joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
NgixProxy_Pathfinder/modsec.conf.template

76 lines
3.6 KiB
Plaintext
Raw Permalink Blame History

# Original of the latest recommended version:
# https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended
# Directives configured upstream (in the same order)
SecRuleEngine ${MODSEC_RULE_ENGINE}
SecRequestBodyAccess ${MODSEC_REQ_BODY_ACCESS}
SecRequestBodyLimit ${MODSEC_REQ_BODY_LIMIT}
SecRequestBodyNoFilesLimit ${MODSEC_REQ_BODY_NOFILES_LIMIT}
SecRequestBodyLimitAction ${MODSEC_REQ_BODY_LIMIT_ACTION}
SecRequestBodyJsonDepthLimit ${MODSEC_REQ_BODY_JSON_DEPTH_LIMIT}
SecArgumentsLimit ${MODSEC_ARGUMENTS_LIMIT}
SecPcreMatchLimit ${MODSEC_PCRE_MATCH_LIMIT}
SecPcreMatchLimitRecursion ${MODSEC_PCRE_MATCH_LIMIT_RECURSION}
SecResponseBodyAccess ${MODSEC_RESP_BODY_ACCESS}
SecResponseBodyMimeType ${MODSEC_RESP_BODY_MIMETYPE}
SecResponseBodyLimit ${MODSEC_RESP_BODY_LIMIT}
SecResponseBodyLimitAction ${MODSEC_RESP_BODY_LIMIT_ACTION}
SecTmpDir ${MODSEC_TMP_DIR}
SecDataDir ${MODSEC_DATA_DIR}
SecAuditEngine ${MODSEC_AUDIT_ENGINE}
SecAuditLogRelevantStatus "${MODSEC_AUDIT_LOG_RELEVANT_STATUS}"
SecAuditLogParts ${MODSEC_AUDIT_LOG_PARTS}
SecAuditLogType ${MODSEC_AUDIT_LOG_TYPE}
SecAuditLog ${MODSEC_AUDIT_LOG}
SecArgumentSeparator ${MODSEC_ARGUMENT_SEPARATOR}
SecCookieFormat ${MODSEC_COOKIE_FORMAT}
SecUnicodeMapFile unicode.mapping ${MODSEC_UNICODE_MAPPING}
SecStatusEngine ${MODSEC_STATUS_ENGINE}
# Additional directives
SecAuditLogFormat ${MODSEC_AUDIT_LOG_FORMAT}
SecAuditLogStorageDir ${MODSEC_AUDIT_STORAGE_DIR}
SecDebugLog ${MODSEC_DEBUG_LOG}
SecDebugLogLevel ${MODSEC_DEBUG_LOGLEVEL}
SecDisableBackendCompression ${MODSEC_DISABLE_BACKEND_COMPRESSION}
SecTmpSaveUploadedFiles ${MODSEC_TMP_SAVE_UPLOADED_FILES}
SecUploadDir ${MODSEC_UPLOAD_DIR}
SecUploadFileMode ${MODSEC_UPLOAD_FILE_MODE}
SecUploadKeepFiles ${MODSEC_UPLOAD_KEEP_FILES}
# Rules configured upstream (in the same order)
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule &ARGS "@ge ${MODSEC_ARGUMENTS_LIMIT}" \
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,log,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# Additional rules
SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
"id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Gemini: Include Custom Rules
include /etc/nginx/custom_rules/*.conf
Reference in New Issue View Git Blame Copy Permalink