forked from pool/apache2-mod_security2
7ec8988758
in autoconf m4 macros. Obsoletes patch
modsecurity-apache_2.8.0-build_fix_pcre.diff
- use automake for build, add autoconf and automake to
BuildRequires:. This fix is combined with [bnc#876878].
- turn on --enable-htaccess-config
- use %{?_smp_mflags} for build
- OWASP rule set. [bnc#876878]
new in 2.8.0 (more complete changelog to add to last changelog):
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit)
now support white and suspicious list
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH
* GPLv2 replaced by Apache License v2
* rules are not part of the source tarball any longer, but
maintaned upstream externally, and included in this package.
* documentation was externalized to a wiki. Package contains
the FAQ and the reference manual in html form.
* renamed the term "Encryption" in directives that actually refer
to hashes. See CHANGES file for more details.
* byte conversion issues on s390x when logging fixed.
* many small issues fixed that were discovered by a Coverity scanner
* updated reference manual
* wrong time calculation when logging for some timezones fixed.
* replaced time-measuring mechanism with finer granularity for
measured request/answer phases. (Stopwatch remains for compat.)
* cookie parser memory leak fix
* parsing of quoted strings in multipart Content-Disposition
headers fixed.
OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_security2?expand=0&rev=46
294 lines
10 KiB
Plaintext
294 lines
10 KiB
Plaintext
|
|
# Dear administrator/webmaster,
|
|
#
|
|
# Welcome to /etc/apache2/conf.d/mod_security2.conf, the starting point for
|
|
# the configuration of mod_security2.
|
|
# Please read this text down to line 63 for information about activation
|
|
# and configuration of the mod_security2 apache module.
|
|
#
|
|
# To activate mod_security2, its apache module must be configured to be
|
|
# loaded when apache starts. The mod_security2 apache module depends on
|
|
# the module mod_unique_id to be able to run. This means that both apache
|
|
# modules must be activated/loaded when apache starts.
|
|
|
|
# Change the configuration to load these two modules by adding the two
|
|
# module names "security2" and "unique_id" to the variable APACHE_MODULES
|
|
# in /etc/sysconfig/apache2 . You can do that manually, or use the tools
|
|
# a2enmod (enable apache module) and a2dismod (disable apache module).
|
|
# These two tools expect the name of the module without the leading
|
|
# "mod_" as an argument!
|
|
#
|
|
# note: /etc/sysconfig/apache2 is evaluated upon apache start by the apache
|
|
# start script /usr/sbin/start_apache2 . Changes in APACHE_MODULES are then
|
|
# visible in /etc/apache2/sysconfig.d/loadmodule.conf, changed by the start
|
|
# script.
|
|
#
|
|
# example for the use of a2enmod/a2dismod:
|
|
#
|
|
# a2enmod security2 # enable module security2
|
|
# a2enmod unique_id # enable module unique_id
|
|
#
|
|
# a2dismod security2 # disable
|
|
# a2dismod unique_id # %
|
|
|
|
#
|
|
# This file /etc/apache2/conf.d/mod_security2.conf makes some basic
|
|
# configuration settings, then loads
|
|
# /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
|
|
# which is the baseline for the rules that can be loaded later.
|
|
#
|
|
# Afterwards, all files named *.conf in /etc/apache2/mod_security2.d are read.
|
|
# For the rules you wish to apply, place a symlink to the rules file there.
|
|
#
|
|
# About the rules; The OWASP ModSecurity Core Rule Set version 2.2.9
|
|
# is contained in this package, a splendid set of rules made to provide for a
|
|
# decent basic and even advanced protection. The rules files are contained
|
|
# in the directory /usr/share/apache2-mod_security2/rules/.
|
|
#
|
|
# Example (use all of the basic rules that come with the package):
|
|
#
|
|
# cd /etc/apache2/mod_security2.d
|
|
# for i in /usr/share/apache2-mod_security2/rules/base_rules/mod*; do
|
|
# ln -s $i .
|
|
# done
|
|
#
|
|
# At last, simply restart apache:
|
|
# rcapache2 restart
|
|
#
|
|
# In doubt, please consult the valuable online documentation on the project's
|
|
# website, which is the authoritative source for documentation.
|
|
# For offline reading, the webpages for the Reference Guide and the FAQ are
|
|
# located in the package's documentation directory, in the state of 2013/01:
|
|
# /usr/share/doc/packages/apache2-mod_security2
|
|
#
|
|
# Roman Drahtmueller <draht@suse.de>, SUSE, 20140610.
|
|
#
|
|
|
|
|
|
|
|
<IfModule mod_security2.c>
|
|
|
|
# -- Rule engine initialization ----------------------------------------------
|
|
|
|
# Enable ModSecurity, attaching it to every transaction. Use detection
|
|
# only to start with, because that minimises the chances of post-installation
|
|
# disruption.
|
|
#
|
|
SecRuleEngine DetectionOnly
|
|
|
|
|
|
# -- Request body handling ---------------------------------------------------
|
|
|
|
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
|
|
# won't be able to see any POST parameters, which opens a large security
|
|
# hole for attackers to exploit.
|
|
#
|
|
SecRequestBodyAccess On
|
|
|
|
|
|
# Enable XML request body parser.
|
|
# Initiate XML Processor in case of xml content-type
|
|
#
|
|
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
|
|
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
|
|
|
|
|
# Maximum request body size we will accept for buffering. If you support
|
|
# file uploads then the value given on the first line has to be as large
|
|
# as the largest file you are willing to accept. The second value refers
|
|
# to the size of data, with files excluded. You want to keep that value as
|
|
# low as practical.
|
|
#
|
|
SecRequestBodyLimit 13107200
|
|
SecRequestBodyNoFilesLimit 131072
|
|
|
|
# Store up to 128 KB of request body data in memory. When the multipart
|
|
# parser reachers this limit, it will start using your hard disk for
|
|
# storage. That is slow, but unavoidable.
|
|
#
|
|
SecRequestBodyInMemoryLimit 131072
|
|
|
|
# What do do if the request body size is above our configured limit.
|
|
# Keep in mind that this setting will automatically be set to ProcessPartial
|
|
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
|
|
# disruptions when initially deploying ModSecurity.
|
|
#
|
|
SecRequestBodyLimitAction Reject
|
|
|
|
# Verify that we've correctly processed the request body.
|
|
# As a rule of thumb, when failing to process a request body
|
|
# you should reject the request (when deployed in blocking mode)
|
|
# or log a high-severity alert (when deployed in detection-only mode).
|
|
#
|
|
SecRule REQBODY_ERROR "!@eq 0" \
|
|
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
|
|
|
# By default be strict with what we accept in the multipart/form-data
|
|
# request body. If the rule below proves to be too strict for your
|
|
# environment consider changing it to detection-only. You are encouraged
|
|
# _not_ to remove it altogether.
|
|
#
|
|
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
|
"id:'200002',phase:2,t:none,log,deny,status:44, \
|
|
msg:'Multipart request body failed strict validation: \
|
|
PE %{REQBODY_PROCESSOR_ERROR}, \
|
|
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
|
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
|
DB %{MULTIPART_DATA_BEFORE}, \
|
|
DA %{MULTIPART_DATA_AFTER}, \
|
|
HF %{MULTIPART_HEADER_FOLDING}, \
|
|
LF %{MULTIPART_LF_LINE}, \
|
|
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
|
IQ %{MULTIPART_INVALID_QUOTING}, \
|
|
IP %{MULTIPART_INVALID_PART}, \
|
|
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
|
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
|
|
|
# Did we see anything that might be a boundary?
|
|
#
|
|
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
|
|
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
|
|
|
|
# PCRE Tuning
|
|
# We want to avoid a potential RegEx DoS condition
|
|
#
|
|
SecPcreMatchLimit 1000
|
|
SecPcreMatchLimitRecursion 1000
|
|
|
|
# Some internal errors will set flags in TX and we will need to look for these.
|
|
# All of these are prefixed with "MSC_". The following flags currently exist:
|
|
#
|
|
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
|
|
#
|
|
SecRule TX:/^MSC_/ "!@streq 0" \
|
|
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
|
|
|
|
|
|
# -- Response body handling --------------------------------------------------
|
|
|
|
# Allow ModSecurity to access response bodies.
|
|
# You should have this directive enabled in order to identify errors
|
|
# and data leakage issues.
|
|
#
|
|
# Do keep in mind that enabling this directive does increases both
|
|
# memory consumption and response latency.
|
|
#
|
|
SecResponseBodyAccess On
|
|
|
|
# Which response MIME types do you want to inspect? You should adjust the
|
|
# configuration below to catch documents but avoid static files
|
|
# (e.g., images and archives).
|
|
#
|
|
SecResponseBodyMimeType text/plain text/html text/xml
|
|
|
|
# Buffer response bodies of up to 512 KB in length.
|
|
SecResponseBodyLimit 524288
|
|
|
|
# What happens when we encounter a response body larger than the configured
|
|
# limit? By default, we process what we have and let the rest through.
|
|
# That's somewhat less secure, but does not break any legitimate pages.
|
|
#
|
|
SecResponseBodyLimitAction ProcessPartial
|
|
|
|
|
|
# -- Filesystem configuration ------------------------------------------------
|
|
|
|
# The location where ModSecurity stores temporary files (for example, when
|
|
# it needs to handle a file upload that is larger than the configured limit).
|
|
#
|
|
# This default setting is chosen due to all systems have /tmp available however,
|
|
# this is less than ideal. It is recommended that you specify a location that's private.
|
|
#
|
|
SecTmpDir /tmp/
|
|
|
|
# The location where ModSecurity will keep its persistent data. This default setting
|
|
# is chosen due to all systems have /tmp available however, it
|
|
# too should be updated to a place that other users can't access.
|
|
#
|
|
SecDataDir /tmp/
|
|
|
|
|
|
# -- File uploads handling configuration -------------------------------------
|
|
|
|
# The location where ModSecurity stores intercepted uploaded files. This
|
|
# location must be private to ModSecurity. You don't want other users on
|
|
# the server to access the files, do you?
|
|
#
|
|
#SecUploadDir /opt/modsecurity/var/upload/
|
|
|
|
# By default, only keep the files that were determined to be unusual
|
|
# in some way (by an external inspection script). For this to work you
|
|
# will also need at least one file inspection rule.
|
|
#
|
|
#SecUploadKeepFiles RelevantOnly
|
|
|
|
# Uploaded files are by default created with permissions that do not allow
|
|
# any other user to access them. You may need to relax that if you want to
|
|
# interface ModSecurity to an external program (e.g., an anti-virus).
|
|
#
|
|
#SecUploadFileMode 0600
|
|
|
|
|
|
# -- Debug log configuration -------------------------------------------------
|
|
|
|
# The default debug log configuration is to duplicate the error, warning
|
|
# and notice messages from the error log.
|
|
#
|
|
#SecDebugLog /var/log/apache2/modsec_debug.log
|
|
#SecDebugLogLevel 3
|
|
|
|
# -- Audit log configuration -------------------------------------------------
|
|
|
|
# Log the transactions that are marked by a rule, as well as those that
|
|
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
|
|
# level response status codes).
|
|
#
|
|
SecAuditEngine RelevantOnly
|
|
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
|
|
|
# Log everything we know about a transaction.
|
|
SecAuditLogParts ABIJDEFHZ
|
|
|
|
# Use a single file for logging. This is much easier to look at, but
|
|
# assumes that you will use the audit log only ocassionally.
|
|
#
|
|
SecAuditLogType Serial
|
|
SecAuditLog /var/log/apache2/modsec_audit.log
|
|
|
|
# Specify the path for concurrent audit logging.
|
|
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
|
|
|
|
|
|
# -- Miscellaneous -----------------------------------------------------------
|
|
|
|
# Use the most commonly used application/x-www-form-urlencoded parameter
|
|
# separator. There's probably only one application somewhere that uses
|
|
# something else so don't expect to change this value.
|
|
#
|
|
SecArgumentSeparator &
|
|
|
|
# Settle on version 0 (zero) cookies, as that is what most applications
|
|
# use. Using an incorrect cookie version may open your installation to
|
|
# evasion attacks (against the rules that examine named cookies).
|
|
#
|
|
SecCookieFormat 0
|
|
|
|
# Specify your Unicode Code Point.
|
|
# This mapping is used by the t:urlDecodeUni transformation function
|
|
# to properly map encoded data to your language. Properly setting
|
|
# these directives helps to reduce false positives and negatives.
|
|
#
|
|
#SecUnicodeCodePage 20127
|
|
#SecUnicodeMapFile unicode.mapping
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
|
|
# as set up with symlinks for files that are placed here:
|
|
Include /etc/apache2/mod_security2.d/*.conf
|
|
|
|
</IfModule>
|