]> git.donarmstrong.com Git - dsa-puppet.git/blobdiff - 3rdparty/modules/apache/templates/mod/security.conf.erb
projects / dsa-puppet.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
try again, with puppetforge modules, correctly included now
[dsa-puppet.git] / 3rdparty / modules / apache / templates / mod / security.conf.erb
diff --git a/3rdparty/modules/apache/templates/mod/security.conf.erb b/3rdparty/modules/apache/templates/mod/security.conf.erb
new file mode 100644 (file)
index 0000000..7597c46
--- /dev/null
+++ b/3rdparty/modules/apache/templates/mod/security.conf.erb
@@ -0,0 +1,68 @@
+<IfModule mod_security2.c>
+    # ModSecurity Core Rules Set configuration
+<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
+    IncludeOptional <%= @modsec_dir %>/*.conf
+    IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
+<%- else -%>
+    Include <%= @modsec_dir %>/*.conf
+    Include <%= @modsec_dir %>/activated_rules/*.conf
+<%- end -%>
+
+    # Default recommended configuration
+    SecRuleEngine On
+    SecRequestBodyAccess On
+    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
+      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+    SecRequestBodyLimit 13107200
+    SecRequestBodyNoFilesLimit 131072
+    SecRequestBodyInMemoryLimit 131072
+    SecRequestBodyLimitAction Reject
+    SecRule REQBODY_ERROR "!@eq 0" \
+      "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+      "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
+      PE %{REQBODY_PROCESSOR_ERROR}, \
+      BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+      BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+      DB %{MULTIPART_DATA_BEFORE}, \
+      DA %{MULTIPART_DATA_AFTER}, \
+      HF %{MULTIPART_HEADER_FOLDING}, \
+      LF %{MULTIPART_LF_LINE}, \
+      SM %{MULTIPART_MISSING_SEMICOLON}, \
+      IQ %{MULTIPART_INVALID_QUOTING}, \
+      IP %{MULTIPART_INVALID_PART}, \
+      IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+      FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
+      "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+    SecPcreMatchLimit 1000
+    SecPcreMatchLimitRecursion 1000
+
+    SecRule TX:/^MSC_/ "!@streq 0" \
+      "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+    SecResponseBodyAccess Off
+    SecResponseBodyMimeType text/plain text/html text/xml
+    SecResponseBodyLimit 524288
+    SecResponseBodyLimitAction ProcessPartial
+    SecDebugLogLevel 0
+    SecAuditEngine RelevantOnly
+    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+    SecAuditLogParts ABIJDEFHZ
+    SecAuditLogType Serial
+    SecArgumentSeparator &
+    SecCookieFormat 0
+<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
+    SecDebugLog /var/log/apache2/modsec_debug.log
+    SecAuditLog /var/log/apache2/modsec_audit.log
+    SecTmpDir /var/cache/modsecurity
+    SecDataDir /var/cache/modsecurity
+<% else -%>
+    SecDebugLog /var/log/httpd/modsec_debug.log
+    SecAuditLog /var/log/httpd/modsec_audit.log
+    SecTmpDir /var/lib/mod_security
+    SecDataDir /var/lib/mod_security
+<% end -%>
+</IfModule>
Unnamed repository; edit this file 'description' to name the repository.