summaryrefslogtreecommitdiffstats
path: root/mod_security.conf
blob: 7468a055b1f772d2cd9faa73dc5dd503872acb3e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
	# This is the ModSecurity Core Rules Set.

	# Basic configuration goes in here
	Include modsecurity.d/*.conf
	Include modsecurity.d/activated_rules/*.conf

	# Additional items taken from new minimal modsecurity conf
	# Basic configuration options
	SecRuleEngine On
	SecRequestBodyAccess On
	SecResponseBodyAccess Off
	
	# Handling of file uploads
	# TODO Choose a folder private to Apache.
	# SecUploadDir /opt/apache-frontend/tmp/
	SecUploadKeepFiles Off
	SecUploadFileLimit 10

	# Debug log
	SecDebugLog /var/log/httpd/modsec_debug.log
	SecDebugLogLevel 0

	# Audit log
	SecAuditEngine RelevantOnly
	SecAuditLogRelevantStatus ^5
	SecAuditLogType Serial
	SecAuditLogParts ABIFHZ
	SecAuditLog /var/log/httpd/modsec_audit.log

	# Alternative mlogc configuration
	#SecAuditLogType Concurrent
	#SecAuditLogParts ABIDEFGHZ
	#SecAuditLogStorageDir /var/log/mlogc/data
	#SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"

	# Set Data Directory
	SecDataDir /var/log/httpd/

	# Maximum request body size we will
	# accept for buffering
	SecRequestBodyLimit 131072

	# Store up to 128 KB in memory
	SecRequestBodyInMemoryLimit 131072

	# Buffer response bodies of up to
	# 512 KB in length
	SecResponseBodyLimit 524288

	# Verify that we've correctly processed the request body.
	# As a rule of thumb, when failing to process a request body
	# you should reject the request (when deployed in blocking mode)
	# or log a high-severity alert (when deployed in detection-only mode).
	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
	"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

	# By default be strict with what we accept in the multipart/form-data
	# request body. If the rule below proves to be too strict for your
	# environment consider changing it to detection-only. You are encouraged
	# _not_ to remove it altogether.
	SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
	"phase:2,t:none,log,deny,msg:'Multipart request body \
	failed strict validation: \
	PE %{REQBODY_PROCESSOR_ERROR}, \
	BQ %{MULTIPART_BOUNDARY_QUOTED}, \
	BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
	DB %{MULTIPART_DATA_BEFORE}, \
	DA %{MULTIPART_DATA_AFTER}, \
	HF %{MULTIPART_HEADER_FOLDING}, \
	LF %{MULTIPART_LF_LINE}, \
	SM %{MULTIPART_SEMICOLON_MISSING}, \
	IQ %{MULTIPART_INVALID_QUOTING}, \
	IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
	IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
	
	# Did we see anything that might be a boundary?
	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
	"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
	
	# Some internal errors will set flags in TX and we will need to look for these.
	# All of these are prefixed with "MSC_".  The following flags currently exist:
	#
	# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
	#
	SecRule TX:/^MSC_/ "!@streq 0" \
	        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
</IfModule>