fix CVE-2021-20205 and examples update
parent
1a7abab570
commit
a98dae1fb6
|
@ -16,6 +16,9 @@ COPY lua/ /opt/lua
|
|||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
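Review bot: `RUN apk add "libjpeg-turbo>=2.1.0-r0"` runs without `--no-cache`, so it depends on whatever package index the earlier `prepare.sh` step left in the image and can leave index files behind in this layer; `prepare.sh` is not visible here, so whether the index is still present is an assumption to check. `RUN apk add --no-cache "libjpeg-turbo>=2.1.0-r0"` fetches a fresh index and keeps the layer clean, and the version constraint still makes the build fail if only an older package is available. The comment could also record why the constraint exists and when it can go, e.g. `# CVE-2021-20205: require libjpeg-turbo >= 2.1.0 until the base image ships it`. The same two lines are added in the four other Dockerfile hunks that follow.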
|
||||
|
|
|
@ -16,6 +16,9 @@ COPY lua/ /opt/lua
|
|||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -23,6 +23,9 @@ COPY lua/ /opt/lua
|
|||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -23,6 +23,9 @@ COPY lua/ /opt/lua
|
|||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -16,6 +16,9 @@ COPY lua/ /opt/lua
|
|||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
||||
VOLUME /www /http-confs /server-confs /modsec-confs /modsec-crs-confs /cache /pre-server-confs /acme-challenge
|
||||
|
||||
EXPOSE 8080/tcp 8443/tcp
|
||||
|
|
|
@ -18,6 +18,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -34,7 +34,7 @@ services:
|
|||
- net2
|
||||
|
||||
mycrowdsec:
|
||||
image: crowdsecurity/crowdsec:v1.0.2
|
||||
image: crowdsecurity/crowdsec:v1.0.13
|
||||
restart: always
|
||||
volumes:
|
||||
- ./acquis.yaml:/etc/crowdsec/acquis.yaml
|
||||
|
|
|
@ -0,0 +1,43 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./drupal-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
#- ./server-confs:/server-confs:ro # custom confs at server context for permalinks
|
||||
- ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Drupal exclusions
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- MAX_CLIENT_SIZE=50m
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- REMOTE_PHP=mydrupal
|
||||
- REMOTE_PHP_PATH=/var/www/html
|
||||
|
||||
mydrupal:
|
||||
image: drupal:fpm-alpine
|
||||
restart: always
|
||||
volumes:
|
||||
- ./drupal-files:/var/www/html
|
||||
|
||||
mydb:
|
||||
image: mariadb
|
||||
restart: always
|
||||
volumes:
|
||||
- ./db-data:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
|
||||
- MYSQL_DATABASE=drupaldb
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password
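Review bot: None of the `image:` lines in this new example is pinned to a release (`bunkerity/bunkerized-nginx` and `mariadb` have no tag, `drupal:fpm-alpine` is a floating tag), so each pull can bring in a different build of the WAF, the application and the database. Pin each one to a version tag or digest, e.g. `image: mariadb:<version>` with the version you tested. The database passwords are written inline as well; the mariadb image also accepts `MYSQL_ROOT_PASSWORD_FILE` and `MYSQL_PASSWORD_FILE`, which lets the example read them from Docker secrets instead of the compose file. The Ghost, Gogs, Joomla and Redmine compose files added later in this commit have the same unpinned images, and Joomla and Redmine the same inline passwords.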
|
|
@ -0,0 +1,7 @@
|
|||
SecAction \
|
||||
"id:900130,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:tx.crs_exclusions_drupal=1"
|
|
@ -0,0 +1,33 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
myreverse:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
#- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=http://myghost:2368/
|
||||
|
||||
myghost:
|
||||
image: ghost:alpine
|
||||
volumes:
|
||||
- ./data-ghost:/
|
||||
environment:
|
||||
- url=https://www.website.com # replace with your domain
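Review bot: The `myghost` volume `- ./data-ghost:/` uses the container root as the mount destination, which Docker rejects, so this example will not start as written. The official Ghost image keeps its data under `/var/lib/ghost/content`, so the line should probably be `- ./data-ghost:/var/lib/ghost/content`. `myghost` also has no `restart: always`, unlike the backend services in the Drupal and Joomla examples of this commit.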
|
|
@ -0,0 +1,7 @@
|
|||
SecAction \
|
||||
"id:900220,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
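Review bot: This allow-list contains `application/x-git-upload-pack-request` and `application/x-git-receive-pack-request`, and it is identical to the rule added further down next to the Gogs example. If this file belongs to the Ghost example (file names are not visible on this page), those two entries widen the accepted content types beyond what the application needs and should be dropped here. The Ghost compose file also has its `./modsec-crs-confs:/modsec-crs-confs:ro` mount commented out, so as shown this rule would not be loaded at all; a one-line comment such as `# extend CRS allowed content types (rule 900220) for this app` would make the intent clear.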
|
|
@ -0,0 +1,31 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
myreverse:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./modsec-crs-confs:/modsec-crs-confs:ro # fix FP with CRS
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=http://mygogs:3000/
|
||||
|
||||
mygogs:
|
||||
image: gogs/gogs
|
||||
volumes:
|
||||
- ./data-gogs:/data
|
|
@ -0,0 +1,7 @@
|
|||
SecAction \
|
||||
"id:900220,\
|
||||
phase:1,\
|
||||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
|
|
@ -0,0 +1,46 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
mywww:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./joomla-files:/www:ro
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- MAX_CLIENT_SIZE=50m
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- REMOTE_PHP=myjoomla
|
||||
- REMOTE_PHP_PATH=/var/www/html
|
||||
|
||||
myjoomla:
|
||||
image: joomla:fpm-alpine
|
||||
restart: always
|
||||
volumes:
|
||||
- ./joomla-files:/var/www/html
|
||||
environment:
|
||||
- JOOMLA_DB_HOST=mydb
|
||||
- JOOMLA_DB_NAME=joomladb
|
||||
- JOOMLA_DB_USER=user
|
||||
- JOOMLA_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
|
||||
|
||||
mydb:
|
||||
image: mariadb
|
||||
restart: always
|
||||
volumes:
|
||||
- ./db-data:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
|
||||
- MYSQL_DATABASE=joomladb
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match JOOMLA_DB_PASSWORD)
|
|
@ -18,6 +18,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -18,6 +18,7 @@ services:
|
|||
- MAX_CLIENT_SIZE=50m
|
||||
- SERVE_FILES=no
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -25,7 +25,6 @@ services:
|
|||
- app2.website.com_REMOTE_PHP=myapp2
|
||||
- app2.website.com_REMOTE_PHP_PATH=/app
|
||||
- app3.website.com_SERVE_FILES=no
|
||||
- app3.website.com_USE_CLIENT_CACHE=no
|
||||
- app3.website.com_USE_PROXY_CACHE=yes
|
||||
- app3.website.com_USE_REVERSE_PROXY=yes
|
||||
- app3.website.com_REVERSE_PROXY_URL=/
|
||||
|
|
|
@ -27,9 +27,9 @@ services:
|
|||
- wp.website.com_REMOTE_PHP_PATH=/var/www/html
|
||||
- nc.website.com_REMOTE_PHP=mync
|
||||
- nc.website.com_REMOTE_PHP_PATH=/var/www/html
|
||||
- nc.website.com_LIMIT_REQ_RATE=40r/s
|
||||
- nc.website.com_LIMIT_REQ_BURST=60
|
||||
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
|
||||
- nc.website.com_LIMIT_REQ_RATE=5r/s
|
||||
- nc.website.com_LIMIT_REQ_BURST=10
|
||||
- nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
|
||||
- nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
|
||||
- nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
|
||||
networks:
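Review bot: Assuming the second line of each pair is the new value (the +/- markers are lost on this page), the new `nc.website.com_ALLOWED_METHODS` list drops `REPORT` while adding `LOCK`, `UNLOCK` and `OPTIONS`. CalDAV/CardDAV and WebDAV sync clients send `REPORT`, so those requests would presumably be refused, and with `FAIL2BAN_STATUS_CODE=400|401|403|405|444` on the next line a legitimate client could end up banned. Either keep `REPORT` in the list or add a comment stating that DAV sync is intentionally unsupported. The same change appears in both `tx.allowed_methods` hunks and in the single-site Nextcloud compose hunk below, and the nginx and CRS lists need to stay identical.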
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
SecRuleRemoveById 921110
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
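Review bot: `ctl:ruleRemoveByTag=OWASP_CRS` turns off the whole Core Rule Set for any request whose path contains `/remote.php/webdav` at any position, and the rule names no phase or disruptive action, so both are inherited from `SecDefaultAction`. Matching from the start of the path and spelling out the actions keeps the exclusion on the WebDAV endpoint and applies it before the phase-1 CRS rules: `SecRule REQUEST_FILENAME "@beginsWith /remote.php/webdav" "id:1,phase:1,pass,nolog,ctl:ruleRemoveByTag=OWASP_CRS"`. `id:1` is also used by the WordPress exclusion file in this commit, so if both files are ever loaded into one ModSecurity context the duplicate id will be rejected; distinct ids per file avoid that. The identical line appears in the second Nextcloud modsec hunk further down.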
|
||||
|
|
|
@ -1 +1,4 @@
|
|||
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
|
||||
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
|
||||
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
|
||||
SecRuleRemoveById 953120
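Review bot: The three `SecRule REQUEST_FILENAME` patterns are written without an operator, so they are evaluated as unanchored regular expressions, and the first one removes every rule tagged `attack-xss` and `attack-rce` for `admin-ajax.php`, an endpoint that also serves front-end plugin requests. Tighten the match and state the actions, e.g. `SecRule REQUEST_FILENAME "@streq /wp-admin/admin-ajax.php" "id:1,phase:1,pass,nolog,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"`, and where the false positive comes from one parameter prefer `ctl:ruleRemoveTargetById` over removing whole tag families. `SecRuleRemoveById 953120` disables that rule for every path, so a comment naming the request that triggered it would help the next reviewer decide whether it is still needed. The same four lines are added as a new file at the end of this commit.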
|
||||
|
|
|
@ -12,4 +12,4 @@ SecAction \
|
|||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
|
||||
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
|
||||
|
|
|
@ -23,16 +23,16 @@ services:
|
|||
- USE_CLIENT_CACHE=yes
|
||||
- REMOTE_PHP=mync
|
||||
- REMOTE_PHP_PATH=/var/www/html
|
||||
- LIMIT_REQ_RATE=40r/s
|
||||
- LIMIT_REQ_BURST=60
|
||||
- ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
|
||||
- LIMIT_REQ_RATE=5r/s
|
||||
- LIMIT_REQ_BURST=10
|
||||
- ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
|
||||
- X_FRAME_OPTIONS=SAMEORIGIN
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- FAIL2BAN_STATUS_CODE=400|401|403|405|444
|
||||
|
||||
mync:
|
||||
image: nextcloud:20-fpm
|
||||
image: nextcloud:21-fpm
|
||||
restart: always
|
||||
volumes:
|
||||
- ./nc-files:/var/www/html
|
||||
|
|
|
@ -1 +1,2 @@
|
|||
SecRuleRemoveById 921110
|
||||
SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"
|
||||
|
|
|
@ -12,4 +12,4 @@ SecAction \
|
|||
nolog,\
|
||||
pass,\
|
||||
t:none,\
|
||||
setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
|
||||
setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
|
||||
|
|
|
@ -20,6 +20,7 @@ services:
|
|||
- ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
|
||||
- SERVE_FILES=no
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -0,0 +1,47 @@
|
|||
version: '3'
|
||||
|
||||
services:
|
||||
|
||||
myreverse:
|
||||
image: bunkerity/bunkerized-nginx
|
||||
restart: always
|
||||
ports:
|
||||
- 80:8080
|
||||
- 443:8443
|
||||
volumes:
|
||||
- ./letsencrypt:/etc/letsencrypt
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- SERVE_FILES=no
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
- REVERSE_PROXY_URL=/
|
||||
- REVERSE_PROXY_HOST=http://myredmine:3000/
|
||||
|
||||
redmine:
|
||||
image: redmine
|
||||
restart: always
|
||||
volumes:
|
||||
- ./redmine-data:/usr/src/redmine/files
|
||||
environment:
|
||||
- REDMINE_DB_MYSQL=mydb
|
||||
- REDMINE_DB_DATABASE=redminedb
|
||||
- REDMINE_DB_USERNAME=user
|
||||
- REDMINE_DB_PASSWORD=db-user-pwd # replace with a stronger password (must match MYSQL_PASSWORD)
|
||||
|
||||
mydb:
|
||||
image: mariadb
|
||||
restart: always
|
||||
volumes:
|
||||
- ./db-data:/var/lib/mysql
|
||||
environment:
|
||||
- MYSQL_ROOT_PASSWORD=db-root-pwd # replace with a stronger password
|
||||
- MYSQL_DATABASE=redminedb
|
||||
- MYSQL_USER=user
|
||||
- MYSQL_PASSWORD=db-user-pwd # replace with a stronger password (must match REDMINE_DB_PASSWORD)
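Review bot: `REVERSE_PROXY_HOST=http://myredmine:3000/` points at a host named `myredmine`, but the backend service in this file is declared as `redmine:`, so the proxy will not be able to resolve its upstream. Rename the service to `myredmine:` to match the naming used by the other examples (`mydb`, `myreverse`), or change the URL to `http://redmine:3000/`. The `redmine` and `mariadb` images are also unpinned, as in the other new compose files in this commit.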
|
|
@ -18,6 +18,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -18,6 +18,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -17,6 +17,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -32,7 +32,7 @@ services:
|
|||
mode: host
|
||||
protocol: tcp
|
||||
volumes:
|
||||
- /shared/confs:/etc/nginx:ro
|
||||
- /shared/confs:/etc/nginx
|
||||
- /shared/letsencrypt:/etc/letsencrypt:ro
|
||||
- /shared/acme-challenge:/acme-challenge:ro
|
||||
- /shared/www:/www:ro
|
||||
|
@ -45,6 +45,7 @@ services:
|
|||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
networks:
|
||||
- net_config
|
||||
- net_services
|
||||
|
@ -86,6 +87,7 @@ services:
|
|||
- "node.role==worker"
|
||||
labels:
|
||||
- "bunkerized-nginx.SERVER_NAME=app2.website.com"
|
||||
- "bunkerized-nginx.USE_PROXY_CACHE=yes"
|
||||
- "bunkerized-nginx.USE_REVERSE_PROXY=yes"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_URL=/"
|
||||
- "bunkerized-nginx.REVERSE_PROXY_HOST=http://app2"
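Review bot: In the first hunk of this file the `/shared/confs:/etc/nginx` mount is printed twice, once with `:ro` and once without; if the line without `:ro` is the new one (the +/- markers are lost on this page), the nginx service gains write access to the shared configuration while the neighbouring letsencrypt, acme-challenge and www mounts stay read-only. A writable config directory means a compromise of that container can alter what every worker serves. If nginx really has to write there, add a comment on the line saying what it writes, e.g. `# rw: <reason>`; otherwise keep `- /shared/confs:/etc/nginx:ro`.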
|
||||
|
|
|
@ -17,6 +17,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
- USE_PROXY_CACHE=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- USE_REVERSE_PROXY=yes
|
||||
|
|
|
@ -18,6 +18,7 @@ services:
|
|||
- AUTO_LETS_ENCRYPT=yes
|
||||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- DISABLE_DEFAULT_SERVER=yes
|
||||
- USE_CLIENT_CACHE=yes
|
||||
- USE_GZIP=yes
|
||||
- USE_BROTLI=yes
|
||||
- admin.website.com_SERVE_FILES=no
|
||||
|
|
|
@ -13,6 +13,7 @@ services:
|
|||
- ./letsencrypt:/etc/letsencrypt
|
||||
- ./server-confs:/server-confs:ro # custom confs at server context for permalinks
|
||||
- ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
|
||||
- ./modsec-confs:/modsec-confs:ro # avoid some FP with CRS
|
||||
environment:
|
||||
- SERVER_NAME=www.website.com # replace with your domain
|
||||
- AUTO_LETS_ENCRYPT=yes
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
|
||||
SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
|
||||
SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
|
||||
SecRuleRemoveById 953120
|