NgixProxy_Pathfinder/modsec_rules/gitea-rule-exceptions.conf


# Ficheiro de Exceções do ModSecurity para o Gitea (ATUALIZADO)
# --------------------------------------------------------------------------
# Git Operations & Web Interface
# --------------------------------------------------------------------------
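# ID 10008: Allow edit operations in the web UI (browse branch, edit, new file,
# commit list).
# REQUEST_URI includes the query string, so the old "^/.*/" prefix let the query
# string, not the path, satisfy the pattern. The prefix is now spelled out as
# /<owner>/<repo>/ with "?" excluded, the same shape rules 10025/10026 use
# (this assumes Gitea is served at the site root, as those rules already do).
# NOTE(review): "allow" + ctl:ruleEngine=Off + nolog removes all inspection of
# these requests and leaves no log entry that the exception fired. If only a few
# rules misfire here, a per-rule ctl:ruleRemoveById exception (as rule 10013
# does) would be narrower - confirm which rules actually trigger.
SecRule REQUEST_URI "@rx ^/[^/?]+/[^/?]+/(src/branch|_edit|_new|commits/branch)/" \
"id:10008,phase:1,nolog,allow,ctl:ruleEngine=Off"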
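# ID 10011: Allow access to raw files and assets.
# "?" is excluded from the wildcard so only the path can satisfy the pattern
# (REQUEST_URI also contains the query string), and "raw" / "assets" must now be
# a whole path segment instead of the tail of a longer name.
# NOTE(review): at least one segment is required before raw/ or assets/, so a
# top-level /assets/ path does not match (same as before) - confirm intended.
# NOTE(review): the engine is switched off with nolog, so hits on this exception
# are not recorded anywhere.
SecRule REQUEST_URI "@rx ^/[^?]*/(raw|assets)/" \
"id:10011,phase:1,nolog,pass,ctl:ruleEngine=Off"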
# ID 10013: Allow access to .conf files stored in git repositories.
# Chain of two conditions: the request file name ends in ".conf" AND the server
# name equals git.itguys.com.br. The ctl action sits on the last rule of the
# chain, so rule 930120 is removed for this request only when both matched.
# Only that one rule is removed; the rest of the rule set stays active.
# NOTE(review): 930120 is presumably the OWASP CRS "OS file access" (LFI) rule -
# confirm against the installed CRS version.
# NOTE(review): SERVER_NAME is taken from the request itself, so it scopes the
# exception to this virtual host but is not an authenticity check.
# NOTE(review): "msg" is set but "nolog" suppresses it, so the message is never
# written - confirm that is intended.
SecRule REQUEST_FILENAME "@rx \.conf$" \
"id:10013,phase:1,nolog,pass,chain,msg:'[CUSTOM] Whitelist .conf files for Git server'"
SecRule SERVER_NAME "@streq git.itguys.com.br" "ctl:ruleRemoveById=930120"
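# ID 10025: File upload through the web UI.
# "?" is excluded from both segments: REQUEST_URI includes the query string, and
# without the exclusion the trailing "$" could be met by the end of a query
# string instead of the end of the path. Requests to /<owner>/<repo>/upload-file
# without a query string match exactly as before.
# NOTE(review): with the rule engine off, uploaded content is not inspected by
# ModSecurity at all; any upload scanning has to happen elsewhere.
SecRule REQUEST_URI "@rx ^/[^/?]+/[^/?]+/upload-file$" \
"id:10025,phase:1,pass,nolog,ctl:ruleEngine=Off"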
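# ID 10026: Wiki.
# "?" is excluded from both segments so the "$" anchor applies to the end of the
# path, not to the end of a query string (REQUEST_URI contains both).
# The rule matches only the exact path /<owner>/<repo>/wiki with no query
# string; wiki sub-pages and requests with parameters stay inspected.
# NOTE(review): confirm that this narrow match covers the requests that were
# producing false positives.
SecRule REQUEST_URI "@rx ^/[^/?]+/[^/?]+/wiki$" \
"id:10026,phase:1,pass,nolog,ctl:ruleEngine=Off"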
# --------------------------------------------------------------------------
# Git Hooks & Uploads
# --------------------------------------------------------------------------
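# ID 10040: Git smart HTTP protocol (push/pull).
# Turns the rule engine off and disables request body access for
# git-upload-pack / git-receive-pack, so pack data is neither buffered nor
# inspected by ModSecurity. The rule does not raise any request body limit;
# it skips body handling for these requests instead.
# "^[^?]*" keeps the match inside the path: REQUEST_URI includes the query
# string, and the "$" anchor alone could be met by the end of a query string.
# NOTE(review): nolog means pushes and pulls that take this exception leave no
# ModSecurity log entry - confirm access logging covers them elsewhere.
SecRule REQUEST_URI "@rx ^[^?]*/git-(upload|receive)-pack$" \
"id:10040, \
phase:1, \
pass, \
nolog, \
ctl:ruleEngine=Off, \
ctl:requestBodyAccess=Off"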
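# ID 10041: Allow Git LFS (Large File Storage) and uploads over HTTP.
# "^[^?]*" restricts the match to the path; REQUEST_URI also contains the query
# string, which previously could satisfy this unanchored pattern on its own.
# NOTE(review): the fragments may still appear anywhere in the path. If LFS is
# only served under /<owner>/<repo>.git/info/lfs/, anchoring to that prefix
# would narrow the exception further - confirm against real traffic.
SecRule REQUEST_URI "@rx ^[^?]*/(info/lfs|objects/batch)" \
"id:10041,phase:1,pass,nolog,ctl:ruleEngine=Off"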