upstream/oracle/userland-gate: components/apache2-modules/mod_security2/security2.conf@255465c5756f (annotated)

278 77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	1
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	2	<IfDefine 64bit>
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	3	LoadModule security2_module libexec/64/mod_security2.so
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	4	</IfDefine>
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	5	<IfDefine !64bit>
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	6	LoadModule security2_module libexec/mod_security2.so
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	7	</IfDefine>
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	8
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	9	<IfModule mod_security2.c>
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	10
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	11	# Basic configuration options
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	12	SecRuleEngine On
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	13	SecRequestBodyAccess On
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	14	SecResponseBodyAccess Off
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	15
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	16	# Handling of file uploads
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	17	# TODO Choose a folder private to Apache.
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	18	# SecUploadDir /opt/apache-frontend/tmp/
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	19	SecUploadKeepFiles Off
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	20
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	21	# Debug log
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	22	SecDebugLog /var/apache2/2.2/logs/modsec_debug.log
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	23	SecDebugLogLevel 0
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	24
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	25	# Serial audit log
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	26	SecAuditEngine RelevantOnly
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	27	SecAuditLogRelevantStatus ^5
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	28	SecAuditLogParts ABIFHZ
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	29	SecAuditLogType Serial
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	30	SecAuditLog /var/apache2/2.2/logs/modsec_audit.log
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	31
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	32	# Maximum request body size we will
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	33	# accept for buffering
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	34	SecRequestBodyLimit 131072
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	35
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	36	# Store up to 128 KB in memory
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	37	SecRequestBodyInMemoryLimit 131072
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	38
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	39	# Buffer response bodies of up to
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	40	# 512 KB in length
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	41	SecResponseBodyLimit 524288
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	42
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	43	# Verify that we've correctly processed the request body.
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	44	# As a rule of thumb, when failing to process a request body
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	45	# you should reject the request when deployed in blocking mode
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	46	# or log a high-severity alert when deployed in detection-only mode.
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	47	SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	48
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	49	# By default be strict with what we accept in the multipart/form-data
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	50	# request body. If the rule below proves to be too strict for your
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	51	# environment consider changing it to detection-only. You are encouraged
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	52	# _not_ to remove it altogether.
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	53	SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}'"
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	54
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	55	# Did we see anything that might be a boundary?
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	56	SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	57
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	58	SecRule REQUEST_URI "sfw" "deny"
77b380ba9d84 7045614 Move Apache Web server to userland Petr Sumbera <petr.sumbera@oracle.com> parents: diff changeset	59	</IfModule>

author	Mike Sullivan <Mike.Sullivan@Oracle.COM>
	Wed, 29 Aug 2012 11:05:56 -0700
changeset 957	255465c5756f
parent 278	77b380ba9d84
permissions	-rw-r--r--