authorScott Ullrich <sullrich@G5.local>2009-10-27 19:59:57 -0400
committerScott Ullrich <sullrich@G5.local>2009-10-27 19:59:57 -0400
commit6abe1f9648d0b3ea16c5901d7490d829a2d78063 (patch)
tree2ca8f14fb5693fdf11158c260e02fde7d3fc0c2b
parentcefe0accd2b44cacd17c8f35f76dbdac66241a6d (diff)
Add more tunables
-rw-r--r--config/apache_mod_security/apache_mod_security.inc34
-rw-r--r--config/apache_mod_security/apache_mod_security_settings.xml23
2 files changed, 48 insertions, 9 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index c45f426d..eee5af4c 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -36,7 +36,7 @@ conf_mount_rw();
// Needed mod_security directories
if(!is_dir("/usr/local/apachemodsecurity"))
safe_mkdir("/usr/local/apachemodsecurity");
-if(!is_dir("/usr/local/apachemodsecurity"))
+if(!is_dir("/usr/local/apachemodsecurity/rules"))
safe_mkdir("/usr/local/apachemodsecurity/rules");
// Startup function
@@ -166,7 +166,25 @@ function generate_apache_configuration() {
safe_mkdir("/var/db/apachemodsecuritycache");
$cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n";
}
-
+
+ // SecRequestBodyInMemoryLimit Directive
+ if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit'])
+ $secrequestbodyinmemorylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit'];
+ else
+ $secrequestbodyinmemorylimit = "131072";
+
+ // SecRequestBodyLimit
+ if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit'])
+ $secrequestbodylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit'];
+ else
+ $secrequestbodylimit = "10485760";
+
+ // SecAuditEngine
+ if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine'])
+ $secauditengine = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine'];
+ else
+ $secauditengine = "RelevantOnly";
+
$mod_proxy .= <<<EOF
# Off when using ProxyPass
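Review bot: The three new settings are taken from `$config` and written verbatim into the generated Apache configuration (the `{$secrequestbodyinmemorylimit}`, `{$secrequestbodylimit}` and `{$secauditengine}` interpolations in the `@@ -325` and `@@ -339` hunks), with no check on their content. The two limits come from free-text `input` fields, so a typo, a unit suffix or an embedded line break lands in the config file as written; this can leave Apache with an invalid directive or an unintended extra line in the mod_security block. The limits should be accepted only as plain positive digit strings, and the audit engine only as one of `On`, `Off` or `RelevantOnly`, falling back to the existing defaults otherwise. The sketch below keeps the current behaviour that an empty or `0` value selects the default. `generate_apache_configuration()` begins and ends outside this hunk.

```php
// … unchanged: cache root setup …
$modsec_settings = $config['installedpackages']['apachemodsecuritysettings']['config'][0];

// SecRequestBodyInMemoryLimit: accept only a positive byte count
$secrequestbodyinmemorylimit = "131072";
if(ctype_digit((string)$modsec_settings['secrequestbodyinmemorylimit']) && intval($modsec_settings['secrequestbodyinmemorylimit']) > 0)
	$secrequestbodyinmemorylimit = $modsec_settings['secrequestbodyinmemorylimit'];

// SecRequestBodyLimit: accept only a positive byte count
$secrequestbodylimit = "10485760";
if(ctype_digit((string)$modsec_settings['secrequestbodylimit']) && intval($modsec_settings['secrequestbodylimit']) > 0)
	$secrequestbodylimit = $modsec_settings['secrequestbodylimit'];

// SecAuditEngine: accept only the values offered by the settings form
$secauditengine = "RelevantOnly";
if(in_array($modsec_settings['secauditengine'], array("On", "Off", "RelevantOnly"), true))
	$secauditengine = $modsec_settings['secauditengine'];
// … unchanged: $mod_proxy heredoc …
```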
@@ -325,10 +343,9 @@ EOF;
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
-
- # XXX Add knobs for these
- SecRequestBodyInMemoryLimit 131072
- SecRequestBodyLimit 10485760
+
+ SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit}
+ SecRequestBodyLimit {$secrequestbodylimit}
{$mod_security_custom}
@@ -339,11 +356,10 @@ EOF;
SecUploadDir /var/spool/apache/private
SecUploadKeepFiles Off
- # XXX Add knobs for these
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
- SecAuditEngine RelevantOnly
+ SecAuditEngine {$secauditengine}
# XXX Add knobs for these
# Make sure that URL encoding is valid
@@ -373,8 +389,8 @@ EOF;
EOF;
-
}
+
$apache_config = <<<EOF
##################################################################################
# NOTE: This file was generated by the pfSense package management system. #
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 4382d731..9f1fd2c2 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -142,12 +142,35 @@
<type>input</type>
</field>
<field>
+ <fielddescr>Configures the maximum request body size ModSecurity will store in memory.</fielddescr>
+ <fieldname>secrequestbodyinmemorylimit</fieldname>
+ <description>Configures the maximum request body size ModSecurity will store in memory.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Configures the maximum request body size ModSecurity will accept for buffering.</fielddescr>
+ <fieldname>secrequestbodylimit</fieldname>
+ <description>Configures the maximum request body size ModSecurity will accept for buffering.</description>
+ <type>input</type>
+ </field
+ <field>
<fielddescr>Enable mod_security protection</fielddescr>
<fieldname>enablemodsecurity</fieldname>
<description>Enables mod_security protection for all sites being proxied</description>
<type>checkbox</type>
</field>
<field>
+ <fielddescr>Configures the audit logging engine.</fielddescr>
+ <fieldname>secauditengine</fieldname>
+ <description>Configures the audit logging engine.</description>
+ <type>select</type>
+ <options>
+ <option><name>RelevantOnly</name><value>RelevantOnly</value></option>
+ <option><name>All</name><value>On</value></option>
+ <option><name>Off</name><value>Off</value></option>
+ </options>
+ </field>
+ <field>
<fielddescr>Custom mod_security rules</fielddescr>
<fieldname>modsecuritycustom</fieldname>
<description>Paste any custom mod_security rules that you would like to use</description>
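Review bot: The closing tag of the new `secrequestbodylimit` field is written as `</field` with the `>` missing, so the settings file is no longer well-formed XML and the settings page will probably fail to load; it should read `</field>`. The two limit fields also do not say that the value is a byte count or what applies when the field is left empty. Adding that to each `<description>` would help, e.g. `Maximum request body size, in bytes, that ModSecurity will store in memory. Default: 131072.`, and the same with `10485760` for the buffering limit. In the `secauditengine` select, the option labelled `All` carries the value `On`; labelling it `On` would match the directive value that ends up in the generated configuration.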