components/apache2-modules/mod_security2/security2.conf
changeset 278 77b380ba9d84
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2-modules/mod_security2/security2.conf	Thu Jun 02 00:54:08 2011 -0700
@@ -0,0 +1,59 @@
+
+<IfDefine 64bit>
+LoadModule security2_module libexec/64/mod_security2.so
+</IfDefine>
+<IfDefine !64bit>
+LoadModule security2_module libexec/mod_security2.so
+</IfDefine>
+
+<IfModule mod_security2.c>
+
+# Basic configuration options
+SecRuleEngine On
+SecRequestBodyAccess On
+SecResponseBodyAccess Off
+
+# Handling of file uploads
+# TODO Choose a folder private to Apache.
+# SecUploadDir /opt/apache-frontend/tmp/
+SecUploadKeepFiles Off
+
+# Debug log
+SecDebugLog /var/apache2/2.2/logs/modsec_debug.log
+SecDebugLogLevel 0
+
+# Serial audit log
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus ^5
+SecAuditLogParts ABIFHZ
+SecAuditLogType Serial
+SecAuditLog /var/apache2/2.2/logs/modsec_audit.log
+
+# Maximum request body size we will
+# accept for buffering
+SecRequestBodyLimit 131072
+
+# Store up to 128 KB in memory
+SecRequestBodyInMemoryLimit 131072
+
+# Buffer response bodies of up to
+# 512 KB in length
+SecResponseBodyLimit 524288
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request when deployed in blocking mode
+# or log a high-severity alert when deployed in detection-only mode.
+SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" "phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}'"
+
+# Did we see anything that might be a boundary?
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+SecRule REQUEST_URI "sfw" "deny"
+</IfModule>
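Review bot: The final rule `SecRule REQUEST_URI "sfw" "deny"` just before `</IfModule>` looks like a leftover test rule: the pattern is an unanchored regex, so any request whose URI contains the substring `sfw` is rejected, and unlike the three rules above it carries no `phase`, `log` or `msg` action, so a match yields a bare 403 with nothing in the error log to explain it. If it is not intentional it should be dropped from a shipped default config; if it is intentional, give it the same shape as its neighbours, e.g. `SecRule REQUEST_URI "sfw" "phase:1,t:none,log,deny,msg:'Blocked URI containing sfw.'"`, with a comment stating why the substring is blocked. None of the `SecRule` lines in this hunk carry an `id:` action; later ModSecurity 2.x releases refuse to load rules without a unique id, so adding one to each rule now (for example `id:<PLACEHOLDER_RULE_ID>`) avoids a breakage on upgrade. The `SecUploadDir` TODO at the top of the upload section is also worth resolving before release, since `SecRequestBodyAccess On` with the default temporary directory means multipart uploads are spooled to a location shared with other local users.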