Diffstat (limited to 'config/apache_mod_security')
-rw-r--r-- | config/apache_mod_security/apache_mod_security.inc | 34 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security_settings.xml | 23 |
2 files changed, 48 insertions, 9 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index c45f426d..eee5af4c 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -36,7 +36,7 @@ conf_mount_rw(); // Needed mod_security directories if(!is_dir("/usr/local/apachemodsecurity")) safe_mkdir("/usr/local/apachemodsecurity"); -if(!is_dir("/usr/local/apachemodsecurity")) +if(!is_dir("/usr/local/apachemodsecurity/rules")) safe_mkdir("/usr/local/apachemodsecurity/rules"); // Startup function
@@ -166,7 +166,25 @@ function generate_apache_configuration() { safe_mkdir("/var/db/apachemodsecuritycache"); $cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n"; } - + + // SecRequestBodyInMemoryLimit Directive + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit']) + $secrequestbodyinmemorylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit']; + else + $secrequestbodyinmemorylimit = "131072"; + + // SecRequestBodyLimit + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit']) + $secrequestbodylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit']; + else + $secrequestbodylimit = "10485760"; + + // SecAuditEngine + if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine']) + $secauditengine = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine']; + else + $secauditengine = "RelevantOnly"; + $mod_proxy .= <<<EOF # Off when using ProxyPass
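Review bot: The three settings read in the -166 hunk of generate_apache_configuration() are taken from `$config` and later interpolated into the generated Apache configuration (the `SecRequestBodyInMemoryLimit`, `SecRequestBodyLimit` and `SecAuditEngine` lines in the -325 and -339 hunks) with no validation. The two limits come from free-text `input` fields, so a non-numeric value, or one carrying a line break, lands verbatim in the config file and can stop Apache from starting or add directives nobody reviewed. The audit engine value should likewise be restricted to the three values the select offers. Falling back to the existing defaults when a value fails the check keeps today's behaviour for empty fields; the function body starts and ends outside the hunk.

```php
// ... unchanged: cache root setup ...
$modsec_settings = $config['installedpackages']['apachemodsecuritysettings']['config'][0];

// Digits only; anything else (empty, "0", text, embedded newlines) keeps the default
$secrequestbodyinmemorylimit = "131072";
if(!empty($modsec_settings['secrequestbodyinmemorylimit']) && ctype_digit((string)$modsec_settings['secrequestbodyinmemorylimit']))
	$secrequestbodyinmemorylimit = $modsec_settings['secrequestbodyinmemorylimit'];

$secrequestbodylimit = "10485760";
if(!empty($modsec_settings['secrequestbodylimit']) && ctype_digit((string)$modsec_settings['secrequestbodylimit']))
	$secrequestbodylimit = $modsec_settings['secrequestbodylimit'];

// Only the values the settings page offers for SecAuditEngine
$secauditengine = "RelevantOnly";
if(in_array($modsec_settings['secauditengine'], array("On", "Off", "RelevantOnly"), true))
	$secauditengine = $modsec_settings['secauditengine'];
// ... unchanged: $mod_proxy heredoc ...
```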
@@ -325,10 +343,9 @@ EOF; SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess On - - # XXX Add knobs for these - SecRequestBodyInMemoryLimit 131072 - SecRequestBodyLimit 10485760 + + SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} + SecRequestBodyLimit {$secrequestbodylimit} {$mod_security_custom}
@@ -339,11 +356,10 @@ EOF; SecUploadDir /var/spool/apache/private SecUploadKeepFiles Off - # XXX Add knobs for these # The audit engine works independently and # can be turned On of Off on the per-server or # on the per-directory basis - SecAuditEngine RelevantOnly + SecAuditEngine {$secauditengine} # XXX Add knobs for these # Make sure that URL encoding is valid
@@ -373,8 +389,8 @@ EOF; EOF; - } + $apache_config = <<<EOF ################################################################################## # NOTE: This file was generated by the pfSense package management system. #
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 4382d731..9f1fd2c2 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -142,12 +142,35 @@ <type>input</type> </field> <field> + <fielddescr>Configures the maximum request body size ModSecurity will store in memory.</fielddescr> + <fieldname>secrequestbodyinmemorylimit</fieldname> + <description>Configures the maximum request body size ModSecurity will store in memory.</description> + <type>input</type> + </field> + <field> + <fielddescr>Configures the maximum request body size ModSecurity will accept for buffering.</fielddescr> + <fieldname>secrequestbodylimit</fieldname> + <description>Configures the maximum request body size ModSecurity will accept for buffering.</description> + <type>input</type> + </field + <field> <fielddescr>Enable mod_security protection</fielddescr> <fieldname>enablemodsecurity</fieldname> <description>Enables mod_security protection for all sites being proxied</description> <type>checkbox</type> </field> <field> + <fielddescr>Configures the audit logging engine.</fielddescr> + <fieldname>secauditengine</fieldname> + <description>Configures the audit logging engine.</description> + <type>select</type> + <options> + <option><name>RelevantOnly</name><value>RelevantOnly</value></option> + <option><name>All</name><value>On</value></option> + <option><name>Off</name><value>Off</value></option> + </options> + </field> + <field> <fielddescr>Custom mod_security rules</fielddescr> <fieldname>modsecuritycustom</fieldname> <description>Paste any custom mod_security rules that you would like to use</description> |
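Review bot: The closing tag of the new `secrequestbodylimit` field is written `</field` without the final `>`, which leaves the settings file malformed as shown here; it should read `</field>`. Separately, `<fielddescr>` on the three new fields repeats the full `<description>` sentence, while the neighbouring fields use a short label there (`Enable mod_security protection`); something like `<fielddescr>Request body limit</fielddescr>` would match. Because both limits are plain `input` fields, the description should state that the value is a whole number of bytes, so that what the admin types matches what the generated configuration expects.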