File: security.conf.epp

package info (click to toggle)
puppet-module-puppetlabs-apache 12.2.0-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 2,664 kB
  • sloc: ruby: 275; sh: 32; makefile: 2
file content (81 lines) | stat: -rw-r--r-- 3,509 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
 
<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine <%= $modsec_secruleengine %>
    SecRequestBodyAccess <%= $secrequestbodyaccess %>
  <%- if $custom_rules { -%>
    Include <%= $modsec_dir %>/custom_rules/*.conf
  <%- } -%>
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    SecRequestBodyLimit <%= $secrequestbodylimit %>
    SecRequestBodyNoFilesLimit <%= $secrequestbodynofileslimit %>
    SecRequestBodyInMemoryLimit <%= $secrequestbodyinmemorylimit %>
    SecRequestBodyLimitAction <%= $secrequestbodylimitaction %>
    SecRule REQBODY_ERROR "!@eq 0" \
      "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
      "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
      PE %{REQBODY_PROCESSOR_ERROR}, \
      BQ %{MULTIPART_BOUNDARY_QUOTED}, \
      BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
      DB %{MULTIPART_DATA_BEFORE}, \
      DA %{MULTIPART_DATA_AFTER}, \
      HF %{MULTIPART_HEADER_FOLDING}, \
      LF %{MULTIPART_LF_LINE}, \
      SM %{MULTIPART_MISSING_SEMICOLON}, \
      IQ %{MULTIPART_INVALID_QUOTING}, \
      IP %{MULTIPART_INVALID_PART}, \
      IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
      FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"


    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
      "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

    SecPcreMatchLimit <%= $secpcrematchlimit %>
    SecPcreMatchLimitRecursion <%= $secpcrematchlimitrecursion %>

    SecRule TX:/^MSC_/ "!@streq 0" \
      "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    SecResponseBodyAccess <%= $secresponsebodyaccess %>
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction <%= $secresponsebodylimitaction %>
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "<%= $audit_log_relevant_status %>"
    SecAuditLogParts <%= $audit_log_parts %>
    SecAuditLogType <%= $audit_log_type %>
    <%- if $audit_log_storage_dir { -%>
    SecAuditLogStorageDir <%= $audit_log_storage_dir %>
    <%- } -%>
    SecArgumentSeparator &
    SecCookieFormat 0
<%- if $facts['os']['family'] == 'Debian' { -%>
    SecDebugLog <%= $logroot %>/modsec_debug.log
    SecAuditLog <%= $logroot %>/modsec_audit.log
    SecTmpDir /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity
    SecUploadDir /var/cache/modsecurity
<%- }elsif $facts['os']['family'] == 'Suse' { -%>
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
    SecUploadDir /var/lib/mod_security
<% } else { -%>
    SecDebugLog <%= $logroot %>/modsec_debug.log
    SecAuditLog <%= $logroot %>/modsec_audit.log
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
    SecUploadDir /var/lib/mod_security
<% } -%>
    SecUploadKeepFiles Off

    # ModSecurity Core Rules Set configuration
    IncludeOptional <%= $modsec_dir %>/*.conf
    IncludeOptional <%= $modsec_dir %>/activated_rules/*.conf
</IfModule>