aboutsummaryrefslogtreecommitdiffstats
path: root/config/apache_mod_security
diff options
context:
space:
mode:
authorScott Ullrich <sullrich@pfsense.org>2009-06-21 20:55:13 -0400
committerScott Ullrich <sullrich@pfsense.org>2009-06-21 20:55:13 -0400
commit797e52de9e52c20d1306cfd32d1cc3b09fe0b940 (patch)
tree4cf09dd3162c7e19a8d5b7acdc7aa39f19148e69 /config/apache_mod_security
parent8b59acc20071fd66cd99f4b1f667da2ee88440a9 (diff)
downloadpfsense-packages-797e52de9e52c20d1306cfd32d1cc3b09fe0b940.tar.gz
pfsense-packages-797e52de9e52c20d1306cfd32d1cc3b09fe0b940.tar.bz2
pfsense-packages-797e52de9e52c20d1306cfd32d1cc3b09fe0b940.zip
Add button to enable mod_security features
Diffstat (limited to 'config/apache_mod_security')
-rw-r--r--config/apache_mod_security/apache_mod_security.inc67
-rw-r--r--config/apache_mod_security/apache_mod_security_settings.xml7
2 files changed, 44 insertions, 30 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 0ecd1d6b..038ae4ae 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -69,7 +69,41 @@ EOF;
else
$global_listen .= ":80";
}
+ if($config['installedpackages']['apache_mod_security_settings']['config']['enablemodsecurity']) {
+ $enable_mod_security = true;
+ $mod_security = <<< EOF
+<IfModule mod_security.c>
+ # Turn the filtering engine On or Off
+ SecFilterEngine On
+
+ # Make sure that URL encoding is valid
+ SecFilterCheckURLEncoding On
+
+ # Unicode encoding check
+ SecFilterCheckUnicodeEncoding Off
+
+ # Only allow bytes from this range
+ SecFilterForceByteRange 0 255
+
+ # Only log suspicious requests
+ SecAuditEngine RelevantOnly
+ # The name of the audit log file
+ SecAuditLog logs/audit_log
+ # Debug level set to a minimum
+ SecFilterDebugLog logs/modsec_debug_log
+ SecFilterDebugLevel 0
+
+ # Should mod_security inspect POST payloads
+ SecFilterScanPOST On
+
+ # By default log and deny suspicious requests
+ # with HTTP status 500
+ SecFilterDefaultAction "deny,log,status:500"
+</IfModule>
+EOF;
+
+}
$apache_config = <<<EOF
##################################################################################
# NOTE: This file was generated by the pfSense package management system. #
@@ -542,37 +576,10 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
-<IfModule mod_security.c>
- # Turn the filtering engine On or Off
- SecFilterEngine On
-
- # Make sure that URL encoding is valid
- SecFilterCheckURLEncoding On
-
- # Unicode encoding check
- SecFilterCheckUnicodeEncoding Off
-
- # Only allow bytes from this range
- SecFilterForceByteRange 0 255
-
- # Only log suspicious requests
- SecAuditEngine RelevantOnly
-
- # The name of the audit log file
- SecAuditLog logs/audit_log
- # Debug level set to a minimum
- SecFilterDebugLog logs/modsec_debug_log
- SecFilterDebugLevel 0
-
- # Should mod_security inspect POST payloads
- SecFilterScanPOST On
-
- # By default log and deny suspicious requests
- # with HTTP status 500
- SecFilterDefaultAction "deny,log,status:500"
-</IfModule>
+# Mod security
+{$mod_security}
-# Mod_security and proxy settings
+# Proxysettings
{$mod_proxy}
# Include anything else
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 2bfff47b..1aed0256 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -55,6 +55,13 @@
</tabs>
<fields>
<field>
+ <fielddescr>Enable mod_security protection</fielddescr>
+ <fieldname>enablemodsecurity</fieldname>
+ <description>Enables mod_security protection for all sites being proxied</description>
+ <type>input</type>
+ </field>
+
+ <field>
<fielddescr>Global site E-mail administrator</fielddescr>
<fieldname>globalsiteadminemail</fieldname>
<description>Enter the site administrators e-mail address</description>