very high number of FPs which have to be -# treated before the site can go productive. -# -# All rules will log their PL to the audit log; -# example: [tag "paranoia-level/2"]. This allows you to deduct from the -# audit log how the WAF behavior is affected by paranoia level. -# -# It is important to also look into the variable -# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) -# defined below. Enabling it closes a possible bypass of CRS. -# -# Uncomment this rule to change the default: -# -SecAction \ - "id:900000,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.paranoia_level=<%= @paranoia_level -%>" - - -# It is possible to execute rules from a higher paranoia level but not include -# them in the anomaly scoring. This allows you to take a well-tuned system on -# paranoia level 1 and add rules from paranoia level 2 without having to fear -# the new rules would lead to false positives that raise your score above the -# threshold. -# This optional feature is enabled by uncommenting the following rule and -# setting the tx.executing_paranoia_level. -# Technically, rules up to the level defined in tx.executing_paranoia_level -# will be executed, but only the rules up to tx.paranoia_level affect the -# anomaly scores. -# By default, tx.executing_paranoia_level is set to tx.paranoia_level. -# tx.executing_paranoia_level must not be lower than tx.paranoia_level. -# -# Please notice that setting tx.executing_paranoia_level to a higher paranoia -# level results in a performance impact that is equally high as setting -# tx.paranoia_level to said level. -# -SecAction \ - "id:900001,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.executing_paranoia_level=<%= @executing_paranoia_level -%>" - - -# -# -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- -# -# ModSecurity selects the body processor based on the Content-Type request -# header. But clients are not always setting the Content-Type header for their -# request body payloads. This will leave ModSecurity with limited vision into -# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the -# URLENCODED body processor in these situations. This is off by default, as it -# implies a change of the behaviour of ModSecurity beyond CRS (the body -# processor applies to all rules, not only CRS) and because it may lead to -# false positives already on paranoia level 1. However, enabling this variable -# closes a possible bypass of CRS so it should be considered. -# -# Uncomment this rule to change the default: -# -#SecAction \ -# "id:900010,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.enforce_bodyproc_urlencoded=1" - - -# -# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- -# -# Each rule in the CRS has an associated severity level. -# These are the default scoring points for each severity level. -# These settings will be used to increment the anomaly score if a rule matches. -# You may adjust these points to your liking, but this is usually not needed. -# -# - CRITICAL severity: Anomaly Score of 5. -# Mostly generated by the application attack rules (93x and 94x files). -# - ERROR severity: Anomaly Score of 4. -# Generated mostly from outbound leakage rules (95x files). -# - WARNING severity: Anomaly Score of 3. -# Generated mostly by malicious client rules (91x files). -# - NOTICE severity: Anomaly Score of 2. -# Generated mostly by the protocol rules (92x files). -# -# In anomaly mode, these scores are cumulative. -# So it's possible for a request to hit multiple rules. -# -# (Note: In this file, we use 'phase:1' to set CRS configuration variables. -# In general, 'phase:request' is used. However, we want to make absolutely sure -# that all configuration variables are set before the CRS rules are processed.) -# -SecAction \ - "id:900100,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ - setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ - setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ - setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>" - - -# -# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ -# -# Here, you can specify at which cumulative anomaly score an inbound request, -# or outbound response, gets blocked. -# -# Most detected inbound threats will give a critical score of 5. -# Smaller violations, like violations of protocol/standards, carry lower scores. -# -# [ At default value ] -# If you keep the blocking thresholds at the defaults, the CRS will work -# similarly to previous CRS versions: a single critical rule match will cause -# the request to be blocked and logged. -# -# [ Using higher values ] -# If you want to make the CRS less sensitive, you can increase the blocking -# thresholds, for instance to 7 (which would require multiple rule matches -# before blocking) or 10 (which would require at least two critical alerts - or -# a combination of many lesser alerts), or even higher. However, increasing the -# thresholds might cause some attacks to bypass the CRS rules or your policies. -# -# [ New deployment strategy: Starting high and decreasing ] -# It is a common practice to start a fresh CRS installation with elevated -# anomaly scoring thresholds (>100) and then lower the limits as your -# confidence in the setup grows. You may also look into the Sampling -# Percentage section below for a different strategy to ease into a new -# CRS installation. -# -# [ Anomaly Threshold / Paranoia Level Quadrant ] -# -# High Anomaly Limit | High Anomaly Limit -# Low Paranoia Level | High Paranoia Level -# -> Fresh Site | -> Experimental Site -# ------------------------------------------------------ -# Low Anomaly Limit | Low Anomaly Limit -# Low Paranoia Level | High Paranoia Level -# -> Standard Site | -> High Security Site -# -# Uncomment this rule to change the defaults: -# -SecAction \ - "id:900110,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.inbound_anomaly_score_threshold=<%= @inbound_anomaly_threshold -%>, \ - setvar:tx.outbound_anomaly_score_threshold=<%= @outbound_anomaly_threshold -%>" - -# -# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- -# -# Some well-known applications may undertake actions that appear to be -# malicious. This includes actions such as allowing HTML or Javascript within -# parameters. In such cases the CRS aims to prevent false positives by allowing -# administrators to enable prebuilt, application specific exclusions on an -# application by application basis. -# These application specific exclusions are distinct from the rules that would -# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as -# they are prebuilt for specific applications. The 'REQUEST-900' file is -# designed for users to add their own custom exclusions. Note, using these -# application specific exclusions may loosen restrictions of the CRS, -# especially if used with an application they weren't designed for. As a result -# they should be applied with care. -# To use this functionality you must specify a supported application. To do so -# uncomment rule 900130. In addition to uncommenting the rule you will need to -# specify which application(s) you'd like to enable exclusions for. Only a -# (very) limited set of applications are currently supported, please use the -# filenames prefixed with 'REQUEST-903' to guide you in your selection. -# Such filenames use the following convention: -# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf -# -# It is recommended if you run multiple web applications on your site to limit -# the effects of the exclusion to only the path where the excluded webapp -# resides using a rule similar to the following example: -# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1 - -# -# Modify and uncomment this rule to select which application: -# -#SecAction \ -# "id:900130,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.crs_exclusions_cpanel=1,\ -# setvar:tx.crs_exclusions_drupal=1,\ -# setvar:tx.crs_exclusions_dokuwiki=1,\ -# setvar:tx.crs_exclusions_nextcloud=1,\ -# setvar:tx.crs_exclusions_wordpress=1,\ -# setvar:tx.crs_exclusions_xenforo=1" - -# -# -- [[ HTTP Policy Settings ]] ------------------------------------------------ -# -# This section defines your policies for the HTTP protocol, such as: -# - allowed HTTP versions, HTTP methods, allowed request Content-Types -# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy) -# -# These variables are used in the following rule files: -# - REQUEST-911-METHOD-ENFORCEMENT.conf -# - REQUEST-912-DOS-PROTECTION.conf -# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf - -# HTTP methods that a client is allowed to use. -# Default: GET HEAD POST OPTIONS -# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE -# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK -# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK -# Uncomment this rule to change the default. -SecAction \ - "id:900200,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:'tx.allowed_methods=<%= @allowed_methods -%>'" - -# Content-Types that a client is allowed to send in a request. -# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| -# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| -# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| -# |application/csp-report| |application/xss-auditor-report| |text/plain| -# Uncomment this rule to change the default. -SecAction \ - "id:900220,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:'tx.allowed_request_content_type=<%= @content_types -%>'" - -# Allowed HTTP versions. -# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 -# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 -# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so -# we include both version strings by default. -# Uncomment this rule to change the default. -#SecAction \ -# "id:900230,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'" - -# Forbidden file extensions. -# Guards against unintended exposure of development/configuration files. -# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/ -# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/ -# Uncomment this rule to change the default. -SecAction \ - "id:900240,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>'" - -# Forbidden request headers. -# Header names should be lowercase, enclosed by /slashes/ as delimiters. -# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org -# Default: /proxy/ /lock-token/ /content-range/ /if/ -# Uncomment this rule to change the default. -SecAction \ - "id:900250,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:'tx.restricted_headers=<%= @restricted_headers -%>'" - -# File extensions considered static files. -# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters. -# Used in DoS protection rule. See section "Anti-Automation / DoS Protection". -# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/ -# Uncomment this rule to change the default. -#SecAction \ -# "id:900260,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'" - -# Content-Types charsets that a client is allowed to send in a request. -# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252 -# Uncomment this rule to change the default. -# Use "|" to separate multiple charsets like in the rule defining -# tx.allowed_request_content_type. -#SecAction \ -# "id:900280,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'" - -# -# -- [[ HTTP Argument/Upload Limits ]] ----------------------------------------- -# -# Here you can define optional limits on HTTP get/post parameters and uploads. -# This can help to prevent application specific DoS attacks. -# -# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf. -# Beware of blocking legitimate traffic when enabling these limits. -# - -# Block request if number of arguments is too high -# Default: unlimited -# Example: 255 -# Uncomment this rule to set a limit. -SecAction \ - "id:900300,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>" - -# Block request if the length of any argument name is too high -# Default: unlimited -# Example: 100 -# Uncomment this rule to set a limit. -#SecAction \ -# "id:900310,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.arg_name_length=100" - -# Block request if the length of any argument value is too high -# Default: unlimited -# Example: 400 -# Uncomment this rule to set a limit. -#SecAction \ -# "id:900320,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.arg_length=400" - -# Block request if the total length of all combined arguments is too high -# Default: unlimited -# Example: 64000 -# Uncomment this rule to set a limit. -#SecAction \ -# "id:900330,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.total_arg_length=64000" - -# Block request if the file size of any individual uploaded file is too high -# Default: unlimited -# Example: 1048576 -# Uncomment this rule to set a limit. -#SecAction \ -# "id:900340,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.max_file_size=1048576" - -# Block request if the total size of all combined uploaded files is too high -# Default: unlimited -# Example: 1048576 -# Uncomment this rule to set a limit. -#SecAction \ -# "id:900350,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.combined_file_sizes=1048576" - - -# -# -- [[ Easing In / Sampling Percentage ]] ------------------------------------- -# -# Adding the Core Rule Set to an existing productive site can lead to false -# positives, unexpected performance issues and other undesired side effects. -# -# It can be beneficial to test the water first by enabling the CRS for a -# limited number of requests only and then, when you have solved the issues (if -# any) and you have confidence in the setup, to raise the ratio of requests -# being sent into the ruleset. -# -# Adjust the percentage of requests that are funnelled into the Core Rules by -# setting TX.sampling_percentage below. The default is 100, meaning that every -# request gets checked by the CRS. The selection of requests, which are going -# to be checked, is based on a pseudo random number generated by ModSecurity. -# -# If a request is allowed to pass without being checked by the CRS, there is no -# entry in the audit log (for performance reasons), but an error log entry is -# written. If you want to disable the error log entry, then issue the -# following directive somewhere after the inclusion of the CRS -# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf). -# -# SecRuleUpdateActionById 901150 "nolog" -# -# ATTENTION: If this TX.sampling_percentage is below 100, then some of the -# requests will bypass the Core Rules completely and you lose the ability to -# protect your service with ModSecurity. -# -# Uncomment this rule to enable this feature: -# -#SecAction "id:900400,\ -# phase:1,\ -# pass,\ -# nolog,\ -# setvar:tx.sampling_percentage=100" - - -# -# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------ -# -# Optionally, you can check the client IP address against the Project Honey Pot -# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a -# free API key. Set it here with SecHttpBlKey. -# -# Project Honeypot returns multiple different malicious IP types. -# You may specify which you want to block by enabling or disabling them below. -# -# Ref: https://www.projecthoneypot.org/httpbl.php -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey -# -# Uncomment these rules to use this feature: -# -#SecHttpBlKey XXXXXXXXXXXXXXXXX -#SecAction "id:900500,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.block_search_ip=1,\ -# setvar:tx.block_suspicious_ip=1,\ -# setvar:tx.block_harvester_ip=1,\ -# setvar:tx.block_spammer_ip=1" - - -# -# -- [[ GeoIP Database ]] ------------------------------------------------------ -# -# There are some rulesets that inspect geolocation data of the client IP address -# (geoLookup). The CRS uses geoLookup to implement optional country blocking. -# -# To use geolocation, we make use of the MaxMind GeoIP database. -# This database is not included with the CRS and must be downloaded. -# -# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files), -# and ModSecurity v3 uses GeoLite2 (.mmdb files). -# -# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files, -# see https://github.com/maxmind/geoipupdate. -# -# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/ -# for configuration options. -# -# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore. -# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info. -# -# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files -# from CSV files first. -# -# You can achieve this using https://github.com/sherpya/geolite2legacy -# Pick the zip files from maxmind site: -# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip -# -# Follow the guidelines for installing the tool and run: -# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \ -# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat -# -# Update the database regularly, see Step 3 of the configuration link above. -# -# By default, when you execute `sudo geoipupdate` on Linux, files from the free database -# will be downloaded to `/usr/share/GeoIP` (both v1 and v2). -# -# Then choose from: -# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3) -# - `GeoLiteCountry.dat` (if you are using ModSecurity v2) -# -# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html -# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html -# -# Uncomment only one of the next rules here to use this feature. -# Choose the one depending on the ModSecurity version you are using, and change the path accordingly: -# -# For ModSecurity v3: -#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb -# For ModSecurity v2 (points to the converted one): -#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat - -# -# -=[ Block Countries ]=- -# -# Rules in the IP Reputation file can check the client against a list of high -# risk country codes. These countries have to be defined in the variable -# tx.high_risk_country_codes via their ISO 3166 two-letter country code: -# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements -# -# If you are sure that you are not getting any legitimate requests from a given -# country, then you can disable all access from that country via this variable. -# The rule performing the test has the rule id 910100. -# -# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be -# downloaded (see the section "GeoIP Database" above.) -# -# By default, the list is empty. A list used by some sites was the following: -# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'" -# -# Uncomment this rule to use this feature: -# -#SecAction \ -# "id:900600,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:'tx.high_risk_country_codes='" - - -# -# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------ -# -# Optional DoS protection against clients making requests too quickly. -# -# When a client is making more than 100 requests (excluding static files) within -# 60 seconds, this is considered a 'burst'. After two bursts, the client is -# blocked for 600 seconds. -# -# Requests to static files are not counted towards DoS; they are listed in the -# 'tx.static_extensions' setting, which you can change in this file (see -# section "HTTP Policy Settings"). -# -# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf. -# -# Uncomment this rule to use this feature: -# -<% if @enable_dos_protection -%> -SecAction \ - "id:900700,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:'tx.dos_burst_time_slice=<%= @dos_burst_time_slice %>',\ - setvar:'tx.dos_counter_threshold=<%= @dos_counter_threshold %>',\ - setvar:'tx.dos_block_timeout=<%= @dos_block_timeout %>'" -<% end -%> - -# -# -- [[ Check UTF-8 encoding ]] ------------------------------------------------ -# -# The CRS can optionally check request contents for invalid UTF-8 encoding. -# We only want to apply this check if UTF-8 encoding is actually used by the -# site; otherwise it will result in false positives. -# -# Uncomment this rule to use this feature: -# -#SecAction \ -# "id:900950,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.crs_validate_utf8_encoding=1" - - -# -# -- [[ Blocking Based on IP Reputation ]] ------------------------------------ -# -# Blocking based on reputation is permanent in the CRS. Unlike other rules, -# which look at the individual request, the blocking of IPs is based on -# a persistent record in the IP collection, which remains active for a -# certain amount of time. -# -# There are two ways an individual client can become flagged for blocking: -# - External information (RBL, GeoIP, etc.) -# - Internal information (Core Rules) -# -# The record in the IP collection carries a flag, which tags requests from -# individual clients with a flag named IP.reput_block_flag. -# But the flag alone is not enough to have a client blocked. There is also -# a global switch named tx.do_reput_block. This is off by default. If you set -# it to 1 (=On), requests from clients with the IP.reput_block_flag will -# be blocked for a certain duration. -# -# Variables -# ip.reput_block_flag Blocking flag for the IP collection record -# ip.reput_block_reason Reason (= rule message) that caused to blocking flag -# tx.do_reput_block Switch deciding if we really block based on flag -# tx.reput_block_duration Setting to define the duration of a block -# -# It may be important to know, that all the other core rules are skipped for -# requests, when it is clear that they carry the blocking flag in question. -# -# Uncomment this rule to use this feature: -# -#SecAction \ -# "id:900960,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.do_reput_block=1" -# -# Uncomment this rule to change the blocking time: -# Default: 300 (5 minutes) -# -#SecAction \ -# "id:900970,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.reput_block_duration=300" - - -# -# -- [[ Collection timeout ]] -------------------------------------------------- -# -# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour) -# to a lower setting which is appropriate to most sites. -# This increases performance by cleaning out stale collection (block) entries. -# -# This value should be greater than or equal to: -# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and -# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection"). -# -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout - -# Please keep this directive uncommented. -# Default: 600 (10 minutes) -SecCollectionTimeout 600 - - -# -# -- [[ End of setup ]] -------------------------------------------------------- -# -# The CRS checks the tx.crs_setup_version variable to ensure that the setup -# has been loaded. If you are not planning to use this setup template, -# you must manually set the tx.crs_setup_version variable before including -# the CRS rules/* files. -# -# The variable is a numerical representation of the CRS version number. -# E.g., v3.0.0 is represented as 300. -# -SecAction \ - "id:900990,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.crs_setup_version=332" -<% end -%> - diff --git a/templates/mod/status.conf.epp b/templates/mod/status.conf.epp index b7031956ed..50e440b8cf 100644 --- a/templates/mod/status.conf.epp +++ b/templates/mod/status.conf.epp @@ -1,10 +1,6 @@ > SetHandler server-status - <%# From Puppet 4.2 up, replace: -%> - <%# "scope.function_template(["apache/mod/