author | Rich Burridge <rich.burridge@oracle.com> |
Thu, 14 Mar 2013 13:30:55 -0700 | |
changeset 1211 | 72f88619e71d |
parent 278 | 77b380ba9d84 |
permissions | -rw-r--r-- |
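# mod_security2 configuration for Apache httpd 2.2 (Solaris Userland packaging).
# The module is loaded from the 32-bit or 64-bit libexec directory depending
# on which -D define the server was started with; everything else is wrapped
# in <IfModule> so the file is harmless if the module is absent.
<IfDefine 64bit>
LoadModule security2_module libexec/64/mod_security2.so
</IfDefine>
<IfDefine !64bit>
LoadModule security2_module libexec/mod_security2.so
</IfDefine>

<IfModule mod_security2.c>

# Basic configuration options
# SecRuleEngine On means the rules below run in blocking mode: every "deny"
# action returns an error response to the client. Set DetectionOnly to
# evaluate the rules without blocking while tuning them.
SecRuleEngine On
SecRequestBodyAccess On
# Response bodies are not inspected; SecResponseBodyLimit below only takes
# effect if this is switched On.
SecResponseBodyAccess Off

# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
# Uploaded files are not retained after the request is processed.
SecUploadKeepFiles Off

# Debug log
# Level 0 disables debug output; the path is still required so the log can
# be enabled at runtime without further edits.
SecDebugLog /var/apache2/2.2/logs/modsec_debug.log
SecDebugLogLevel 0

# Serial audit log
# RelevantOnly with "^5" audits only transactions that end in a 5xx status.
# NOTE(review): requests blocked by the "deny" rules below return a 403 by
# default, so they never reach the audit log with this pattern; widen it
# (e.g. to also match 4xx) if blocked requests should be auditable.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/apache2/2.2/logs/modsec_audit.log

# Maximum request body size we will
# accept for buffering
# Requests whose body exceeds this limit are rejected; 128 KB is well below
# typical file-upload sizes, so raise it if uploads are expected here.
SecRequestBodyLimit 131072

# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

# NOTE(review): none of the SecRule directives below carry an "id:" action.
# ModSecurity 2.7 and later refuse to load rules without a unique id; verify
# against the packaged module version before relying on this file.

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request when deployed in blocking mode
# or log a high-severity alert when deployed in detection-only mode.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}'"

# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# NOTE(review): the rule below denies any request whose URI contains the
# substring "sfw" anywhere (the regex is unanchored), carries no phase, log
# or msg metadata, and is not explained elsewhere in this file. Confirm it
# is intentional and document what it protects, or remove it.
SecRule REQUEST_URI "sfw" "deny"
</IfModule>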