76 lines
3.4 KiB
Plaintext
76 lines
3.4 KiB
Plaintext
|
{%- set apache = pillar.get('apache', {}) %}
|
||
|
{%- set modsec = apache.get('mod_security', {}) %}
|
||
|
{%- set sec_rule_engine = modsec.get('sec_rule_engine', 'DetectionOnly' ) -%}
|
||
|
{%- set sec_request_body_access = modsec.get('sec_request_body_access', 'On' ) -%}
|
||
|
{%- set sec_request_body_limit = modsec.get('sec_request_body_limit', 13107200 ) -%}
|
||
|
{%- set sec_request_body_no_files_limit = modsec.get('sec_request_body_no_files_limit', 131072 ) -%}
|
||
|
{%- set sec_request_body_in_memory_limit = modsec.get('sec_request_body_in_memory_limit', 131072 ) -%}
|
||
|
{%- set sec_request_body_limit_action = modsec.get('sec_request_body_limit_action', 'Reject' ) -%}
|
||
|
{%- set sec_pcre_match_limit = modsec.get('sec_pcre_match_limit', 1000 ) -%}
|
||
|
{%- set sec_pcre_match_limit_recursion = modsec.get('sec_pcre_match_limit_recursion', 1000 ) -%}
|
||
|
{%- set sec_debug_log_level = modsec.get('sec_debug_log_level', 0 ) -%}
|
||
|
#
|
||
|
# This file is managed/autogenerated by salt.
|
||
|
# Modify the salt pillar that generates this file instead
|
||
|
#
|
||
|
|
||
|
LoadModule security2_module modules/mod_security2.so
|
||
|
|
||
|
<IfModule !mod_unique_id.c>
|
||
|
LoadModule unique_id_module modules/mod_unique_id.so
|
||
|
</IfModule>
|
||
|
<IfModule mod_security2.c>
|
||
|
# ModSecurity Core Rules Set configuration
|
||
|
Include modsecurity.d/*.conf
|
||
|
Include modsecurity.d/activated_rules/*.conf
|
||
|
|
||
|
# Default recommended configuration
|
||
|
SecRuleEngine {{ sec_rule_engine }}
|
||
|
SecRequestBodyAccess {{ sec_request_body_access }}
|
||
|
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
|
||
|
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
||
|
SecRequestBodyLimit {{ sec_request_body_limit }}
|
||
|
SecRequestBodyNoFilesLimit {{ sec_request_body_no_files_limit }}
|
||
|
SecRequestBodyInMemoryLimit {{ sec_request_body_in_memory_limit }}
|
||
|
SecRequestBodyLimitAction {{ sec_request_body_limit_action }}
|
||
|
SecRule REQBODY_ERROR "!@eq 0" \
|
||
|
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
||
|
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
||
|
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
|
||
|
failed strict validation: \
|
||
|
PE %{REQBODY_PROCESSOR_ERROR}, \
|
||
|
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
||
|
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
||
|
DB %{MULTIPART_DATA_BEFORE}, \
|
||
|
DA %{MULTIPART_DATA_AFTER}, \
|
||
|
HF %{MULTIPART_HEADER_FOLDING}, \
|
||
|
LF %{MULTIPART_LF_LINE}, \
|
||
|
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
||
|
IQ %{MULTIPART_INVALID_QUOTING}, \
|
||
|
IP %{MULTIPART_INVALID_PART}, \
|
||
|
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
||
|
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
||
|
|
||
|
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
||
|
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
|
||
|
|
||
|
SecPcreMatchLimit {{ sec_pcre_match_limit }}
|
||
|
SecPcreMatchLimitRecursion {{ sec_pcre_match_limit_recursion }}
|
||
|
|
||
|
SecRule TX:/^MSC_/ "!@streq 0" \
|
||
|
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
||
|
|
||
|
SecResponseBodyAccess Off
|
||
|
SecDebugLog /var/log/httpd/modsec_debug.log
|
||
|
SecDebugLogLevel {{ sec_debug_log_level }}
|
||
|
SecAuditEngine RelevantOnly
|
||
|
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
||
|
SecAuditLogParts ABIJDEFHZ
|
||
|
SecAuditLogType Serial
|
||
|
SecAuditLog /var/log/httpd/modsec_audit.log
|
||
|
SecArgumentSeparator &
|
||
|
SecCookieFormat 0
|
||
|
SecTmpDir /var/lib/mod_security
|
||
|
SecDataDir /var/lib/mod_security
|
||
|
</IfModule>
|