# Ficheiro de Exceções do ModSecurity para o Nextcloud (ATUALIZADO)

# --------------------------------------------------------------------------
# Broad API & Extension Whitelist (User Request: "Liberate all APIs")
# --------------------------------------------------------------------------
# Allows /apps/, /ocs/ (Open Cloud Standard), and /remote.php (WebDAV)
# to ensure plugins and sync clients work without restriction.
SecRule REQUEST_URI "@rx ^/(index\.php/apps|apps|ocs|remote\.php)/" \
    "id:10050,phase:1,pass,nolog,ctl:ruleEngine=Off"

# --------------------------------------------------------------------------
# Office Online (WOPI & Hosting)
# --------------------------------------------------------------------------
# Whitelist for Office Online server communication
SecRule REQUEST_URI "@rx ^/(hosting|op|we|wv|p|x|lo|m|o|browser)/" \
    "id:10014,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Proxy Whitelist for Office Online (Internal)
SecRule REMOTE_ADDR "@ipMatch 172.16.254.1" \
    "id:10034,phase:1,pass,nolog,chain,msg:'WHITELIST: [Proxy 172.16.254.1] Office Online WOPI'"
    SecRule REQUEST_URI "@beginsWith /index.php/apps/officeonline/wopi/files/" "ctl:ruleEngine=Off"

# --------------------------------------------------------------------------
# Specific Sync & Discovery (Legacy/Specific IDs reserved)
# --------------------------------------------------------------------------
SecRule REQUEST_URI "@streq /.well-known/caldav" "id:10002,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@streq /.well-known/carddav" "id:10003,phase:1,pass,nolog,ctl:ruleEngine=Off"

# Preview Generator
SecRule REQUEST_URI "@beginsWith /index.php/core/preview" "id:10010,phase:1,pass,nolog,ctl:ruleRemoveById=9XXXXX"