mirror of
https://github.com/bunkerity/bunkerized-nginx
synced 2023-12-13 21:30:18 +01:00
79 lines
2.8 KiB
Plaintext
79 lines
2.8 KiB
Plaintext
# process rules with disruptive actions
|
|
SecRuleEngine On
|
|
|
|
# allow body checks
|
|
SecRequestBodyAccess On
|
|
|
|
# enable XML parsing
|
|
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
|
|
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
|
|
|
|
# enable JSON parsing
|
|
SecRule REQUEST_HEADERS:Content-Type "application/json" \
|
|
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
|
|
|
|
# maximum data size
|
|
SecRequestBodyLimit 13107200
|
|
SecRequestBodyNoFilesLimit 131072
|
|
|
|
# reject requests if bigger than max data size
|
|
SecRequestBodyLimitAction Reject
|
|
|
|
# reject if we can't process the body
|
|
SecRule REQBODY_ERROR "!@eq 0" \
|
|
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
|
|
|
|
# be strict with multipart/form-data body
|
|
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
|
|
"id:'200003',phase:2,t:none,log,deny,status:400, \
|
|
msg:'Multipart request body failed strict validation: \
|
|
PE %{REQBODY_PROCESSOR_ERROR}, \
|
|
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
|
|
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
|
|
DB %{MULTIPART_DATA_BEFORE}, \
|
|
DA %{MULTIPART_DATA_AFTER}, \
|
|
HF %{MULTIPART_HEADER_FOLDING}, \
|
|
LF %{MULTIPART_LF_LINE}, \
|
|
SM %{MULTIPART_MISSING_SEMICOLON}, \
|
|
IQ %{MULTIPART_INVALID_QUOTING}, \
|
|
IP %{MULTIPART_INVALID_PART}, \
|
|
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
|
|
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
|
|
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
|
|
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
|
|
|
|
# enable response body checks
|
|
SecResponseBodyAccess On
|
|
SecResponseBodyMimeType text/plain text/html text/xml application/json
|
|
SecResponseBodyLimit 524288
|
|
SecResponseBodyLimitAction ProcessPartial
|
|
|
|
# log usefull stuff
|
|
SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }}
|
|
SecAuditLogType Serial
|
|
SecAuditLog /var/log/nginx/modsec_audit.log
|
|
|
|
# include OWASP CRS configuration
|
|
{% if USE_MODSECURITY_CRS == "yes" %}
|
|
include /opt/bunkerized-nginx/crs-setup.conf
|
|
|
|
# custom CRS configurations before loading rules (exclusions)
|
|
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs") +%}
|
|
include /opt/bunkerized-nginx/modsec-crs-confs/*.conf
|
|
{% endif %}
|
|
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-crs-confs/" + FIRST_SERVER) +%}
|
|
include /opt/bunkerized-nginx/modsec-crs-confs/{{ FIRST_SERVER }}/*.conf
|
|
{% endif %}
|
|
|
|
# include OWASP CRS rules
|
|
include /opt/bunkerized-nginx/crs/*.conf
|
|
{% endif %}
|
|
|
|
# custom rules after loading the CRS
|
|
{% if is_custom_conf("/opt/bunkerized-nginx/modsec-confs") +%}
|
|
include /opt/bunkerized-nginx/modsec-confs/*.conf
|
|
{% endif %}
|
|
{% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerized-nginx/modsec-confs/" + FIRST_SERVER) +%}
|
|
include /opt/bunkerized-nginx/modsec-confs/{{ FIRST_SERVER }}/*.conf
|
|
{% endif %}
|