From ae3632a356fbaed0c4ffe75b6fa726ad52fb5f32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Sun, 5 May 2024 07:32:34 -1000 Subject: [PATCH 1/8] Add missing line breaks This code section is weird. My guess is someone unexpectedly pressed `J` in vi and joined multiple lines. --- spec/acceptance/vhost_spec.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/spec/acceptance/vhost_spec.rb b/spec/acceptance/vhost_spec.rb index 0152d5b7f..197e08092 100644 --- a/spec/acceptance/vhost_spec.rb +++ b/spec/acceptance/vhost_spec.rb @@ -1155,10 +1155,12 @@ class { 'apache': } { rewrite_rule => [ '^index\\.php$ - [L]' ] }, { rewrite_cond => [ '%{REQUEST_FILENAME} !-f', - '%{REQUEST_FILENAME} !-d', ], rewrite_rule => [ '. /index.php [L]' ], } + '%{REQUEST_FILENAME} !-d', ], + rewrite_rule => [ '. /index.php [L]' ], + } ], }, - ], + ], } MANIFEST it 'applies cleanly' do From b2b0350e8710bb4f0a55a8313af59d4ec60a0323 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Fri, 3 May 2024 10:57:49 -1000 Subject: [PATCH 2/8] Remove unused file --- spec/fixtures/templates/negotiation.conf.erb | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 spec/fixtures/templates/negotiation.conf.erb diff --git a/spec/fixtures/templates/negotiation.conf.erb b/spec/fixtures/templates/negotiation.conf.erb deleted file mode 100644 index 557502246..000000000 --- a/spec/fixtures/templates/negotiation.conf.erb +++ /dev/null @@ -1,4 +0,0 @@ -# This is a template only for spec testing - -LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW -ForceLanguagePriority Prefer Fallback From e3320a5641e282b24f3145ffaee4ad097e92f725 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Fri, 3 May 2024 16:59:09 -1000
Subject: [PATCH 3/8] Fix apache::vhost::error_documents data type
The template in templates/vhost/_error_document.erb is only functionnal if we pass an array of hashes. This is going to be simplified in a future commit so only accept values that produce working configuration and reject configuration that is invalid and ignored.
---
 manifests/vhost.pp | 2 +-
 spec/defines/vhost_spec.rb | 7 ++++++-
 types/errordocument.pp | 5 +++++
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 types/errordocument.pp
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 7414a6f16..5f73f442d 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -1798,7 +1798,7 @@
 Optional[Variant[String, Boolean]] $modsec_audit_log = undef,
 Optional[String] $modsec_audit_log_file = undef,
 Optional[String] $modsec_audit_log_pipe = undef,
- Variant[Array[Hash], String] $error_documents = [],
+ Array[Apache::Errordocument] $error_documents = [],
 Optional[Variant[Stdlib::Absolutepath, Enum['disabled']]] $fallbackresource = undef,
 Optional[String] $scriptalias = undef,
 Optional[Integer] $limitreqfieldsize = undef,
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
index f448b8ca5..1bcea27ad 100644
--- a/spec/defines/vhost_spec.rb
+++ b/spec/defines/vhost_spec.rb
@@ -340,7 +340,12 @@
 'error_log_file' => 'httpd_error_log',
 'error_log_syslog' => true,
 'error_log_format' => ['[%t] [%l] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i'],
- 'error_documents' => 'true',
+ 'error_documents' => [
+ {
+ 'error_code' => '500',
+ 'document' => '/server-error.html',
+ },
+ ],
 'fallbackresource' => '/index.php',
 'scriptalias' => '/usr/lib/cgi-bin',
 'limitreqfieldsize' => 8190,
diff --git a/types/errordocument.pp b/types/errordocument.pp
new file mode 100644
index 000000000..ca3ef689f
--- /dev/null
+++ b/types/errordocument.pp
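Review bot: Tightening the type to `Array[Apache::Errordocument]` turns a previously accepted string such as the `'true'` the spec used into a compile-time type error, and the `@param error_documents` documentation, which is outside this hunk, should describe the shape the type now requires so that error is actionable. A sentence such as `Array of hashes, each with an 'error_code' key (400-599, as an integer or a three-character string) and a 'document' key; a bare string is no longer accepted.` would do. The parameter list of apache::vhost starts and ends outside the hunk.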
@@ -0,0 +1,5 @@ +# @summary A mapping for an error code and a document +type Apache::Errordocument = Struct[ + error_code => Variant[String[3, 3], Integer[400, 599]], + document => String[1], +] From ce290225223d0fb72866e57e72ff9e3852dc6eb4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Sun, 5 May 2024 07:15:40 -1000 Subject: [PATCH 4/8] Make sure we still support ERB templates when provided `apache::mod::php` allows to pass an ERB template, switching the default template to EPP will require us to change the default value of the `template` parameter which is generally a breaking change. Users who rely on this parameter to provide a custom template are currently using an ERB template, so we must preserve the legacy behavior for them, and detect if the template should be processed as ERB or EPP. For this purpose, we check the file extension in a conservative way (any template whose filename does not end with `.epp` is assumbed to be an ERB template). As a result, this change is backwards-compatible for end-users. --- manifests/mod/php.pp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/manifests/mod/php.pp b/manifests/mod/php.pp index 2d10e02b4..404af0555 100644 --- a/manifests/mod/php.pp +++ b/manifests/mod/php.pp @@ -71,7 +71,10 @@ $manage_content = $source ? { undef => $content ? { - undef => template($template), + undef => $template ? { + /\.epp\z/ => epp($template, { 'extensions' => $extensions }), + default => template($template), + }, default => $content, }, default => undef, From adb5b1a82faca05bed3a514047815903df2d8bf3 Mon Sep 17 00:00:00 2001 
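Review bot: `error_code => Variant[String[3, 3], Integer[400, 599]]` restricts the integer form to 400-599 but the string form only to three characters, so `'200'` or `'abc'` pass the type check and are caught, if at all, only when Apache parses the generated file, which is the invalid configuration the commit message says the type is meant to reject. A pattern keeps the two forms consistent: `error_code => Variant[Pattern[/\A[45]\d{2}\z/], Integer[400, 599]],`. `document => String[1]` is a reasonable non-empty check; how the value is rendered is decided by the template, which is not in this hunk.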
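Review bot: The new `.epp` branch renders the template with only `{ 'extensions' => $extensions }`, while the `default` branch's `template($template)` still exposes every variable of the class scope, so a user-supplied EPP template that reads anything else (`$php_version`, `$path`) fails at compile time where its ERB counterpart worked; the `@param template` documentation, which is outside this hunk, should state both the suffix-based detection and the single parameter passed. Suggested doc line: `# A template name ending in .epp is rendered with epp() and receives only the 'extensions' parameter; any other name is rendered with template() and sees the class scope.` The `$manage_content` selector's closing brace is outside the hunk.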
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?= Date: Fri, 3 May 2024 20:48:39 -1000 Subject: [PATCH 5/8] Switch last templates to EPP A lot of work was done to convert the module templates from ERB to EPP, but a few templates were still to be converted. Along with various benefits, EPP templates offer better detection for access to undefined variables. This refactoring therefore fixes a few issues that were reported while converting. Also a bunch of outdated comments about which template uses which variable were removed now that this usage is explicit. The extensive test suite helped ensure the conversion was not introducing regressions. --- manifests/mod/php.pp | 6 +- manifests/mod/security.pp | 57 +- manifests/mod/status.pp | 9 +- manifests/vhost.pp | 178 +-- manifests/vhost/proxy.pp | 18 +- spec/classes/mod/php_spec.rb | 2 +- templates/fastcgi/server.erb | 22 - templates/mod/_require.epp | 4 +- templates/mod/_require.erb | 33 - templates/mod/{php.conf.erb => php.conf.epp} | 2 +- templates/mod/security_crs.conf.erb | 1271 ------------------ templates/mod/status.conf.epp | 6 +- templates/mod/status.conf.erb | 14 - templates/vhost/_access_log.epp | 29 + templates/vhost/_access_log.erb | 21 - templates/vhost/_additional_includes.epp | 9 + templates/vhost/_additional_includes.erb | 9 - templates/vhost/{_block.erb => _block.epp} | 8 +- templates/vhost/_directories.epp | 559 ++++++++ templates/vhost/_directories.erb | 561 -------- templates/vhost/_error_document.epp | 3 + templates/vhost/_error_document.erb | 7 - templates/vhost/_php.epp | 16 + templates/vhost/_php.erb | 16 - templates/vhost/_php_admin.epp | 12 + templates/vhost/_php_admin.erb | 12 - templates/vhost/_proxy.epp | 90 ++ templates/vhost/_proxy.erb | 90 -- templates/vhost/_redirect.epp | 35 + templates/vhost/_redirect.erb | 35 - templates/vhost/_require.epp | 22 + templates/vhost/_require.erb | 24 - templates/vhost/_rewrite.epp | 47 + templates/vhost/_rewrite.erb | 51 - templates/vhost/_scriptalias.erb | 2 - 
templates/vhost/_setenv.epp | 17 + templates/vhost/_setenv.erb | 17 - templates/vhost/_ssl.epp | 68 + templates/vhost/_ssl.erb | 68 - 39 files changed, 1051 insertions(+), 2399 deletions(-) delete mode 100644 templates/fastcgi/server.erb delete mode 100644 templates/mod/_require.erb rename templates/mod/{php.conf.erb => php.conf.epp} (84%) delete mode 100644 templates/mod/security_crs.conf.erb delete mode 100644 templates/mod/status.conf.erb create mode 100644 templates/vhost/_access_log.epp delete mode 100644 templates/vhost/_access_log.erb create mode 100644 templates/vhost/_additional_includes.epp delete mode 100644 templates/vhost/_additional_includes.erb rename templates/vhost/{_block.erb => _block.epp} (63%) create mode 100644 templates/vhost/_directories.epp delete mode 100644 templates/vhost/_directories.erb create mode 100644 templates/vhost/_error_document.epp delete mode 100644 templates/vhost/_error_document.erb create mode 100644 templates/vhost/_php.epp delete mode 100644 templates/vhost/_php.erb create mode 100644 templates/vhost/_php_admin.epp delete mode 100644 templates/vhost/_php_admin.erb create mode 100644 templates/vhost/_proxy.epp delete mode 100644 templates/vhost/_proxy.erb create mode 100644 templates/vhost/_redirect.epp delete mode 100644 templates/vhost/_redirect.erb create mode 100644 templates/vhost/_require.epp delete mode 100644 templates/vhost/_require.erb create mode 100644 templates/vhost/_rewrite.epp delete mode 100644 templates/vhost/_rewrite.erb delete mode 100644 templates/vhost/_scriptalias.erb create mode 100644 templates/vhost/_setenv.epp delete mode 100644 templates/vhost/_setenv.erb create mode 100644 templates/vhost/_ssl.epp delete mode 100644 templates/vhost/_ssl.erb diff --git a/manifests/mod/php.pp b/manifests/mod/php.pp index 404af0555..37ed59e48 100644 --- a/manifests/mod/php.pp +++ b/manifests/mod/php.pp 
@@ -32,7 +32,7 @@ Optional[String] $path = undef, Array $extensions = ['.php'], Optional[String] $content = undef, - String $template = 'apache/mod/php.conf.erb', + String $template = 'apache/mod/php.conf.epp', Optional[String] $source = undef, Optional[String] $root_group = $apache::params::root_group, Optional[String] $php_version = $apache::params::php_version, @@ -63,9 +63,9 @@ fail('apache::mod::php requires apache::mod::prefork or apache::mod::itk; please enable mpm_module => \'prefork\' or mpm_module => \'itk\' on Class[\'apache\']') } - if $source and ($content or $template != 'apache/mod/php.conf.erb') { + if $source and ($content or $template != 'apache/mod/php.conf.epp') { warning('source and content or template parameters are provided. source parameter will be used') - } elsif $content and $template != 'apache/mod/php.conf.erb' { + } elsif $content and $template != 'apache/mod/php.conf.epp' { warning('content and template parameters are provided. content parameter will be used') } diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp index a64be57f8..cee5a0486 100644 --- a/manifests/mod/security.pp +++ b/manifests/mod/security.pp 
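Review bot: Changing the default to `'apache/mod/php.conf.epp'` while the diffstat renames `php.conf.erb` to `php.conf.epp` means a user who explicitly passes the previous default, `template => 'apache/mod/php.conf.erb'`, now reaches the `template()` branch added in PATCH 4/8 for a file that no longer ships — the spec in spec/classes/mod/php_spec.rb had to be changed in the same way — so this is not the backwards-compatible outcome PATCH 4/8 describes. Either keep a stub `templates/mod/php.conf.erb` for one release or add a deprecation note to the `template` parameter docs, e.g. `# The bundled ERB template has been replaced by php.conf.epp; a custom template whose name does not end in .epp is still rendered with template().` The two comparisons in the second hunk against the new default string are consistent with the new default.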
@@ -316,49 +316,30 @@ } if $manage_security_crs { - # Template uses: - # - $_secdefaultaction - # - $critical_anomaly_score - # - $error_anomaly_score - # - $warning_anomaly_score - # - $notice_anomaly_score - # - $inbound_anomaly_threshold - # - $outbound_anomaly_threshold - # - $paranoia_level - # - $executing_paranoia_level - # - $allowed_methods - # - $content_types - # - $restricted_extensions - # - $restricted_headers - # - $secrequestmaxnumargs - # - $enable_dos_protection - # - $dos_burst_time_slice - # - $dos_counter_threshold - # - $dos_block_timeout $security_crs_parameters = { - '_secdefaultaction' => $_secdefaultaction, - 'critical_anomaly_score' => $critical_anomaly_score, - 'error_anomaly_score' => $error_anomaly_score, - 'warning_anomaly_score' => $warning_anomaly_score, - 'notice_anomaly_score' => $notice_anomaly_score, - 'inbound_anomaly_threshold' => $inbound_anomaly_threshold, - 'outbound_anomaly_threshold' => $outbound_anomaly_threshold, - 'secrequestmaxnumargs' => $secrequestmaxnumargs, - 'allowed_methods' => $allowed_methods, - 'content_types' => $content_types, - 'restricted_extensions' => $restricted_extensions, - 'restricted_headers' => $restricted_headers, - 'paranoia_level' => $paranoia_level, - 'executing_paranoia_level' => $executing_paranoia_level, - 'enable_dos_protection' => $enable_dos_protection, - 'dos_burst_time_slice' => $dos_burst_time_slice, - 'dos_counter_threshold' => $dos_counter_threshold, - 'dos_block_timeout' => $dos_block_timeout, + '_secdefaultaction' => $_secdefaultaction, + 'critical_anomaly_score' => $critical_anomaly_score, + 'error_anomaly_score' => $error_anomaly_score, + 'warning_anomaly_score' => $warning_anomaly_score, + 'notice_anomaly_score' => $notice_anomaly_score, + 'inbound_anomaly_threshold' => $inbound_anomaly_threshold, + 'outbound_anomaly_threshold' => $outbound_anomaly_threshold, + 'secrequestmaxnumargs' => $secrequestmaxnumargs, + 'allowed_methods' => $allowed_methods, + 'content_types' => 
$content_types, + 'restricted_extensions' => $restricted_extensions, + 'restricted_headers' => $restricted_headers, + 'paranoia_level' => $paranoia_level, + 'executing_paranoia_level' => $executing_paranoia_level, + 'enable_dos_protection' => $enable_dos_protection, + 'dos_burst_time_slice' => $dos_burst_time_slice, + 'dos_counter_threshold' => $dos_counter_threshold, + 'dos_block_timeout' => $dos_block_timeout, } file { "${modsec_dir}/security_crs.conf": ensure => file, - content => template('apache/mod/security_crs.conf.erb'), + content => epp('apache/mod/security_crs.conf.epp', $security_crs_parameters), require => File[$modsec_dir], notify => Class['apache::service'], } diff --git a/manifests/mod/status.pp b/manifests/mod/status.pp index cd6416fe7..b6d6c5960 100644 --- a/manifests/mod/status.pp +++ b/manifests/mod/status.pp @@ -39,12 +39,17 @@ $requires_defaults = 'ip 127.0.0.1 ::1' - # Template uses $extended_status, $status_path + $status_params = { + 'extended_status' => $extended_status, + 'status_path' => $status_path, + 'requires' => $requires, + 'requires_defaults' => $requires_defaults, + } file { 'status.conf': ensure => file, path => "${apache::mod_dir}/status.conf", mode => $apache::file_mode, - content => template('apache/mod/status.conf.erb'), + content => epp('apache/mod/status.conf.epp', $status_params), require => Exec["mkdir ${apache::mod_dir}"], before => File[$apache::mod_dir], notify => Class['apache::service'], diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 5f73f442d..e2a88818c 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp 
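Review bot: `content => epp('apache/mod/security_crs.conf.epp', $security_crs_parameters)` references a template this series neither adds nor renames — the diffstat only deletes `templates/mod/security_crs.conf.erb` — so it relies on `security_crs.conf.epp` already being in the repository with a parameter list matching these eighteen keys; an EPP template rejects an undeclared or missing key at compile time, which is the point of the conversion but also means a mismatch breaks every catalog that sets `manage_security_crs`. Worth confirming the key set against the template's `<%- | ... | -%>` header before merging. Most of this hunk is re-alignment of an otherwise unchanged hash, which would be easier to review as a separate whitespace-only commit.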
@@ -2335,7 +2335,7 @@ if $directory['provider'] and $directory['provider'] =~ 'location' and ('proxy_pass' in $directory or 'proxy_pass_match' in $directory) { include apache::mod::proxy_http - # To match processing in templates/vhost/_directories.erb + # To match processing in templates/vhost/_directories.epp if $directory['proxy_pass_match'] { Array($directory['proxy_pass_match']).each |$proxy| { if $proxy['url'] =~ /"h2c?:\/\// { @@ -2364,28 +2364,26 @@ } } - # Template uses: - # - $_directories - # - $docroot - # - $shibboleth_enabled - # - $cas_enabled unless empty($_directories) { + $directory_params = { + 'docroot' => $docroot, + 'directories' => $_directories, + 'shibboleth_enabled' => $shibboleth_enabled, + 'cas_enabled' => $cas_enabled, + } concat::fragment { "${name}-directories": target => "${priority_real}$(unknown).conf", order => 60, - content => template('apache/vhost/_directories.erb'), + content => epp('apache/vhost/_directories.epp', $directory_params), } } } - # Template uses: - # - $additional_includes - # - $use_optional_includes if $additional_includes and ! empty($additional_includes) { concat::fragment { "${name}-additional_includes": target => "${priority_real}$(unknown).conf", order => 70, - content => template('apache/vhost/_additional_includes.erb'), + content => epp('apache/vhost/_additional_includes.epp', { 'additional_includes' => $additional_includes, 'use_optional_includes' => $use_optional_includes }), } } 
@@ -2403,24 +2401,17 @@ } } - # Template uses no variables concat::fragment { "${name}-serversignature": target => "${priority_real}$(unknown).conf", order => 90, content => " ServerSignature Off\n", } - # Template uses: - # - $_access_logs - # - $_access_log_env_var - # - $access_log_destination - # - $_access_log_format - # - $_access_log_env_var if !empty($_access_logs) { concat::fragment { "${name}-access_log": target => "${priority_real}$(unknown).conf", order => 100, - content => template('apache/vhost/_access_log.erb'), + content => epp('apache/vhost/_access_log.epp', { 'access_logs' => $_access_logs, 'logroot' => $logroot, 'ssl' => $ssl, 'filename' => $filename }), } } @@ -2432,23 +2423,19 @@ } } - # Template uses: - # - $block if $block and ! empty($block) { concat::fragment { "${name}-block": target => "${priority_real}$(unknown).conf", order => 120, - content => template('apache/vhost/_block.erb'), + content => epp('apache/vhost/_block.epp', { 'block' => $block }), } } - # Template uses: - # - $error_documents if $error_documents and ! empty($error_documents) { concat::fragment { "${name}-error_document": target => "${priority_real}$(unknown).conf", order => 130, - content => template('apache/vhost/_error_document.erb'), + content => epp('apache/vhost/_error_document.epp', { 'error_documents' => $error_documents }), } } @@ -2496,7 +2483,7 @@ if ($proxy_dest or $proxy_pass or $proxy_pass_match or $proxy_dest_match or $proxy_preserve_host or ($proxy_add_headers =~ NotUndef)) and $ensure == 'present' { include apache::mod::proxy_http - # To match processing in templates/vhost/_proxy.erb + # To match processing in templates/vhost/_proxy.epp if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] { include apache::mod::proxy_http2 } 
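Review bot: The `epp('apache/vhost/_access_log.epp', { ... })` call inlines a four-key hash on one long line, while every other fragment in this commit builds a named `$..._params` hash first (`$directory_params`, `$proxy_params`, `$ssl_params`); an `$access_log_params` hash before the `concat::fragment` would keep the style consistent. The removed comment listed `$_access_log_env_var`, `$access_log_destination` and `$_access_log_format` as template inputs, none of which is passed now; presumably the new `_access_log.epp` derives them from `access_logs`, `logroot`, `ssl` and `filename` itself, but that template is not in this hunk, so it is worth confirming. The same inline style is used for the `_additional_includes.epp`, `_block.epp` and `_error_document.epp` calls.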
@@ -2505,49 +2492,57 @@ include apache::mod::proxy_http2 } } + $proxy_params = { + 'proxy_dest' => $proxy_dest, + 'proxy_pass' => $proxy_pass, + 'proxy_pass_match' => $proxy_pass_match, + 'proxy_dest_match' => $proxy_dest_match, + 'proxy_add_headers' => $proxy_add_headers, + 'proxy_requests' => $proxy_requests, + 'proxy_preserve_host' => $proxy_preserve_host, + 'proxy_error_override' => $proxy_error_override, + 'no_proxy_uris' => $no_proxy_uris, + 'no_proxy_uris_match' => $no_proxy_uris_match, + 'proxy_dest_reverse_match' => $proxy_dest_reverse_match, + } concat::fragment { "${name}-proxy": target => "${priority_real}$(unknown).conf", order => 170, - content => template('apache/vhost/_proxy.erb'), - } - } - - # Template uses: - # - $redirect_source - # - $redirect_dest - # - $redirect_status - # - $redirect_dest_a - # - $redirect_source_a - # - $redirect_status_a - # - $redirectmatch_status - # - $redirectmatch_regexp - # - $redirectmatch_dest - # - $redirectmatch_status_a - # - $redirectmatch_regexp_a - # - $redirectmatch_dest + content => epp('apache/vhost/_proxy.epp', $proxy_params), + } + } + if (($redirect_source and $redirect_dest) or ($redirectmatch_regexp and $redirectmatch_dest)) and $ensure == 'present' { + $redirect_params = { + 'redirect_source' => $redirect_source, + 'redirect_dest' => $redirect_dest, + 'redirect_status' => $redirect_status, + 'redirectmatch_regexp' => $redirectmatch_regexp, + 'redirectmatch_dest' => $redirectmatch_dest, + 'redirectmatch_status' => $redirectmatch_status, + } include apache::mod::alias concat::fragment { "${name}-redirect": target => "${priority_real}$(unknown).conf", order => 180, - content => template('apache/vhost/_redirect.erb'), + content => epp('apache/vhost/_redirect.epp', $redirect_params), } } - # Template uses: - # - $rewrites - # - $rewrite_inherit - # - $rewrite_base - # - $rewrite_rule - # - $rewrite_cond - # - $rewrite_map if (! 
empty($rewrites) or $rewrite_rule or $rewrite_inherit) and $ensure == 'present' { include apache::mod::rewrite + $rewrite_params = { + 'rewrites' => $rewrites, + 'rewrite_inherit' => $rewrite_inherit, + 'rewrite_base' => $rewrite_base, + 'rewrite_rule' => $rewrite_rule, + 'rewrite_cond' => $rewrite_cond, + } concat::fragment { "${name}-rewrite": target => "${priority_real}$(unknown).conf", order => 190, - content => template('apache/vhost/_rewrite.erb'), + content => epp('apache/vhost/_rewrite.epp', $rewrite_params), } } @@ -2568,10 +2563,6 @@ } } - # Template uses: - # - $setenv - # - $setenvif - # - $setenvifnocase $use_env_mod = !empty($setenv) $use_setenvif_mod = !empty($setenvif) or !empty($setenvifnocase) if ($use_env_mod or $use_setenvif_mod) and $ensure == 'present' { 
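Review bot: `$rewrite_params` passes `rewrites`, `rewrite_inherit`, `rewrite_base`, `rewrite_rule` and `rewrite_cond`, but the deleted comment above the `if` also listed `$rewrite_map` as a template input and nothing in the new hash carries it; if `_rewrite.epp` (created in this commit but not in this hunk) still renders map entries they would now always be absent, and if the variable was intentionally dropped, its documentation should say so. I would add `'rewrite_map' => $rewrite_map,` to the hash or a one-line comment explaining why it is no longer needed. The `if` condition is split across the extracted lines and the enclosing block ends outside the hunk.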
@@ -2582,38 +2573,47 @@ include apache::mod::setenvif } + $setenv_params = { + 'setenv' => $setenv, + 'setenvif' => $setenvif, + 'setenvifnocase' => $setenvifnocase, + } concat::fragment { "${name}-setenv": target => "${priority_real}$(unknown).conf", order => 220, - content => template('apache/vhost/_setenv.erb'), - } - } - - # Template uses: - # - $ssl - # - $ssl_cert - # - $ssl_key - # - $ssl_chain - # - $ssl_certs_dir - # - $ssl_ca - # - $ssl_crl_path - # - $ssl_crl - # - $ssl_crl_check - # - $ssl_protocol - # - $ssl_cipher - # - $_ssl_honorcipherorder - # - $ssl_verify_client - # - $ssl_verify_depth - # - $ssl_options - # - $ssl_openssl_conf_cmd - # - $ssl_stapling - # - $mdomain + content => epp('apache/vhost/_setenv.epp', $setenv_params), + } + } + if $ssl and $ensure == 'present' { include apache::mod::ssl + $ssl_params = { + 'ssl' => $ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_chain' => $ssl_chain, + 'ssl_certs_dir' => $ssl_certs_dir, + 'ssl_ca' => $ssl_ca, + 'ssl_crl_path' => $ssl_crl_path, + 'ssl_crl' => $ssl_crl, + 'ssl_crl_check' => $ssl_crl_check, + 'ssl_protocol' => $ssl_protocol, + 'ssl_cipher' => $ssl_cipher, + 'ssl_honorcipherorder' => $_ssl_honorcipherorder, + 'ssl_verify_client' => $ssl_verify_client, + 'ssl_verify_depth' => $ssl_verify_depth, + 'ssl_options' => $ssl_options, + 'ssl_openssl_conf_cmd' => $ssl_openssl_conf_cmd, + 'ssl_stapling' => $ssl_stapling, + 'ssl_stapling_timeout' => $ssl_stapling_timeout, + 'ssl_stapling_return_errors' => $ssl_stapling_return_errors, + 'ssl_user_name' => $ssl_user_name, + 'mdomain' => $mdomain, + } concat::fragment { "${name}-ssl": target => "${priority_real}$(unknown).conf", order => 230, - content => template('apache/vhost/_ssl.erb'), + content => epp('apache/vhost/_ssl.epp', $ssl_params), } if $ssl_reload_on_change { 
@@ -2656,25 +2656,27 @@ } } - # Template uses: - # - $php_values - # - $php_flags if ($php_values and ! empty($php_values)) or ($php_flags and ! empty($php_flags)) { + $php_params = { + 'php_values' => $php_values, + 'php_flags' => $php_flags, + } concat::fragment { "${name}-php": target => "${priority_real}$(unknown).conf", order => 240, - content => template('apache/vhost/_php.erb'), + content => epp('apache/vhost/_php.epp', $php_params), } } - # Template uses: - # - $php_admin_values - # - $php_admin_flags if ($php_admin_values and ! empty($php_admin_values)) or ($php_admin_flags and ! empty($php_admin_flags)) { + $php_admin_params = { + 'php_admin_values' => $php_admin_values, + 'php_admin_flags' => $php_admin_flags, + } concat::fragment { "${name}-php_admin": target => "${priority_real}$(unknown).conf", order => 250, - content => template('apache/vhost/_php_admin.erb'), + content => epp('apache/vhost/_php_admin.epp', $php_admin_params), } } diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp index 89a885d17..e9d3d3ef2 100644 --- a/manifests/vhost/proxy.pp +++ b/manifests/vhost/proxy.pp @@ -124,7 +124,7 @@ include apache::mod::proxy include apache::mod::proxy_http - # To match processing in templates/vhost/_proxy.erb + # To match processing in templates/vhost/_proxy.epp if $proxy_dest =~ Pattern[/^h2c?:\/\//] or $proxy_dest_match =~ Pattern[/^h2c?:\/\//] { include apache::mod::proxy_http2 } 
@@ -138,11 +138,25 @@ fail('At least one of proxy_dest, proxy_pass, proxy_pass_match or proxy_dest_match must be given') } + $proxy_params = { + 'proxy_dest' => $proxy_dest, + 'proxy_pass' => $proxy_pass, + 'proxy_pass_match' => $proxy_pass_match, + 'proxy_dest_match' => $proxy_dest_match, + 'proxy_add_headers' => $proxy_add_headers, + 'proxy_requests' => $proxy_requests, + 'proxy_preserve_host' => $proxy_preserve_host, + 'proxy_error_override' => $proxy_error_override, + 'no_proxy_uris' => $no_proxy_uris, + 'no_proxy_uris_match' => $no_proxy_uris_match, + 'proxy_dest_reverse_match' => $proxy_dest_reverse_match, + } + apache::vhost::fragment { "${name}-proxy": vhost => $vhost, port => $port, priority => $priority, order => $order, - content => template('apache/vhost/_proxy.erb'), + content => epp('apache/vhost/_proxy.epp', $proxy_params), } } diff --git a/spec/classes/mod/php_spec.rb b/spec/classes/mod/php_spec.rb index 8c4e774d6..14729221e 100644 --- a/spec/classes/mod/php_spec.rb +++ b/spec/classes/mod/php_spec.rb @@ -310,7 +310,7 @@ context 'with template param' do let :params do - { template: 'apache/mod/php.conf.erb' } + { template: 'apache/mod/php.conf.epp' } end it { diff --git a/templates/fastcgi/server.erb b/templates/fastcgi/server.erb deleted file mode 100644 index bae56d48e..000000000 --- a/templates/fastcgi/server.erb +++ /dev/null @@ -1,22 +0,0 @@ -<% - timeout = " -idle-timeout #{@timeout}" - flush = "" - if @flush - flush = " -flush" - end - if @socket - host_or_socket = " -socket #{@socket}" - else - host_or_socket = " -host #{@host}" - end - - pass_header = "" - if @pass_header and ! @pass_header.empty? - pass_header = " -pass-header #{@pass_header}" - end - - options = timeout + flush + host_or_socket + pass_header --%> -FastCGIExternalServer <%= @faux_path %><%= options %> -Alias <%= @fcgi_alias %> <%= @faux_path %> -Action <%= @file_type %> <%= @fcgi_alias %> 
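Review bot: The `$proxy_params` hash here is an eleven-key copy of the one added to manifests/vhost.pp in the same commit, and both must match the parameters declared by `templates/vhost/_proxy.epp`; Puppet offers no convenient way to share the hash, so a cross-reference comment would at least keep a future edit from updating one copy only, e.g. `# Keep in sync with the identical hash in manifests/vhost.pp and the parameter list of templates/vhost/_proxy.epp.` The `apache::vhost::fragment` resource that consumes it is otherwise unchanged apart from the `content` line.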
diff --git a/templates/mod/_require.epp b/templates/mod/_require.epp
index 88443db57..56a22a4f8 100644
--- a/templates/mod/_require.epp
+++ b/templates/mod/_require.epp
@@ -1,5 +1,5 @@
-<% $_requires = if $requires { %>$requires<% } else {%>$requires_defaults<%} %>
-<% if type($_requires, 'generalized') == String { %>
+<% $_requires = if $requires { $requires } else { $requires_defaults} -%>
+<% if type($_requires, 'generalized') == String { -%>
 <%- if !($_requires.downcase in ['', 'unmanaged']) { -%>
 Require <%= $_requires %>
 <%- } -%>
diff --git a/templates/mod/_require.erb b/templates/mod/_require.erb
deleted file mode 100644
index 404dcc4c2..000000000
--- a/templates/mod/_require.erb
+++ /dev/null
@@ -1,33 +0,0 @@ -<% _requires = @requires != nil ? @requires : @requires_defaults -%> -<% if _requires.is_a?(String) -%> - <%- if ! ['', 'unmanaged'].include?_requires.downcase -%> - Require <%= _requires %> - <%- end -%> -<% elsif _requires.is_a?(Array) -%> - <%- _requires.each do |req| -%> - Require <%= req %> - <%- end -%> -<% elsif _requires.is_a?(Hash) -%> - <%- if _requires.has_key?('enforce') and ['all', 'none', 'any'].include?_requires['enforce'].downcase -%> - <%- enforce_str = "Require#{_requires['enforce'].capitalize}>\n" -%> - <%- enforce_open = " <#{enforce_str}" -%> - <%- enforce_close = " - <%- indentation = ' ' -%> - <%- else -%> - <%- if _requires.has_key?('enforce') -%> - <%- scope.function_warning(["Class #{@title}: Require can only be overwritten with all, none or any."]) -%> - <%- end -%> - <%- enforce_open = '' -%> - <%- enforce_close = '' -%> - <%- indentation = '' -%> - <%- end -%> - <%- if _requires.has_key?('requires') and _requires['requires'].is_a?(Array) -%> -<%# %><%= enforce_open -%> - <%- _requires['requires'].each do |req| -%> -<%# %> <%= indentation -%>Require <%= req %> - <%- end -%> -<%# %><%= enforce_close -%> - <%- else -%> - <%- scope.function_warning(["Class #{@title}: Require hash must have a key named \"requires\" with array value"]) -%> - <%- end -%> -<% end -%> diff --git a/templates/mod/php.conf.erb b/templates/mod/php.conf.epp similarity index 84% rename from templates/mod/php.conf.erb rename to templates/mod/php.conf.epp index 9e684fe6d..c1298d441 100644 --- a/templates/mod/php.conf.erb +++ b/templates/mod/php.conf.epp @@ -6,7 +6,7 @@ # # Cause the PHP interpreter to handle files with a .php extension. # -)$"> +)$"> SetHandler application/x-httpd-php diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb deleted file mode 100644 index fb8dbff14..000000000 --- a/templates/mod/security_crs.conf.erb +++ /dev/null 
@@ -1,1271 +0,0 @@ -<% if scope['facts']['os']['family'] == 'RedHat' and scope['facts']['os']['release']['major'].to_i <= 7 -%> -# --------------------------------------------------------------- -# Core ModSecurity Rule Set ver.2.2.9 -# Copyright (C) 2006-2012 Trustwave All rights reserved. -# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENCE file for full details. -# --------------------------------------------------------------- - - -# -# -- [[ Recommended Base Configuration ]] ------------------------------------------------- -# -# The configuration directives/settings in this file are used to control -# the OWASP ModSecurity CRS. These settings do **NOT** configure the main -# ModSecurity settings such as: -# -# - SecRuleEngine -# - SecRequestBodyAccess -# - SecAuditEngine -# - SecDebugLog -# -# You should use the modsecurity.conf-recommended file that comes with the -# ModSecurity source code archive. -# -# Ref: https://github.com/SpiderLabs/ModSecurity/blob/master/modsecurity.conf-recommended -# - - -# -# -- [[ Rule Version ]] ------------------------------------------------------------------- -# -# Rule version data is added to the "Producer" line of Section H of the Audit log: -# -# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4. -# -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature -# -SecComponentSignature "OWASP_CRS/2.2.9" - - -# -# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] ----------------- -# -# Each detection rule uses the "block" action which will inherit the SecDefaultAction -# specified below. Your settings here will determine which mode of operation you use. -# -# -- [[ Self-Contained Mode ]] -- -# Rules inherit the "deny" disruptive action. The first rule that matches will block. 
-# -# -- [[ Collaborative Detection Mode ]] -- -# This is a "delayed blocking" mode of operation where each matching rule will inherit -# the "pass" action and will only contribute to anomaly scores. Transactional blocking -# can be applied -# -# -- [[ Alert Logging Control ]] -- -# You have three options - -# -# - To log to both the Apache error_log and ModSecurity audit_log file use: "log" -# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog" -# - To log *only* to the Apache error_log file use: "log,noauditlog" -# -# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html -# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecDefaultAction -# -SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" -SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" - -# -# -- [[ Collaborative Detection Severity Levels ]] ---------------------------------------- -# -# These are the default scoring points for each severity level. You may -# adjust these to you liking. These settings will be used in macro expansion -# in the rules to increment the anomaly scores when rules match. -# -# These are the default Severity ratings (with anomaly scores) of the individual rules - -# -# - 2: Critical - Anomaly Score of 5. -# Is the highest severity level possible without correlation. It is -# normally generated by the web attack rules (40 level files). -# - 3: Error - Anomaly Score of 4. -# Is generated mostly from outbound leakage rules (50 level files). -# - 4: Warning - Anomaly Score of 3. -# Is generated by malicious client rules (35 level files). -# - 5: Notice - Anomaly Score of 2. -# Is generated by the Protocol policy and anomaly files. 
-# -SecAction \ - "id:'900001', \ - phase:1, \ - t:none, \ - setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ - setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ - setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ - setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>, \ - nolog, \ - pass" - - -# -# -- [[ Collaborative Detection Scoring Initialization and Threshold Levels ]] ------------------------------ -# -# These variables are used in macro expansion in the 49 inbound blocking and 59 -# outbound blocking files. -# -# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric -# operators. If you have an earlier version, edit the 49/59 files directly to -# set the appropriate anomaly score levels. -# -# You should set the score level (rule 900003) to the proper threshold you -# would prefer. If set to "5" it will work similarly to previous Mod CRS rules -# and will create an event in the error_log file if there are any rules that -# match. If you would like to lessen the number of events generated in the -# error_log file, you should increase the anomaly score threshold to something -# like "20". This would only generate an event in the error_log file if there -# are multiple lower severity rule matches or if any 1 higher severity item matches. 
-# -SecAction \ - "id:'900002', \ - phase:1, \ - t:none, \ - setvar:tx.anomaly_score=0, \ - setvar:tx.sql_injection_score=0, \ - setvar:tx.xss_score=0, \ - setvar:tx.inbound_anomaly_score=0, \ - setvar:tx.outbound_anomaly_score=0, \ - nolog, \ - pass" - - -SecAction \ - "id:'900003', \ - phase:1, \ - t:none, \ - setvar:tx.inbound_anomaly_score_level=<%= @inbound_anomaly_threshold -%>, \ - setvar:tx.outbound_anomaly_score_level=<%= @outbound_anomaly_threshold -%>, \ - nolog, \ - pass" - - -# -# -- [[ Collaborative Detection Blocking ]] ----------------------------------------------- -# -# This is a collaborative detection mode where each rule will increment an overall -# anomaly score for the transaction. The scores are then evaluated in the following files: -# -# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file -# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file -# -# If you want to use anomaly scoring mode, then uncomment this line. -# -SecAction \ - "id:'900004', \ - phase:1, \ - t:none, \ - setvar:tx.anomaly_score_blocking=<%= @anomaly_score_blocking -%>, \ - nolog, \ - pass" - - -# -# -- [[ GeoIP Database ]] ----------------------------------------------------------------- -# -# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data. 
-# -# You must first download the MaxMind GeoIP Lite City DB - -# -# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz -# -# You then need to define the proper path for the SecGeoLookupDb directive -# -# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html -# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html -# -#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat - -# -# -- [[ Regression Testing Mode ]] -------------------------------------------------------- -# -# If you are going to run the regression testing mode, you should uncomment the -# following rule. It will enable DetectionOnly mode for the SecRuleEngine and -# will enable Response Header tagging so that the client testing script can see -# which rule IDs have matched. -# -# You must specify the your source IP address where you will be running the tests -# from. -# -#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \ - "id:'900005', \ - phase:1, \ - t:none, \ - ctl:ruleEngine=DetectionOnly, \ - setvar:tx.regression_testing=1, \ - nolog, \ - pass" - - -# -# -- [[ HTTP Policy Settings ]] ---------------------------------------------------------- -# -# Set the following policy settings here and they will be propagated to the 23 rules -# file (modsecurity_common_23_request_limits.conf) by using macro expansion. -# If you run into false positives, you can adjust the settings here. -# -# Only the max number of args is uncommented by default as there are a high rate -# of false positives. Uncomment the items you wish to set. 
-# -# -# -- Maximum number of arguments in request limited -SecAction \ - "id:'900006', \ - phase:1, \ - t:none, \ - setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>, \ - nolog, \ - pass" - -# -# -- Limit argument name length -#SecAction \ - "id:'900007', \ - phase:1, \ - t:none, \ - setvar:tx.arg_name_length=100, \ - nolog, \ - pass" - -# -# -- Limit value name length -#SecAction \ - "id:'900008', \ - phase:1, \ - t:none, \ - setvar:tx.arg_length=400, \ - nolog, \ - pass" - -# -# -- Limit arguments total length -#SecAction \ - "id:'900009', \ - phase:1, \ - t:none, \ - setvar:tx.total_arg_length=64000, \ - nolog, \ - pass" - -# -# -- Individual file size is limited -#SecAction \ - "id:'900010', \ - phase:1, \ - t:none, \ - setvar:tx.max_file_size=1048576, \ - nolog, \ - pass" - -# -# -- Combined file size is limited -#SecAction \ - "id:'900011', \ - phase:1, \ - t:none, \ - setvar:tx.combined_file_sizes=1048576, \ - nolog, \ - pass" - - -# -# Set the following policy settings here and they will be propagated to the 30 rules -# file (modsecurity_crs_30_http_policy.conf) by using macro expansion. -# If you run into false positves, you can adjust the settings here. -# -SecAction \ - "id:'900012', \ - phase:1, \ - t:none, \ - setvar:'tx.allowed_methods=<%= @allowed_methods -%>', \ - setvar:'tx.allowed_request_content_type=<%= @content_types -%>', \ - setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \ - setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>', \ - setvar:'tx.restricted_headers=<%= @restricted_headers -%>', \ - nolog, \ - pass" - - -# -# -- [[ Content Security Policy (CSP) Settings ]] ----------------------------------------- -# -# The purpose of these settings is to send CSP response headers to -# Mozilla FireFox users so that you can enforce how dynamic content -# is used. CSP usage helps to prevent XSS attacks against your users. 
-# -# Reference Link: -# -# https://developer.mozilla.org/en/Security/CSP -# -# Uncomment this SecAction line if you want use CSP enforcement. -# You need to set the appropriate directives and settings for your site/domain and -# and activate the CSP file in the experimental_rules directory. -# -# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html -# -#SecAction \ - "id:'900013', \ - phase:1, \ - t:none, \ - setvar:tx.csp_report_only=1, \ - setvar:tx.csp_report_uri=/csp_violation_report, \ - setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \ - nolog, \ - pass" - - -# -# -- [[ Brute Force Protection ]] --------------------------------------------------------- -# -# If you are using the Brute Force Protection rule set, then uncomment the following -# lines and set the following variables: -# - Protected URLs: resources to protect (e.g. 
login pages) - set to your login page -# - Burst Time Slice Interval: time interval window to monitor for bursts -# - Request Threshold: request # threshold to trigger a burst -# - Block Period: temporary block timeout -# -#SecAction \ - "id:'900014', \ - phase:1, \ - t:none, \ - setvar:'tx.brute_force_protected_urls=#/login.jsp# #/partner_login.php#', \ - setvar:'tx.brute_force_burst_time_slice=60', \ - setvar:'tx.brute_force_counter_threshold=10', \ - setvar:'tx.brute_force_block_timeout=300', \ - nolog, \ - pass" - - -# -# -- [[ DoS Protection ]] ---------------------------------------------------------------- -# -# If you are using the DoS Protection rule set, then uncomment the following -# lines and set the following variables: -# - Burst Time Slice Interval: time interval window to monitor for bursts -# - Request Threshold: request # threshold to trigger a burst -# - Block Period: temporary block timeout -# -SecAction \ - "id:'900015', \ - phase:1, \ - t:none, \ - setvar:'tx.dos_burst_time_slice=60', \ - setvar:'tx.dos_counter_threshold=100', \ - setvar:'tx.dos_block_timeout=600', \ - nolog, \ - pass" - - -# -# -- [[ Check UTF enconding ]] ----------------------------------------------------------- -# -# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise -# it will result in false positives. 
-# -# Uncomment this line if your site uses UTF8 encoding -#SecAction \ - "id:'900016', \ - phase:1, \ - t:none, \ - setvar:tx.crs_validate_utf8_encoding=1, \ - nolog, \ - pass" - - -# -# -- [[ Enable XML Body Parsing ]] ------------------------------------------------------- -# -# The rules in this file will trigger the XML parser upon an XML request -# -# Initiate XML Processor in case of xml content-type -# -SecRule REQUEST_HEADERS:Content-Type "text/xml" \ - "id:'900017', \ - phase:1, \ - t:none,t:lowercase, \ - nolog, \ - pass, \ - chain" - SecRule REQBODY_PROCESSOR "!@streq XML" \ - "ctl:requestBodyProcessor=XML" - - -# -# -- [[ Global and IP Collections ]] ----------------------------------------------------- -# -# Create both Global and IP collections for rules to use -# There are some CRS rules that assume that these two collections -# have already been initiated. -# -SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \ - "id:'900018', \ - phase:1, \ - t:none,t:sha1,t:hexEncode, \ - setvar:tx.ua_hash=%{matched_var}, \ - nolog, \ - pass" - - -SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \ - "id:'900019', \ - phase:1, \ - t:none, \ - capture, \ - setvar:tx.real_ip=%{tx.1}, \ - nolog, \ - pass" - - -SecRule &TX:REAL_IP "!@eq 0" \ - "id:'900020', \ - phase:1, \ - t:none, \ - initcol:global=global, \ - initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \ - nolog, \ - pass" - - -SecRule &TX:REAL_IP "@eq 0" \ - "id:'900021', \ - phase:1, \ - t:none, \ - initcol:global=global, \ - initcol:ip=%{remote_addr}_%{tx.ua_hash}, \ - setvar:tx.real_ip=%{remote_addr}, \ - nolog, \ - pass" -<% else -%> -# ------------------------------------------------------------------------ -# OWASP ModSecurity Core Rule Set ver.3.3.2 -# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved. 
-# -# The OWASP ModSecurity Core Rule Set is distributed under -# Apache Software License (ASL) version 2 -# Please see the enclosed LICENSE file for full details. -# ------------------------------------------------------------------------ - - -# -# -- [[ Introduction ]] -------------------------------------------------------- -# -# The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack -# detection rules that provide a base level of protection for any web -# application. They are written for the open source, cross-platform -# ModSecurity Web Application Firewall. -# -# See also: -# https://coreruleset.org/ -# https://github.com/SpiderLabs/owasp-modsecurity-crs -# https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project -# - - -# -# -- [[ System Requirements ]] ------------------------------------------------- -# -# CRS requires ModSecurity version 2.8.0 or above. -# We recommend to always use the newest ModSecurity version. -# -# The configuration directives/settings in this file are used to control -# the OWASP ModSecurity CRS. These settings do **NOT** configure the main -# ModSecurity settings (modsecurity.conf) such as SecRuleEngine, -# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing. -# -# The CRS assumes that modsecurity.conf has been loaded. It is bundled with -# ModSecurity. If you don't have it, you can get it from: -# 2.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v2/master/modsecurity.conf-recommended -# 3.x: https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended -# -# The order of file inclusion in your webserver configuration should always be: -# 1. modsecurity.conf -# 2. crs-setup.conf (this file) -# 3. rules/*.conf (the CRS rule files) -# -# Please refer to the INSTALL file for detailed installation instructions. -# - - -# -# -- [[ Mode of Operation: Anomaly Scoring vs. 
Self-Contained ]] --------------- -# -# The CRS can run in two modes: -# -# -- [[ Anomaly Scoring Mode (default) ]] -- -# In CRS3, anomaly mode is the default and recommended mode, since it gives the -# most accurate log information and offers the most flexibility in setting your -# blocking policies. It is also called "collaborative detection mode". -# In this mode, each matching rule increases an 'anomaly score'. -# At the conclusion of the inbound rules, and again at the conclusion of the -# outbound rules, the anomaly score is checked, and the blocking evaluation -# rules apply a disruptive action, by default returning an error 403. -# -# -- [[ Self-Contained Mode ]] -- -# In this mode, rules apply an action instantly. This was the CRS2 default. -# It can lower resource usage, at the cost of less flexibility in blocking policy -# and less informative audit logs (only the first detected threat is logged). -# Rules inherit the disruptive action that you specify (i.e. deny, drop, etc). -# The first rule that matches will execute this action. In most cases this will -# cause evaluation to stop after the first rule has matched, similar to how many -# IDSs function. -# -# -- [[ Alert Logging Control ]] -- -# In the mode configuration, you must also adjust the desired logging options. -# There are three common options for dealing with logging. By default CRS enables -# logging to the webserver error log (or Event viewer) plus detailed logging to -# the ModSecurity audit log (configured under SecAuditLog in modsecurity.conf). -# -# - To log to both error log and ModSecurity audit log file, use: "log,auditlog" -# - To log *only* to the ModSecurity audit log file, use: "nolog,auditlog" -# - To log *only* to the error log file, use: "log,noauditlog" -# -# Examples for the various modes follow. -# You must leave one of the following options enabled. -# Note that you must specify the same line for phase:1 and phase:2. 
-# - -# Default: Anomaly Scoring mode, log to error log, log to ModSecurity audit log -# - By default, offending requests are blocked with an error 403 response. -# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example -# and review section 'Changing the Disruptive Action for Anomaly Mode'. -# - In Apache, you can use ErrorDocument to show a friendly error page or -# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html -# -# SecDefaultAction "phase:1,log,auditlog,pass" -# SecDefaultAction "phase:2,log,auditlog,pass" - -# Example: Anomaly Scoring mode, log only to ModSecurity audit log -# - By default, offending requests are blocked with an error 403 response. -# - To change the disruptive action, see RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example -# and review section 'Changing the Disruptive Action for Anomaly Mode'. -# - In Apache, you can use ErrorDocument to show a friendly error page or -# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html -# -# SecDefaultAction "phase:1,nolog,auditlog,pass" -# SecDefaultAction "phase:2,nolog,auditlog,pass" - -# Example: Self-contained mode, return error 403 on blocking -# - In this configuration the default disruptive action becomes 'deny'. After a -# rule triggers, it will stop processing the request and return an error 403. -# - You can also use a different error status, such as 404, 406, et cetera. -# - In Apache, you can use ErrorDocument to show a friendly error page or -# perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html -# -# SecDefaultAction "phase:1,log,auditlog,deny,status:403" -# SecDefaultAction "phase:2,log,auditlog,deny,status:403" - -# Example: Self-contained mode, redirect back to homepage on blocking -# - In this configuration the 'tag' action includes the Host header data in the -# log. This helps to identify which virtual host triggered the rule (if any). 
-# - Note that this might cause redirect loops in some situations; for example -# if a Cookie or User-Agent header is blocked, it will also be blocked when -# the client subsequently tries to access the homepage. You can also redirect -# to another custom URL. -# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" -# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'" - -SecDefaultAction "phase:1,<%= @_secdefaultaction -%>" -SecDefaultAction "phase:2,<%= @_secdefaultaction -%>" - -# -# -- [[ Paranoia Level Initialization ]] --------------------------------------- -# -# The Paranoia Level (PL) setting allows you to choose the desired level -# of rule checks that will add to your anomaly scores. -# -# With each paranoia level increase, the CRS enables additional rules -# giving you a higher level of security. However, higher paranoia levels -# also increase the possibility of blocking some legitimate traffic due to -# false alarms (also named false positives or FPs). If you use higher -# paranoia levels, it is likely that you will need to add some exclusion -# rules for certain requests and applications receiving complex input. -# -# - A paranoia level of 1 is default. In this level, most core rules -# are enabled. PL1 is advised for beginners, installations -# covering many different sites and applications, and for setups -# with standard security requirements. -# At PL1 you should face FPs rarely. If you encounter FPs, please -# open an issue on the CRS GitHub site and don't forget to attach your -# complete Audit Log record for the request with the issue. -# - Paranoia level 2 includes many extra rules, for instance enabling -# many regexp-based SQL and XSS injection protections, and adding -# extra keywords checked for code injections. 
PL2 is advised -# for moderate to experienced users desiring more complete coverage -# and for installations with elevated security requirements. -# PL2 comes with some FPs which you need to handle. -# - Paranoia level 3 enables more rules and keyword lists, and tweaks -# limits on special characters used. PL3 is aimed at users experienced -# at the handling of FPs and at installations with a high security -# requirement. -# - Paranoia level 4 further restricts special characters. -# The highest level is advised for experienced users protecting -# installations with very high security requirements. Running PL4 will -# likely produce a very high number of FPs which have to be -# treated before the site can go productive. -# -# All rules will log their PL to the audit log; -# example: [tag "paranoia-level/2"]. This allows you to deduct from the -# audit log how the WAF behavior is affected by paranoia level. -# -# It is important to also look into the variable -# tx.enforce_bodyproc_urlencoded (Enforce Body Processor URLENCODED) -# defined below. Enabling it closes a possible bypass of CRS. -# -# Uncomment this rule to change the default: -# -SecAction \ - "id:900000,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.paranoia_level=<%= @paranoia_level -%>" - - -# It is possible to execute rules from a higher paranoia level but not include -# them in the anomaly scoring. This allows you to take a well-tuned system on -# paranoia level 1 and add rules from paranoia level 2 without having to fear -# the new rules would lead to false positives that raise your score above the -# threshold. -# This optional feature is enabled by uncommenting the following rule and -# setting the tx.executing_paranoia_level. -# Technically, rules up to the level defined in tx.executing_paranoia_level -# will be executed, but only the rules up to tx.paranoia_level affect the -# anomaly scores. -# By default, tx.executing_paranoia_level is set to tx.paranoia_level. 
-# tx.executing_paranoia_level must not be lower than tx.paranoia_level. -# -# Please notice that setting tx.executing_paranoia_level to a higher paranoia -# level results in a performance impact that is equally high as setting -# tx.paranoia_level to said level. -# -SecAction \ - "id:900001,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.executing_paranoia_level=<%= @executing_paranoia_level -%>" - - -# -# -- [[ Enforce Body Processor URLENCODED ]] ----------------------------------- -# -# ModSecurity selects the body processor based on the Content-Type request -# header. But clients are not always setting the Content-Type header for their -# request body payloads. This will leave ModSecurity with limited vision into -# the payload. The variable tx.enforce_bodyproc_urlencoded lets you force the -# URLENCODED body processor in these situations. This is off by default, as it -# implies a change of the behaviour of ModSecurity beyond CRS (the body -# processor applies to all rules, not only CRS) and because it may lead to -# false positives already on paranoia level 1. However, enabling this variable -# closes a possible bypass of CRS so it should be considered. -# -# Uncomment this rule to change the default: -# -#SecAction \ -# "id:900010,\ -# phase:1,\ -# nolog,\ -# pass,\ -# t:none,\ -# setvar:tx.enforce_bodyproc_urlencoded=1" - - -# -# -- [[ Anomaly Mode Severity Levels ]] ---------------------------------------- -# -# Each rule in the CRS has an associated severity level. -# These are the default scoring points for each severity level. -# These settings will be used to increment the anomaly score if a rule matches. -# You may adjust these points to your liking, but this is usually not needed. -# -# - CRITICAL severity: Anomaly Score of 5. -# Mostly generated by the application attack rules (93x and 94x files). -# - ERROR severity: Anomaly Score of 4. -# Generated mostly from outbound leakage rules (95x files). -# - WARNING severity: Anomaly Score of 3. 
-# Generated mostly by malicious client rules (91x files). -# - NOTICE severity: Anomaly Score of 2. -# Generated mostly by the protocol rules (92x files). -# -# In anomaly mode, these scores are cumulative. -# So it's possible for a request to hit multiple rules. -# -# (Note: In this file, we use 'phase:1' to set CRS configuration variables. -# In general, 'phase:request' is used. However, we want to make absolutely sure -# that all configuration variables are set before the CRS rules are processed.) -# -SecAction \ - "id:900100,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.critical_anomaly_score=<%= @critical_anomaly_score -%>, \ - setvar:tx.error_anomaly_score=<%= @error_anomaly_score -%>, \ - setvar:tx.warning_anomaly_score=<%= @warning_anomaly_score -%>, \ - setvar:tx.notice_anomaly_score=<%= @notice_anomaly_score -%>" - - -# -# -- [[ Anomaly Mode Blocking Threshold Levels ]] ------------------------------ -# -# Here, you can specify at which cumulative anomaly score an inbound request, -# or outbound response, gets blocked. -# -# Most detected inbound threats will give a critical score of 5. -# Smaller violations, like violations of protocol/standards, carry lower scores. -# -# [ At default value ] -# If you keep the blocking thresholds at the defaults, the CRS will work -# similarly to previous CRS versions: a single critical rule match will cause -# the request to be blocked and logged. -# -# [ Using higher values ] -# If you want to make the CRS less sensitive, you can increase the blocking -# thresholds, for instance to 7 (which would require multiple rule matches -# before blocking) or 10 (which would require at least two critical alerts - or -# a combination of many lesser alerts), or even higher. However, increasing the -# thresholds might cause some attacks to bypass the CRS rules or your policies. 
-# -# [ New deployment strategy: Starting high and decreasing ] -# It is a common practice to start a fresh CRS installation with elevated -# anomaly scoring thresholds (>100) and then lower the limits as your -# confidence in the setup grows. You may also look into the Sampling -# Percentage section below for a different strategy to ease into a new -# CRS installation. -# -# [ Anomaly Threshold / Paranoia Level Quadrant ] -# -# High Anomaly Limit | High Anomaly Limit -# Low Paranoia Level | High Paranoia Level -# -> Fresh Site | -> Experimental Site -# ------------------------------------------------------ -# Low Anomaly Limit | Low Anomaly Limit -# Low Paranoia Level | High Paranoia Level -# -> Standard Site | -> High Security Site -# -# Uncomment this rule to change the defaults: -# -SecAction \ - "id:900110,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:tx.inbound_anomaly_score_threshold=<%= @inbound_anomaly_threshold -%>, \ - setvar:tx.outbound_anomaly_score_threshold=<%= @outbound_anomaly_threshold -%>" - -# -# -- [[ Application Specific Rule Exclusions ]] ---------------------------------------- -# -# Some well-known applications may undertake actions that appear to be -# malicious. This includes actions such as allowing HTML or Javascript within -# parameters. In such cases the CRS aims to prevent false positives by allowing -# administrators to enable prebuilt, application specific exclusions on an -# application by application basis. -# These application specific exclusions are distinct from the rules that would -# be placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS configuration file as -# they are prebuilt for specific applications. The 'REQUEST-900' file is -# designed for users to add their own custom exclusions. Note, using these -# application specific exclusions may loosen restrictions of the CRS, -# especially if used with an application they weren't designed for. As a result -# they should be applied with care. 
-# To use this functionality you must specify a supported application. To do so
-# uncomment rule 900130. In addition to uncommenting the rule you will need to
-# specify which application(s) you'd like to enable exclusions for. Only a
-# (very) limited set of applications are currently supported, please use the
-# filenames prefixed with 'REQUEST-903' to guide you in your selection.
-# Such filenames use the following convention:
-# REQUEST-903.9XXX-{APPNAME}-EXCLUSIONS-RULES.conf
-#
-# It is recommended if you run multiple web applications on your site to limit
-# the effects of the exclusion to only the path where the excluded webapp
-# resides using a rule similar to the following example:
-# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
-
-#
-# Modify and uncomment this rule to select which application:
-#
-#SecAction \
-# "id:900130,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.crs_exclusions_cpanel=1,\
-# setvar:tx.crs_exclusions_drupal=1,\
-# setvar:tx.crs_exclusions_dokuwiki=1,\
-# setvar:tx.crs_exclusions_nextcloud=1,\
-# setvar:tx.crs_exclusions_wordpress=1,\
-# setvar:tx.crs_exclusions_xenforo=1"
-
-#
-# -- [[ HTTP Policy Settings ]] ------------------------------------------------
-#
-# This section defines your policies for the HTTP protocol, such as:
-# - allowed HTTP versions, HTTP methods, allowed request Content-Types
-# - forbidden file extensions (e.g. .bak, .sql) and request headers (e.g. Proxy)
-#
-# These variables are used in the following rule files:
-# - REQUEST-911-METHOD-ENFORCEMENT.conf
-# - REQUEST-912-DOS-PROTECTION.conf
-# - REQUEST-920-PROTOCOL-ENFORCEMENT.conf
-
-# HTTP methods that a client is allowed to use.
-# Default: GET HEAD POST OPTIONS
-# Example: for RESTful APIs, add the following methods: PUT PATCH DELETE
-# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
-# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
-# Uncomment this rule to change the default.
-SecAction \
- "id:900200,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:'tx.allowed_methods=<%= @allowed_methods -%>'"
-
-# Content-Types that a client is allowed to send in a request.
-# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
-# |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json|
-# |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|
-# |application/csp-report| |application/xss-auditor-report| |text/plain|
-# Uncomment this rule to change the default.
-SecAction \
- "id:900220,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:'tx.allowed_request_content_type=<%= @content_types -%>'"
-
-# Allowed HTTP versions.
-# Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
-# Example for legacy clients: HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0
-# Note that some web server versions use 'HTTP/2', some 'HTTP/2.0', so
-# we include both version strings by default.
-# Uncomment this rule to change the default.
-#SecAction \
-# "id:900230,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
-
-# Forbidden file extensions.
-# Guards against unintended exposure of development/configuration files.
-# Default: .asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/
-# Example: .bak/ .config/ .conf/ .db/ .ini/ .log/ .old/ .pass/ .pdb/ .rdb/ .sql/
-# Uncomment this rule to change the default.
-SecAction \
- "id:900240,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>'"
-
-# Forbidden request headers.
-# Header names should be lowercase, enclosed by /slashes/ as delimiters.
-# Blocking Proxy header prevents 'httpoxy' vulnerability: https://httpoxy.org
-# Default: /proxy/ /lock-token/ /content-range/ /if/
-# Uncomment this rule to change the default.
-SecAction \
- "id:900250,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:'tx.restricted_headers=<%= @restricted_headers -%>'"
-
-# File extensions considered static files.
-# Extensions include the dot, lowercase, enclosed by /slashes/ as delimiters.
-# Used in DoS protection rule. See section "Anti-Automation / DoS Protection".
-# Default: /.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/
-# Uncomment this rule to change the default.
-#SecAction \
-# "id:900260,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
-
-# Content-Types charsets that a client is allowed to send in a request.
-# Default: utf-8|iso-8859-1|iso-8859-15|windows-1252
-# Uncomment this rule to change the default.
-# Use "|" to separate multiple charsets like in the rule defining
-# tx.allowed_request_content_type.
-#SecAction \
-# "id:900280,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:'tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252'"
-
-#
-# -- [[ HTTP Argument/Upload Limits ]] -----------------------------------------
-#
-# Here you can define optional limits on HTTP get/post parameters and uploads.
-# This can help to prevent application specific DoS attacks.
-#
-# These values are checked in REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
-# Beware of blocking legitimate traffic when enabling these limits.
-#
-
-# Block request if number of arguments is too high
-# Default: unlimited
-# Example: 255
-# Uncomment this rule to set a limit.
-SecAction \
- "id:900300,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:tx.max_num_args=<%= @secrequestmaxnumargs %>"
-
-# Block request if the length of any argument name is too high
-# Default: unlimited
-# Example: 100
-# Uncomment this rule to set a limit.
-#SecAction \
-# "id:900310,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.arg_name_length=100"
-
-# Block request if the length of any argument value is too high
-# Default: unlimited
-# Example: 400
-# Uncomment this rule to set a limit.
-#SecAction \
-# "id:900320,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.arg_length=400"
-
-# Block request if the total length of all combined arguments is too high
-# Default: unlimited
-# Example: 64000
-# Uncomment this rule to set a limit.
-#SecAction \
-# "id:900330,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.total_arg_length=64000"
-
-# Block request if the file size of any individual uploaded file is too high
-# Default: unlimited
-# Example: 1048576
-# Uncomment this rule to set a limit.
-#SecAction \
-# "id:900340,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.max_file_size=1048576"
-
-# Block request if the total size of all combined uploaded files is too high
-# Default: unlimited
-# Example: 1048576
-# Uncomment this rule to set a limit.
-#SecAction \
-# "id:900350,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.combined_file_sizes=1048576"
-
-
-#
-# -- [[ Easing In / Sampling Percentage ]] -------------------------------------
-#
-# Adding the Core Rule Set to an existing productive site can lead to false
-# positives, unexpected performance issues and other undesired side effects.
-#
-# It can be beneficial to test the water first by enabling the CRS for a
-# limited number of requests only and then, when you have solved the issues (if
-# any) and you have confidence in the setup, to raise the ratio of requests
-# being sent into the ruleset.
-#
-# Adjust the percentage of requests that are funnelled into the Core Rules by
-# setting TX.sampling_percentage below. The default is 100, meaning that every
-# request gets checked by the CRS. The selection of requests, which are going
-# to be checked, is based on a pseudo random number generated by ModSecurity.
-#
-# If a request is allowed to pass without being checked by the CRS, there is no
-# entry in the audit log (for performance reasons), but an error log entry is
-# written. If you want to disable the error log entry, then issue the
-# following directive somewhere after the inclusion of the CRS
-# (E.g., RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf).
-#
-# SecRuleUpdateActionById 901150 "nolog"
-#
-# ATTENTION: If this TX.sampling_percentage is below 100, then some of the
-# requests will bypass the Core Rules completely and you lose the ability to
-# protect your service with ModSecurity.
-#
-# Uncomment this rule to enable this feature:
-#
-#SecAction "id:900400,\
-# phase:1,\
-# pass,\
-# nolog,\
-# setvar:tx.sampling_percentage=100"
-
-
-#
-# -- [[ Project Honey Pot HTTP Blacklist ]] ------------------------------------
-#
-# Optionally, you can check the client IP address against the Project Honey Pot
-# HTTPBL (dnsbl.httpbl.org). In order to use this, you need to register to get a
-# free API key. Set it here with SecHttpBlKey.
-#
-# Project Honeypot returns multiple different malicious IP types.
-# You may specify which you want to block by enabling or disabling them below.
-#
-# Ref: https://www.projecthoneypot.org/httpbl.php
-# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecHttpBlKey
-#
-# Uncomment these rules to use this feature:
-#
-#SecHttpBlKey XXXXXXXXXXXXXXXXX
-#SecAction "id:900500,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.block_search_ip=1,\
-# setvar:tx.block_suspicious_ip=1,\
-# setvar:tx.block_harvester_ip=1,\
-# setvar:tx.block_spammer_ip=1"
-
-
-#
-# -- [[ GeoIP Database ]] ------------------------------------------------------
-#
-# There are some rulesets that inspect geolocation data of the client IP address
-# (geoLookup). The CRS uses geoLookup to implement optional country blocking.
-#
-# To use geolocation, we make use of the MaxMind GeoIP database.
-# This database is not included with the CRS and must be downloaded.
-#
-# There are two formats for the GeoIP database. ModSecurity v2 uses GeoLite (.dat files),
-# and ModSecurity v3 uses GeoLite2 (.mmdb files).
-#
-# If you use ModSecurity 3, MaxMind provides a binary for updating GeoLite2 files,
-# see https://github.com/maxmind/geoipupdate.
-#
-# Download the package for your OS, and read https://dev.maxmind.com/geoip/geoipupdate/
-# for configuration options.
-#
-# Warning: GeoLite (not GeoLite2) databases are considered legacy, and not being updated anymore.
-# See https://support.maxmind.com/geolite-legacy-discontinuation-notice/ for more info.
-#
-# Therefore, if you use ModSecurity v2, you need to regenerate updated .dat files
-# from CSV files first.
-#
-# You can achieve this using https://github.com/sherpya/geolite2legacy
-# Pick the zip files from maxmind site:
-# https://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip
-#
-# Follow the guidelines for installing the tool and run:
-# ./geolite2legacy.py -i GeoLite2-Country-CSV.zip \
-# -f geoname2fips.csv -o /usr/share/GeoliteCountry.dat
-#
-# Update the database regularly, see Step 3 of the configuration link above.
-#
-# By default, when you execute `sudo geoipupdate` on Linux, files from the free database
-# will be downloaded to `/usr/share/GeoIP` (both v1 and v2).
-#
-# Then choose from:
-# - `GeoLite2-Country.mmdb` (if you are using ModSecurity v3)
-# - `GeoLiteCountry.dat` (if you are using ModSecurity v2)
-#
-# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
-# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
-#
-# Uncomment only one of the next rules here to use this feature.
-# Choose the one depending on the ModSecurity version you are using, and change the path accordingly:
-#
-# For ModSecurity v3:
-#SecGeoLookupDB /usr/share/GeoIP/GeoLite2-Country.mmdb
-# For ModSecurity v2 (points to the converted one):
-#SecGeoLookupDB /usr/share/GeoIP/GeoLiteCountry.dat
-
-#
-# -=[ Block Countries ]=-
-#
-# Rules in the IP Reputation file can check the client against a list of high
-# risk country codes. These countries have to be defined in the variable
-# tx.high_risk_country_codes via their ISO 3166 two-letter country code:
-# https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements
-#
-# If you are sure that you are not getting any legitimate requests from a given
-# country, then you can disable all access from that country via this variable.
-# The rule performing the test has the rule id 910100.
-#
-# This rule requires SecGeoLookupDB to be enabled and the GeoIP database to be
-# downloaded (see the section "GeoIP Database" above.)
-#
-# By default, the list is empty. A list used by some sites was the following:
-# setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
-#
-# Uncomment this rule to use this feature:
-#
-#SecAction \
-# "id:900600,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:'tx.high_risk_country_codes='"
-
-
-#
-# -- [[ Anti-Automation / DoS Protection ]] ------------------------------------
-#
-# Optional DoS protection against clients making requests too quickly.
-#
-# When a client is making more than 100 requests (excluding static files) within
-# 60 seconds, this is considered a 'burst'. After two bursts, the client is
-# blocked for 600 seconds.
-#
-# Requests to static files are not counted towards DoS; they are listed in the
-# 'tx.static_extensions' setting, which you can change in this file (see
-# section "HTTP Policy Settings").
-#
-# For a detailed description, see rule file REQUEST-912-DOS-PROTECTION.conf.
-#
-# Uncomment this rule to use this feature:
-#
-<% if @enable_dos_protection -%>
-SecAction \
- "id:900700,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:'tx.dos_burst_time_slice=<%= @dos_burst_time_slice %>',\
- setvar:'tx.dos_counter_threshold=<%= @dos_counter_threshold %>',\
- setvar:'tx.dos_block_timeout=<%= @dos_block_timeout %>'"
-<% end -%>
-
-#
-# -- [[ Check UTF-8 encoding ]] ------------------------------------------------
-#
-# The CRS can optionally check request contents for invalid UTF-8 encoding.
-# We only want to apply this check if UTF-8 encoding is actually used by the
-# site; otherwise it will result in false positives.
-#
-# Uncomment this rule to use this feature:
-#
-#SecAction \
-# "id:900950,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.crs_validate_utf8_encoding=1"
-
-
-#
-# -- [[ Blocking Based on IP Reputation ]] ------------------------------------
-#
-# Blocking based on reputation is permanent in the CRS. Unlike other rules,
-# which look at the individual request, the blocking of IPs is based on
-# a persistent record in the IP collection, which remains active for a
-# certain amount of time.
-#
-# There are two ways an individual client can become flagged for blocking:
-# - External information (RBL, GeoIP, etc.)
-# - Internal information (Core Rules)
-#
-# The record in the IP collection carries a flag, which tags requests from
-# individual clients with a flag named IP.reput_block_flag.
-# But the flag alone is not enough to have a client blocked. There is also
-# a global switch named tx.do_reput_block. This is off by default. If you set
-# it to 1 (=On), requests from clients with the IP.reput_block_flag will
-# be blocked for a certain duration.
-#
-# Variables
-# ip.reput_block_flag Blocking flag for the IP collection record
-# ip.reput_block_reason Reason (= rule message) that caused to blocking flag
-# tx.do_reput_block Switch deciding if we really block based on flag
-# tx.reput_block_duration Setting to define the duration of a block
-#
-# It may be important to know, that all the other core rules are skipped for
-# requests, when it is clear that they carry the blocking flag in question.
-#
-# Uncomment this rule to use this feature:
-#
-#SecAction \
-# "id:900960,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.do_reput_block=1"
-#
-# Uncomment this rule to change the blocking time:
-# Default: 300 (5 minutes)
-#
-#SecAction \
-# "id:900970,\
-# phase:1,\
-# nolog,\
-# pass,\
-# t:none,\
-# setvar:tx.reput_block_duration=300"
-
-
-#
-# -- [[ Collection timeout ]] --------------------------------------------------
-#
-# Set the SecCollectionTimeout directive from the ModSecurity default (1 hour)
-# to a lower setting which is appropriate to most sites.
-# This increases performance by cleaning out stale collection (block) entries.
-#
-# This value should be greater than or equal to:
-# tx.reput_block_duration (see section "Blocking Based on IP Reputation") and
-# tx.dos_block_timeout (see section "Anti-Automation / DoS Protection").
-#
-# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecCollectionTimeout
-
-# Please keep this directive uncommented.
-# Default: 600 (10 minutes)
-SecCollectionTimeout 600
-
-
-#
-# -- [[ End of setup ]] --------------------------------------------------------
-#
-# The CRS checks the tx.crs_setup_version variable to ensure that the setup
-# has been loaded. If you are not planning to use this setup template,
-# you must manually set the tx.crs_setup_version variable before including
-# the CRS rules/* files.
-#
-# The variable is a numerical representation of the CRS version number.
-# E.g., v3.0.0 is represented as 300.
-#
-SecAction \
- "id:900990,\
- phase:1,\
- nolog,\
- pass,\
- t:none,\
- setvar:tx.crs_setup_version=332"
-<% end -%>
-
diff --git a/templates/mod/status.conf.epp b/templates/mod/status.conf.epp
index b7031956e..50e440b8c 100644
--- a/templates/mod/status.conf.epp
+++ b/templates/mod/status.conf.epp
@@ -1,10 +1,6 @@ > SetHandler server-status - <%# From Puppet 4.2 up, replace: -%> - <%# "scope.function_template(["apache/mod/