diff --git a/README.md b/README.md
index 8994e6baa..87c385348 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@
* [Class: apache::mod::negotiation](#class-apachemodnegotiation)
* [Class: apache::mod::deflate](#class-apachemoddeflate)
* [Class: apache::mod::reqtimeout](#class-apachemodreqtimeout)
+ * [Class: apache::mod::security](#class-modsecurity)
* [Class: apache::mod::version](#class-apachemodversion)
* [Defined Type: apache::vhost](#defined-type-apachevhost)
* [Parameter: `directories` for apache::vhost](#parameter-directories-for-apachevhost)
@@ -555,6 +556,7 @@ There are many `apache::mod::[name]` classes within this module that can be decl
* `rewrite`
* `rpaf`*
* `setenvif`
+* `security`
* `shib`* (see [`apache::mod::shib`](#class-apachemodshib) below)
* `speling`
* `ssl`* (see [`apache::mod::ssl`](#class-apachemodssl) below)
@@ -583,7 +585,7 @@ To configure the event thread limit:
$threadlimit => '128',
}
```
-
+
####Class: `apache::mod::info`
@@ -748,8 +750,8 @@ Installs Apache mod_status and uses the status.conf.erb template. These are the
extended_status = 'On',
status_path = '/server-status',
){
-
-
+
+
}
```
@@ -875,6 +877,24 @@ A string or an array that sets the `RequestReadTimeout` option. Defaults to
`['header=20-40,MinRate=500', 'body=20,MinRate=500']`.
+####Class: `apache::mod::security`
+
+Installs and configures mod_security. Defaults to enabled and running on all
+vhosts.
+
+```puppet
+ include '::apache::mod::security'
+```
+
+#####`modsec_dir`
+
+Directory to install the modsec configuration and activated rules links into
+
+#####`activated_rules`
+
+Array of rules from the modsec_crs_path to activate by symlinking to
+${modsec_dir}/activated_rules.
+
####Defined Type: `apache::vhost`
The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows it to be evaluated multiple times with different parameters.
@@ -907,7 +927,7 @@ If you have a series of specific configurations and do not want a base `::apache
#####`access_log`
-Specifies whether `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'.
+Specifies whether `*_access.log` directives (`*_file`,`*_pipe`, or `*_syslog`) should be configured. Setting the value to 'false' chooses none. Defaults to 'true'.
#####`access_log_file`
@@ -1109,6 +1129,34 @@ in without being aware of the consequences; see http://httpd.apache.org/docs/2.4
Specifies the verbosity of the error log. Defaults to 'warn' for the global server configuration and can be overridden on a per-vhost basis. Valid values are 'emerg', 'alert', 'crit', 'error', 'warn', 'notice', 'info' or 'debug'.
+######`modsec_body_limit`
+
+Configures the maximum request body size (in bytes) ModSecurity will accept for buffering
+
+######`modsec_disable_vhost`
+
+Boolean. Only valid if apache::mod::security is included. Used to disable mod_security on an individual vhost. Only relevant if apache::mod::security is included.
+
+######`modsec_disable_ids`
+
+Array of mod_security IDs to remove from the vhost. Also takes a hash allowing removal of an ID from a specific location.
+
+```puppet
+ apache::vhost { 'sample.example.net':
+ modsec_disable_ids => [ 90015, 90016 ],
+ }
+```
+
+```puppet
+ apache::vhost { 'sample.example.net':
+ modsec_disable_ids => { '/location1' => [ 90015, 90016 ] },
+ }
+```
+
+######`modsec_disable_ips`
+
+Array of IPs to exclude from mod_security rule matching
+
#####`no_proxy_uris`
Specifies URLs you do not want to proxy. This parameter is meant to be used in combination with [`proxy_dest`](#proxy_dest).
@@ -1160,7 +1208,7 @@ Allows per-vhost setting [`php_admin_value`s or `php_admin_flag`s](http://php.ne
#####`port`
-Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter.
+Sets the port the host is configured on. The module's defaults ensure the host listens on port 80 for non-SSL vhosts and port 443 for SSL vhosts. The host only listens on the port set in this parameter.
#####`priority`
@@ -1208,7 +1256,7 @@ Specifies the address to redirect to. Defaults to 'undef'.
#####`redirect_source`
-Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent.
+Specifies the source URIs that redirect to the destination specified in `redirect_dest`. If more than one item for redirect is supplied, the source and destination must be the same length, and the items are order-dependent.
```puppet
apache::vhost { 'site.name.fdqn':
@@ -1459,9 +1507,9 @@ To set up a virtual host with WSGI
The `directories` parameter within the `apache::vhost` class passes an array of hashes to the vhost to create [Directory](http://httpd.apache.org/docs/current/mod/core.html#directory), [File](http://httpd.apache.org/docs/current/mod/core.html#files), and [Location](http://httpd.apache.org/docs/current/mod/core.html#location) directive blocks. These blocks take the form, '< Directory /path/to/directory>...< /Directory>'.
-The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys.
+The `path` key sets the path for the directory, files, and location blocks. Its value must be a path for the 'directory', 'files', and 'location' providers, or a regex for the 'directorymatch', 'filesmatch', or 'locationmatch' providers. Each hash passed to `directories` **must** contain `path` as one of the keys.
-The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file.
+The `provider` key is optional. If missing, this key defaults to 'directory'. Valid values for `provider` are 'directory', 'files', 'location', 'directorymatch', 'filesmatch', or 'locationmatch'. If you set `provider` to 'directorymatch', it uses the keyword 'DirectoryMatch' in the Apache config file.
General `directories` usage looks something like
@@ -1488,7 +1536,7 @@ Available handlers, represented as keys, should be placed within the `directory`
}
```
-Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are:
+Any handlers you do not set in these hashes are considered 'undefined' within Puppet and are not added to the virtual host, resulting in the module using their default values. Supported handlers are:
######`addhandlers`
@@ -1620,7 +1668,7 @@ Pass a string of custom configuration directives to be placed at the end of the
######`deny`
-Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
+Sets a [Deny](http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny) directive, specifying which hosts are denied access to the server. **Deprecated:** This parameter is being deprecated due to a change in Apache. It only works with Apache 2.2 and lower.
```puppet
apache::vhost { 'sample.example.net':
@@ -1734,10 +1782,10 @@ Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/
```puppet
apache::vhost { 'sample.example.net':
docroot => '/path/to/directory',
- directories => [
- { path => '/path/to/directory',
+ directories => [
+ { path => '/path/to/directory',
passenger_enabled => 'on',
- },
+ },
],
}
```
@@ -1771,9 +1819,9 @@ Sets a `SetHandler` directive as per the [Apache Core documentation](http://http
```puppet
apache::vhost { 'sample.example.net':
docroot => '/path/to/directory',
- directories => [
- { path => '/path/to/directory',
- sethandler => 'None',
+ directories => [
+ { path => '/path/to/directory',
+ sethandler => 'None',
}
],
}
@@ -1824,7 +1872,7 @@ Allows an valid content setting to be set or altered for the application request
######`shib_use_headers`
-When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details.
+When set to 'On' this turns on the use of request headers to publish attributes to applications. Valid values for this key is 'On' or 'Off', and the default value is 'Off'. This key is disabled if `apache::mod::shib` is not defined. Check the [`mod_shib` documentation](https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig#NativeSPApacheConfig-Server/VirtualHostOptions) for more details.
######`ssl_options`
@@ -2015,7 +2063,7 @@ A unique alias. This is used internally to link the action with the FastCGI serv
#####`file_type`
-The MIME-type of the file to be processed by the FastCGI server.
+The MIME-type of the file to be processed by the FastCGI server.
###Virtual Host Examples
@@ -2310,6 +2358,7 @@ If you need to use ProxySet in the balancer config
* `apache::peruser::multiplexer`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only.
* `apache::peruser::processor`: Enables the [Peruser](http://www.freebsd.org/cgi/url.cgi?ports/www/apache22-peruser-mpm/pkg-descr) module for FreeBSD only.
+* `apache::security::file_link`: Links the activated_rules from apache::mod::security to the respective CRS rules on disk.
###Templates
diff --git a/manifests/mod/security.pp b/manifests/mod/security.pp
new file mode 100644
index 000000000..9641d70df
--- /dev/null
+++ b/manifests/mod/security.pp
@@ -0,0 +1,64 @@
+class apache::mod::security (
+ $crs_package = $::apache::params::modsec_crs_package,
+ $activated_rules = $::apache::params::modsec_default_rules,
+ $modsec_dir = $::apache::params::modsec_dir,
+){
+
+ if $::osfamily == 'FreeBSD' {
+ fail('FreeBSD is not currently supported')
+ }
+
+ ::apache::mod { 'security':
+ id => 'security2_module',
+ lib => 'mod_security2.so',
+ }
+
+ ::apache::mod { 'unique_id_module':
+ id => 'unique_id_module',
+ lib => 'mod_unique_id.so',
+ }
+
+ if $crs_package {
+ package { $crs_package:
+ ensure => 'latest',
+ before => File['security.conf'],
+ }
+ }
+
+ # Template uses:
+ # - $modsec_dir
+ file { 'security.conf':
+ ensure => file,
+ content => template('apache/mod/security.conf.erb'),
+ path => "${::apache::mod_dir}/security.conf",
+ require => Exec["mkdir ${::apache::mod_dir}"],
+ before => File[$::apache::mod_dir],
+ notify => Service['httpd'],
+ }
+
+ file { $modsec_dir:
+ ensure => directory,
+ owner => $::apache::params::user,
+ group => $::apache::params::group,
+ mode => '0555',
+ purge => true,
+ recurse => true,
+ }
+
+ file { "${modsec_dir}/activated_rules":
+ ensure => directory,
+ owner => $::apache::params::user,
+ group => $::apache::params::group,
+ mode => '0555',
+ }
+
+ file { "${modsec_dir}/security_crs.conf":
+ ensure => file,
+ content => template('apache/mod/security_crs.conf.erb'),
+ require => File[$modsec_dir],
+ notify => Service['httpd'],
+ }
+
+ apache::security::rule_link { $activated_rules: }
+
+}
diff --git a/manifests/params.pp b/manifests/params.pp
index 6a221fd63..ac92b2b14 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -83,6 +83,7 @@
},
'proxy_html' => 'mod_proxy_html',
'python' => 'mod_python',
+ 'security' => 'mod_security',
'shibboleth' => 'shibboleth',
'ssl' => 'mod_ssl',
'wsgi' => 'mod_wsgi',
@@ -109,6 +110,32 @@
} else {
$wsgi_socket_prefix = undef
}
+ $modsec_crs_package = 'mod_security_crs'
+ $modsec_crs_path = '/usr/lib/modsecurity.d'
+ $modsec_dir = '/etc/httpd/modsecurity.d'
+ $modsec_default_rules = [
+ 'base_rules/modsecurity_35_bad_robots.data',
+ 'base_rules/modsecurity_35_scanners.data',
+ 'base_rules/modsecurity_40_generic_attacks.data',
+ 'base_rules/modsecurity_41_sql_injection_attacks.data',
+ 'base_rules/modsecurity_50_outbound.data',
+ 'base_rules/modsecurity_50_outbound_malware.data',
+ 'base_rules/modsecurity_crs_20_protocol_violations.conf',
+ 'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
+ 'base_rules/modsecurity_crs_23_request_limits.conf',
+ 'base_rules/modsecurity_crs_30_http_policy.conf',
+ 'base_rules/modsecurity_crs_35_bad_robots.conf',
+ 'base_rules/modsecurity_crs_40_generic_attacks.conf',
+ 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
+ 'base_rules/modsecurity_crs_41_xss_attacks.conf',
+ 'base_rules/modsecurity_crs_42_tight_security.conf',
+ 'base_rules/modsecurity_crs_45_trojans.conf',
+ 'base_rules/modsecurity_crs_47_common_exceptions.conf',
+ 'base_rules/modsecurity_crs_49_inbound_blocking.conf',
+ 'base_rules/modsecurity_crs_50_outbound.conf',
+ 'base_rules/modsecurity_crs_59_outbound_blocking.conf',
+ 'base_rules/modsecurity_crs_60_correlation.conf'
+ ]
} elsif $::osfamily == 'Debian' {
$user = 'www-data'
$group = 'www-data'
@@ -149,6 +176,7 @@
'proxy_html' => 'libapache2-mod-proxy-html',
'python' => 'libapache2-mod-python',
'rpaf' => 'libapache2-mod-rpaf',
+ 'security' => 'libapache2-modsecurity',
'suphp' => 'libapache2-mod-suphp',
'wsgi' => 'libapache2-mod-wsgi',
'xsendfile' => 'libapache2-mod-xsendfile',
@@ -165,6 +193,32 @@
$mime_support_package = 'mime-support'
$mime_types_config = '/etc/mime.types'
$docroot = '/var/www'
+ $modsec_crs_package = 'modsecurity-crs'
+ $modsec_crs_path = '/usr/share/modsecurity-crs'
+ $modsec_dir = '/etc/modsecurity'
+ $modsec_default_rules = [
+ 'base_rules/modsecurity_35_bad_robots.data',
+ 'base_rules/modsecurity_35_scanners.data',
+ 'base_rules/modsecurity_40_generic_attacks.data',
+ 'base_rules/modsecurity_41_sql_injection_attacks.data',
+ 'base_rules/modsecurity_50_outbound.data',
+ 'base_rules/modsecurity_50_outbound_malware.data',
+ 'base_rules/modsecurity_crs_20_protocol_violations.conf',
+ 'base_rules/modsecurity_crs_21_protocol_anomalies.conf',
+ 'base_rules/modsecurity_crs_23_request_limits.conf',
+ 'base_rules/modsecurity_crs_30_http_policy.conf',
+ 'base_rules/modsecurity_crs_35_bad_robots.conf',
+ 'base_rules/modsecurity_crs_40_generic_attacks.conf',
+ 'base_rules/modsecurity_crs_41_sql_injection_attacks.conf',
+ 'base_rules/modsecurity_crs_41_xss_attacks.conf',
+ 'base_rules/modsecurity_crs_42_tight_security.conf',
+ 'base_rules/modsecurity_crs_45_trojans.conf',
+ 'base_rules/modsecurity_crs_47_common_exceptions.conf',
+ 'base_rules/modsecurity_crs_49_inbound_blocking.conf',
+ 'base_rules/modsecurity_crs_50_outbound.conf',
+ 'base_rules/modsecurity_crs_59_outbound_blocking.conf',
+ 'base_rules/modsecurity_crs_60_correlation.conf'
+ ]
#
# Passenger-specific settings
diff --git a/manifests/security/rule_link.pp b/manifests/security/rule_link.pp
new file mode 100644
index 000000000..1ddc9d6aa
--- /dev/null
+++ b/manifests/security/rule_link.pp
@@ -0,0 +1,12 @@
+define apache::security::rule_link () {
+
+ $parts = split($title, '/')
+ $filename = $parts[-1]
+
+ file { $filename:
+ ensure => 'link',
+ path => "${::apache::mod::security::modsec_dir}/activated_rules/${filename}",
+ target => "${::apache::params::modsec_crs_path}/${title}",
+ require => File["${::apache::mod::security::modsec_dir}/activated_rules"],
+ }
+}
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 50b3a1ec4..711dffeeb 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -106,6 +106,10 @@
$passenger_start_timeout = undef,
$passenger_pre_start = undef,
$add_default_charset = undef,
+ $modsec_disable_vhost = undef,
+ $modsec_disable_ids = undef,
+ $modsec_disable_ips = undef,
+ $modsec_body_limit = undef,
) {
# The base class must be included first because it is used by parameter defaults
if ! defined(Class['apache']) {
@@ -414,6 +418,17 @@
$_directories = [ merge($_directory, $_directory_version) ]
}
+ ## Create a global LocationMatch if locations aren't defined
+ if $modsec_disable_ids {
+ if is_hash($modsec_disable_ids) {
+ $_modsec_disable_ids = $modsec_disable_ids
+ } elsif is_array($modsec_disable_ids) {
+ $_modsec_disable_ids = { '.*' => $modsec_disable_ids }
+ } else {
+ fail("Apache::Vhost[${name}]: 'modsec_disable_ids' must be either a Hash of location/IDs or an Array of IDs")
+ }
+ }
+
concat { "${priority_real}-${filename}.conf":
ensure => $ensure,
path => "${::apache::vhost_dir}/${priority_real}-${filename}.conf",
@@ -491,7 +506,7 @@
content => template('apache/vhost/_fallbackresource.erb'),
}
}
-
+
# Template uses:
# - $allow_encoded_slashes
if $allow_encoded_slashes {
@@ -823,6 +838,19 @@
}
}
+ # Template uses:
+ # - $modsec_disable_vhost
+ # - $modsec_disable_ids
+ # - $modsec_disable_ips
+ # - $modsec_body_limit
+ if $modsec_disable_vhost or $modsec_disable_ids or $modsec_disable_ips {
+ concat::fragment { "${name}-security":
+ target => "${priority_real}-${filename}.conf",
+ order => 320,
+ content => template('apache/vhost/_security.erb')
+ }
+ }
+
# Template uses no variables
concat::fragment { "${name}-file_footer":
target => "${priority_real}-${filename}.conf",
diff --git a/spec/acceptance/mod_security_spec.rb b/spec/acceptance/mod_security_spec.rb
new file mode 100644
index 000000000..74d1cd26e
--- /dev/null
+++ b/spec/acceptance/mod_security_spec.rb
@@ -0,0 +1,228 @@
+require 'spec_helper_acceptance'
+
+describe 'apache::mod::security class', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
+ case fact('osfamily')
+ when 'Debian'
+ mod_dir = '/etc/apache2/mods-available'
+ service_name = 'apache2'
+ package_name = 'apache2'
+ when 'RedHat'
+ mod_dir = '/etc/httpd/conf.d'
+ service_name = 'httpd'
+ package_name = 'httpd'
+ end
+
+ context "default mod_security config" do
+ if fact('osfamily') == 'RedHat' and fact('operatingsystemmajrelease') =~ /(5|6)/
+ it 'adds epel' do
+ pp = "class { 'epel': }"
+ apply_manifest(pp, :catch_failures => true)
+ end
+ end
+
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => 'Index page',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe package(package_name) do
+ it { is_expected.to be_installed }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -H"User-Agent: beaker" modsec.example.com:80') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -H"User-Agent beaker" -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ end #default mod_security config
+
+ context "mod_security should allow disabling by vhost" do
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => "Index page\\n",
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -H"User-Agent: beaker" -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ it 'should disable mod_security per vhost' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ modsec_disable_vhost => false,
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -H"User-Agent: beaker" -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+ end #mod_security should allow disabling by vhost
+
+ context "mod_security should allow disabling by ip" do
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => "Index page\\n",
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -H"User-Agent: beaker" -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ it 'should disable mod_security per vhost' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ modsec_disable_ips => [ '127.0.0.1' ],
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -H"User-Agent: beaker" modsec.example.com:80') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+ end #mod_security should allow disabling by ip
+
+ context "mod_security should allow disabling by id" do
+ it 'succeeds in puppeting mod_security' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ }
+ host { 'modsec.example.com': ip => '127.0.0.1', }
+ file { '/var/www/html/index.html':
+ ensure => file,
+ content => 'Index page',
+ }
+ file { '/var/www/html/index2.html':
+ ensure => file,
+ content => 'Page 2',
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ describe service(service_name) do
+ it { is_expected.to be_enabled }
+ it { is_expected.to be_running }
+ end
+
+ describe file("#{mod_dir}/security.conf") do
+ it { is_expected.to contain "mod_security2.c" }
+ end
+
+ it 'should block query with SQL' do
+ shell '/usr/bin/curl -H"User-Agent: beaker" -f modsec.example.com:80?SELECT%20*FROM%20mysql.users', :acceptable_exit_codes => [22]
+ end
+
+ it 'should disable mod_security per vhost' do
+ pp= <<-EOS
+ class { 'apache': }
+ class { 'apache::mod::security': }
+ apache::vhost { 'modsec.example.com':
+ port => '80',
+ docroot => '/var/www/html',
+ modsec_disable_ids => [ '950007' ],
+ }
+ EOS
+ apply_manifest(pp, :catch_failures => true)
+ end
+
+ it 'should return index page' do
+ shell('/usr/bin/curl -H"User-Agent: beaker" -f modsec.example.com:80?SELECT%20*FROM%20mysql.users') do |r|
+ expect(r.stdout).to match(/Index page/)
+ expect(r.exit_code).to eq(0)
+ end
+ end
+
+ end #mod_security should allow disabling by id
+
+
+end #apache::mod::security class
diff --git a/spec/classes/mod/security_spec.rb b/spec/classes/mod/security_spec.rb
new file mode 100644
index 000000000..05586c2ca
--- /dev/null
+++ b/spec/classes/mod/security_spec.rb
@@ -0,0 +1,93 @@
+require 'spec_helper'
+
+describe 'apache::mod::security', :type => :class do
+ let :pre_condition do
+ 'include apache'
+ end
+
+ context "on RedHat based systems" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ :operatingsystemrelease => '7',
+ :kernel => 'Linux',
+ :id => 'root',
+ :concat_basedir => '/',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ end
+ it { should contain_apache__mod('security').with(
+ :id => 'security2_module',
+ :lib => 'mod_security2.so'
+ ) }
+ it { should contain_apache__mod('unique_id_module').with(
+ :id => 'unique_id_module',
+ :lib => 'mod_unique_id.so'
+ ) }
+ it { should contain_package('mod_security_crs') }
+ it { should contain_file('security.conf').with(
+ :path => '/etc/httpd/conf.d/security.conf'
+ ) }
+ it { should contain_file('/etc/httpd/modsecurity.d').with(
+ :ensure => 'directory',
+ :path => '/etc/httpd/modsecurity.d',
+ :owner => 'apache',
+ :group => 'apache'
+ ) }
+ it { should contain_file('/etc/httpd/modsecurity.d/activated_rules').with(
+ :ensure => 'directory',
+ :path => '/etc/httpd/modsecurity.d/activated_rules',
+ :owner => 'apache',
+ :group => 'apache'
+ ) }
+ it { should contain_file('/etc/httpd/modsecurity.d/security_crs.conf').with(
+ :path => '/etc/httpd/modsecurity.d/security_crs.conf'
+ ) }
+ it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
+ end
+
+ context "on Debian based systems" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '6',
+ :concat_basedir => '/',
+ :lsbdistcodename => 'squeeze',
+ :id => 'root',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :kernel => 'Linux'
+ }
+ end
+ it { should contain_apache__mod('security').with(
+ :id => 'security2_module',
+ :lib => 'mod_security2.so'
+ ) }
+ it { should contain_apache__mod('unique_id_module').with(
+ :id => 'unique_id_module',
+ :lib => 'mod_unique_id.so'
+ ) }
+ it { should contain_package('modsecurity-crs') }
+ it { should contain_file('security.conf').with(
+ :path => '/etc/apache2/mods-available/security.conf'
+ ) }
+ it { should contain_file('/etc/modsecurity').with(
+ :ensure => 'directory',
+ :path => '/etc/modsecurity',
+ :owner => 'www-data',
+ :group => 'www-data'
+ ) }
+ it { should contain_file('/etc/modsecurity/activated_rules').with(
+ :ensure => 'directory',
+ :path => '/etc/modsecurity/activated_rules',
+ :owner => 'www-data',
+ :group => 'www-data'
+ ) }
+ it { should contain_file('/etc/modsecurity/security_crs.conf').with(
+ :path => '/etc/modsecurity/security_crs.conf'
+ ) }
+ it { should contain_apache__security__rule_link('base_rules/modsecurity_35_bad_robots.data') }
+ end
+
+end
diff --git a/spec/defines/modsec_link_spec.rb b/spec/defines/modsec_link_spec.rb
new file mode 100644
index 000000000..c1633d01d
--- /dev/null
+++ b/spec/defines/modsec_link_spec.rb
@@ -0,0 +1,51 @@
+require 'spec_helper'
+
+describe 'apache::security::rule_link', :type => :define do
+ let :pre_condition do
+ 'class { "apache": }
+ class { "apache::mod::security": activated_rules => [] }
+ '
+ end
+
+ let :title do
+ 'base_rules/modsecurity_35_bad_robots.data'
+ end
+
+ context "on RedHat based systems" do
+ let :facts do
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ :operatingsystemrelease => '7',
+ :kernel => 'Linux',
+ :id => 'root',
+ :concat_basedir => '/',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ }
+ end
+ it { should contain_file('modsecurity_35_bad_robots.data').with(
+ :path => '/etc/httpd/modsecurity.d/activated_rules/modsecurity_35_bad_robots.data',
+ :target => '/usr/lib/modsecurity.d/base_rules/modsecurity_35_bad_robots.data'
+ ) }
+ end
+
+ context "on Debian based systems" do
+ let :facts do
+ {
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ :operatingsystemrelease => '6',
+ :concat_basedir => '/',
+ :lsbdistcodename => 'squeeze',
+ :id => 'root',
+ :path => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin',
+ :kernel => 'Linux'
+ }
+ end
+ it { should contain_file('modsecurity_35_bad_robots.data').with(
+ :path => '/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data',
+ :target => '/usr/share/modsecurity-crs/base_rules/modsecurity_35_bad_robots.data'
+ ) }
+ end
+
+end
diff --git a/templates/mod/security.conf.erb b/templates/mod/security.conf.erb
new file mode 100644
index 000000000..ed884eadd
--- /dev/null
+++ b/templates/mod/security.conf.erb
@@ -0,0 +1,68 @@
+
+ # ModSecurity Core Rules Set configuration
+<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
+ IncludeOptional <%= @modsec_dir %>/*.conf
+ IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
+<%- else -%>
+ Include <%= @modsec_dir %>/*.conf
+ Include <%= @modsec_dir %>/activated_rules/*.conf
+<%- end -%>
+
+ # Default recommended configuration
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+ SecRequestBodyLimit 13107200
+ SecRequestBodyNoFilesLimit 131072
+ SecRequestBodyInMemoryLimit 131072
+ SecRequestBodyLimitAction Reject
+ SecRule REQBODY_ERROR "!@eq 0" \
+ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+ SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+ "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
+ PE %{REQBODY_PROCESSOR_ERROR}, \
+ BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+ DB %{MULTIPART_DATA_BEFORE}, \
+ DA %{MULTIPART_DATA_AFTER}, \
+ HF %{MULTIPART_HEADER_FOLDING}, \
+ LF %{MULTIPART_LF_LINE}, \
+ SM %{MULTIPART_MISSING_SEMICOLON}, \
+ IQ %{MULTIPART_INVALID_QUOTING}, \
+ IP %{MULTIPART_INVALID_PART}, \
+ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+ SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+ SecPcreMatchLimit 1000
+ SecPcreMatchLimitRecursion 1000
+
+ SecRule TX:/^MSC_/ "!@streq 0" \
+ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+ SecResponseBodyAccess Off
+ SecResponseBodyMimeType text/plain text/html text/xml
+ SecResponseBodyLimit 524288
+ SecResponseBodyLimitAction ProcessPartial
+ SecDebugLogLevel 0
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+ SecAuditLogParts ABIJDEFHZ
+ SecAuditLogType Serial
+ SecArgumentSeparator &
+ SecCookieFormat 0
+<%- if scope.lookupvar('::operatingsystem') == 'Ubuntu' -%>
+ SecDebugLog /var/log/apache2/modsec_debug.log
+ SecAuditLog /var/log/apache2/modsec_audit.log
+ SecTmpDir /var/cache/modsecurity
+ SecDataDir /var/cache/modsecurity
+<% else -%>
+ SecDebugLog /var/log/httpd/modsec_debug.log
+ SecAuditLog /var/log/httpd/modsec_audit.log
+ SecTmpDir /var/lib/mod_security
+ SecDataDir /var/lib/mod_security
+<% end -%>
+
diff --git a/templates/mod/security_crs.conf.erb b/templates/mod/security_crs.conf.erb
new file mode 100644
index 000000000..4a990eb3a
--- /dev/null
+++ b/templates/mod/security_crs.conf.erb
@@ -0,0 +1,428 @@
+# ---------------------------------------------------------------
+# Core ModSecurity Rule Set ver.2.2.6
+# Copyright (C) 2006-2012 Trustwave All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENCE file for full details.
+# ---------------------------------------------------------------
+
+
+#
+# -- [[ Recommended Base Configuration ]] -------------------------------------------------
+#
+# The configuration directives/settings in this file are used to control
+# the OWASP ModSecurity CRS. These settings do **NOT** configure the main
+# ModSecurity settings such as:
+#
+# - SecRuleEngine
+# - SecRequestBodyAccess
+# - SecAuditEngine
+# - SecDebugLog
+#
+# You should use the modsecurity.conf-recommended file that comes with the
+# ModSecurity source code archive.
+#
+# Ref: http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/modsecurity.conf-recommended
+#
+
+
+#
+# -- [[ Rule Version ]] -------------------------------------------------------------------
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.7.0-rc1 (http://www.modsecurity.org/); OWASP_CRS/2.2.4.
+#
+# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecComponentSignature
+#
+SecComponentSignature "OWASP_CRS/2.2.6"
+
+
+#
+# -- [[ Modes of Operation: Self-Contained vs. Collaborative Detection ]] -----------------
+#
+# Each detection rule uses the "block" action which will inherit the SecDefaultAction
+# specified below. Your settings here will determine which mode of operation you use.
+#
+# -- [[ Self-Contained Mode ]] --
+# Rules inherit the "deny" disruptive action. The first rule that matches will block.
+#
+# -- [[ Collaborative Detection Mode ]] --
+# This is a "delayed blocking" mode of operation where each matching rule will inherit
+# the "pass" action and will only contribute to anomaly scores. Transactional blocking
+# can be applied
+#
+# -- [[ Alert Logging Control ]] --
+# You have three options -
+#
+# - To log to both the Apache error_log and ModSecurity audit_log file use: "log"
+# - To log *only* to the ModSecurity audit_log file use: "nolog,auditlog"
+# - To log *only* to the Apache error_log file use: "log,noauditlog"
+#
+# Ref: http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-traditional-vs-anomaly-scoring-detection-modes.html
+# Ref: https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDefaultAction
+#
+SecDefaultAction "phase:1,deny,log"
+
+
+#
+# -- [[ Collaborative Detection Severity Levels ]] ----------------------------------------
+#
+# These are the default scoring points for each severity level. You may
+# adjust these to you liking. These settings will be used in macro expansion
+# in the rules to increment the anomaly scores when rules match.
+#
+# These are the default Severity ratings (with anomaly scores) of the individual rules -
+#
+# - 2: Critical - Anomaly Score of 5.
+# Is the highest severity level possible without correlation. It is
+# normally generated by the web attack rules (40 level files).
+# - 3: Error - Anomaly Score of 4.
+# Is generated mostly from outbound leakage rules (50 level files).
+# - 4: Warning - Anomaly Score of 3.
+# Is generated by malicious client rules (35 level files).
+# - 5: Notice - Anomaly Score of 2.
+# Is generated by the Protocol policy and anomaly files.
+#
+SecAction \
+ "id:'900001', \
+ phase:1, \
+ t:none, \
+ setvar:tx.critical_anomaly_score=5, \
+ setvar:tx.error_anomaly_score=4, \
+ setvar:tx.warning_anomaly_score=3, \
+ setvar:tx.notice_anomaly_score=2, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Collaborative Detection Scoring Threshold Levels ]] ------------------------------
+#
+# These variables are used in macro expansion in the 49 inbound blocking and 59
+# outbound blocking files.
+#
+# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
+# operators. If you have an earlier version, edit the 49/59 files directly to
+# set the appropriate anomaly score levels.
+#
+# You should set the score to the proper threshold you would prefer. If set to "5"
+# it will work similarly to previous Mod CRS rules and will create an event in the error_log
+# file if there are any rules that match. If you would like to lessen the number of events
+# generated in the error_log file, you should increase the anomaly score threshold to
+# something like "20". This would only generate an event in the error_log file if
+# there are multiple lower severity rule matches or if any 1 higher severity item matches.
+#
+SecAction \
+ "id:'900002', \
+ phase:1, \
+ t:none, \
+ setvar:tx.inbound_anomaly_score_level=5, \
+ nolog, \
+ pass"
+
+
+SecAction \
+ "id:'900003', \
+ phase:1, \
+ t:none, \
+ setvar:tx.outbound_anomaly_score_level=4, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Collaborative Detection Blocking ]] -----------------------------------------------
+#
+# This is a collaborative detection mode where each rule will increment an overall
+# anomaly score for the transaction. The scores are then evaluated in the following files:
+#
+# Inbound anomaly score - checked in the modsecurity_crs_49_inbound_blocking.conf file
+# Outbound anomaly score - checked in the modsecurity_crs_59_outbound_blocking.conf file
+#
+# If you want to use anomaly scoring mode, then uncomment this line.
+#
+#SecAction \
+ "id:'900004', \
+ phase:1, \
+ t:none, \
+ setvar:tx.anomaly_score_blocking=on, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ GeoIP Database ]] -----------------------------------------------------------------
+#
+# There are some rulesets that need to inspect the GEO data of the REMOTE_ADDR data.
+#
+# You must first download the MaxMind GeoIP Lite City DB -
+#
+# http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
+#
+# You then need to define the proper path for the SecGeoLookupDb directive
+#
+# Ref: http://blog.spiderlabs.com/2010/10/detecting-malice-with-modsecurity-geolocation-data.html
+# Ref: http://blog.spiderlabs.com/2010/11/detecting-malice-with-modsecurity-ip-forensics.html
+#
+#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat
+
+#
+# -- [[ Regression Testing Mode ]] --------------------------------------------------------
+#
+# If you are going to run the regression testing mode, you should uncomment the
+# following rule. It will enable DetectionOnly mode for the SecRuleEngine and
+# will enable Response Header tagging so that the client testing script can see
+# which rule IDs have matched.
+#
+# You must specify the your source IP address where you will be running the tests
+# from.
+#
+#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+ "id:'900005', \
+ phase:1, \
+ t:none, \
+ ctl:ruleEngine=DetectionOnly, \
+ setvar:tx.regression_testing=1, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ HTTP Policy Settings ]] ----------------------------------------------------------
+#
+# Set the following policy settings here and they will be propagated to the 23 rules
+# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
+# If you run into false positives, you can adjust the settings here.
+#
+# Only the max number of args is uncommented by default as there are a high rate
+# of false positives. Uncomment the items you wish to set.
+#
+#
+# -- Maximum number of arguments in request limited
+SecAction \
+ "id:'900006', \
+ phase:1, \
+ t:none, \
+ setvar:tx.max_num_args=255, \
+ nolog, \
+ pass"
+
+#
+# -- Limit argument name length
+#SecAction \
+ "id:'900007', \
+ phase:1, \
+ t:none, \
+ setvar:tx.arg_name_length=100, \
+ nolog, \
+ pass"
+
+#
+# -- Limit value name length
+#SecAction \
+ "id:'900008', \
+ phase:1, \
+ t:none, \
+ setvar:tx.arg_length=400, \
+ nolog, \
+ pass"
+
+#
+# -- Limit arguments total length
+#SecAction \
+ "id:'900009', \
+ phase:1, \
+ t:none, \
+ setvar:tx.total_arg_length=64000, \
+ nolog, \
+ pass"
+
+#
+# -- Individual file size is limited
+#SecAction \
+ "id:'900010', \
+ phase:1, \
+ t:none, \
+ setvar:tx.max_file_size=1048576, \
+ nolog, \
+ pass"
+
+#
+# -- Combined file size is limited
+#SecAction \
+ "id:'900011', \
+ phase:1, \
+ t:none, \
+ setvar:tx.combined_file_sizes=1048576, \
+ nolog, \
+ pass"
+
+
+#
+# Set the following policy settings here and they will be propagated to the 30 rules
+# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
+# If you run into false positves, you can adjust the settings here.
+#
+SecAction \
+ "id:'900012', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
+ setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
+ setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+ setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
+ setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Content Security Policy (CSP) Settings ]] -----------------------------------------
+#
+# The purpose of these settings is to send CSP response headers to
+# Mozilla FireFox users so that you can enforce how dynamic content
+# is used. CSP usage helps to prevent XSS attacks against your users.
+#
+# Reference Link:
+#
+# https://developer.mozilla.org/en/Security/CSP
+#
+# Uncomment this SecAction line if you want use CSP enforcement.
+# You need to set the appropriate directives and settings for your site/domain and
+# and activate the CSP file in the experimental_rules directory.
+#
+# Ref: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-integrating-content-security-policy-csp.html
+#
+#SecAction \
+ "id:'900013', \
+ phase:1, \
+ t:none, \
+ setvar:tx.csp_report_only=1, \
+ setvar:tx.csp_report_uri=/csp_violation_report, \
+ setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Brute Force Protection ]] ---------------------------------------------------------
+#
+# If you are using the Brute Force Protection rule set, then uncomment the following
+# lines and set the following variables:
+# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
+# - Burst Time Slice Interval: time interval window to monitor for bursts
+# - Request Threshold: request # threshold to trigger a burst
+# - Block Period: temporary block timeout
+#
+#SecAction \
+ "id:'900014', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \
+ setvar:'tx.brute_force_burst_time_slice=60', \
+ setvar:'tx.brute_force_counter_threshold=10', \
+ setvar:'tx.brute_force_block_timeout=300', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ DoS Protection ]] ----------------------------------------------------------------
+#
+# If you are using the DoS Protection rule set, then uncomment the following
+# lines and set the following variables:
+# - Burst Time Slice Interval: time interval window to monitor for bursts
+# - Request Threshold: request # threshold to trigger a burst
+# - Block Period: temporary block timeout
+#
+#SecAction \
+ "id:'900015', \
+ phase:1, \
+ t:none, \
+ setvar:'tx.dos_burst_time_slice=60', \
+ setvar:'tx.dos_counter_threshold=100', \
+ setvar:'tx.dos_block_timeout=600', \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Check UTF enconding ]] -----------------------------------------------------------
+#
+# We only want to apply this check if UTF-8 encoding is actually used by the site, otherwise
+# it will result in false positives.
+#
+# Uncomment this line if your site uses UTF8 encoding
+#SecAction \
+ "id:'900016', \
+ phase:1, \
+ t:none, \
+ setvar:tx.crs_validate_utf8_encoding=1, \
+ nolog, \
+ pass"
+
+
+#
+# -- [[ Enable XML Body Parsing ]] -------------------------------------------------------
+#
+# The rules in this file will trigger the XML parser upon an XML request
+#
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+ "id:'900017', \
+ phase:1, \
+ t:none,t:lowercase, \
+ nolog, \
+ pass, \
+ chain"
+ SecRule REQBODY_PROCESSOR "!@streq XML" \
+ "ctl:requestBodyProcessor=XML"
+
+
+#
+# -- [[ Global and IP Collections ]] -----------------------------------------------------
+#
+# Create both Global and IP collections for rules to use
+# There are some CRS rules that assume that these two collections
+# have already been initiated.
+#
+SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
+ "id:'900018', \
+ phase:1, \
+ t:none,t:sha1,t:hexEncode, \
+ setvar:tx.ua_hash=%{matched_var}, \
+ nolog, \
+ pass"
+
+
+SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
+ "id:'900019', \
+ phase:1, \
+ t:none, \
+ capture, \
+ setvar:tx.real_ip=%{tx.1}, \
+ nolog, \
+ pass"
+
+
+SecRule &TX:REAL_IP "!@eq 0" \
+ "id:'900020', \
+ phase:1, \
+ t:none, \
+ initcol:global=global, \
+ initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \
+ nolog, \
+ pass"
+
+
+SecRule &TX:REAL_IP "@eq 0" \
+ "id:'900021', \
+ phase:1, \
+ t:none, \
+ initcol:global=global, \
+ initcol:ip=%{remote_addr}_%{tx.ua_hash}, \
+ nolog, \
+ pass"
diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb
new file mode 100644
index 000000000..5ab0a5b5d
--- /dev/null
+++ b/templates/vhost/_security.erb
@@ -0,0 +1,20 @@
+<% if @modsec_disable_vhost -%>
+ SecRuleEngine Off
+<% end -%>
+<% if @_modsec_disable_ids.is_a?(Hash) -%>
+<% @_modsec_disable_ids.each do |location,rules| -%>
+ >
+<% Array(rules).each do |rule| -%>
+ SecRuleRemoveById <%= rule %>
+<% end -%>
+
+<% end -%>
+<% end -%>
+<% ips = Array(@modsec_disable_ips).join(',') %>
+<% if ips != '' %>
+ SecRule REMOTE_ADDR "<%= ips %>" "nolog,allow,id:1234123455"
+ SecAction "phase:2,pass,nolog,id:1234123456"
+<% end -%>
+<% if @modsec_body_limit -%>
+ SecRequestBodyLimit <%= @modsec_body_limit %>
+<% end -%>