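<IfModule mod_security2.c>
    # ModSecurity Core Rules Set configuration
    # IncludeOptional (Apache >= 2.4) tolerates a glob that matches nothing;
    # older releases only have Include, which fails on an empty match.
<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
    IncludeOptional <%= @modsec_dir %>/*.conf
    IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
<%- else -%>
    Include <%= @modsec_dir %>/*.conf
    Include <%= @modsec_dir %>/activated_rules/*.conf
<%- end -%>

    # Default recommended configuration
    # Blocking mode: disruptive actions (deny, Reject) are enforced, not merely logged.
    SecRuleEngine On
    # Buffer and inspect request bodies so the rules below can see POST payloads.
    SecRequestBodyAccess On
    # Hand XML request bodies to the XML body processor (phase 1, no logging).
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    # Request body limits in bytes: 12.5 MiB total, 128 KiB when no files are
    # uploaded, 128 KiB held in memory before spooling to SecTmpDir.
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    # Reject (rather than ProcessPartial): an oversized body is refused instead
    # of being inspected only in part.
    SecRequestBodyLimitAction Reject
    # Fail closed when the body parser reports an error.
    SecRule REQBODY_ERROR "!@eq 0" \
      "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    # Strict multipart validation, denied with 400 Bad Request. Only valid HTTP
    # status codes are honoured here: an out-of-range value such as 44 makes
    # Apache answer with a 500 instead of the intended client error.
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
      "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body failed strict validation: \
      PE %{REQBODY_PROCESSOR_ERROR}, \
      BQ %{MULTIPART_BOUNDARY_QUOTED}, \
      BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
      DB %{MULTIPART_DATA_BEFORE}, \
      DA %{MULTIPART_DATA_AFTER}, \
      HF %{MULTIPART_HEADER_FOLDING}, \
      LF %{MULTIPART_LF_LINE}, \
      SM %{MULTIPART_MISSING_SEMICOLON}, \
      IQ %{MULTIPART_INVALID_QUOTING}, \
      IP %{MULTIPART_INVALID_PART}, \
      IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
      FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    # Same status correction as rule 200002 (400, not 44).
    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
      "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    # Low PCRE limits bound regex backtracking per rule (protection against
    # pathological patterns). When a limit is hit ModSecurity sets a TX:MSC_*
    # flag and rule 200004 below denies the request, so raise these with care.
    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000

    # Deny any transaction on which ModSecurity flagged an internal error
    # (any TX variable named MSC_* that is not 0).
    SecRule TX:/^MSC_/ "!@streq 0" \
      "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    # Response body inspection is off, so outbound (data-leakage) rules have no
    # effect; the MIME types and limit below only apply if it is turned on.
    SecResponseBodyAccess Off
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    # 0 = debug log disabled; higher levels record request details verbosely.
    SecDebugLogLevel 0
    # Audit only transactions that matched a rule or returned 5xx, or 4xx other
    # than 404 (see SecAuditLogRelevantStatus).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    # Logged parts include request headers (B) and request body (I): the audit
    # log can therefore contain credentials or personal data -- keep its
    # permissions tight.
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    # & separates query-string / form arguments.
    SecArgumentSeparator &
    # 0 = Netscape cookie format (1 would select version 1 cookies).
    SecCookieFormat 0
    # Distribution-specific log and working directories. SecTmpDir/SecDataDir
    # must exist and be writable by the Apache user; persistent collections are
    # stored in SecDataDir.
<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecTmpDir /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity
<%- else -%>
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
<%- end -%>
</IfModule>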