Diffstat (limited to 'config')
-rw-r--r-- | config/apache_mod_security/apache_mod_security.inc | 67 | ||||
-rw-r--r-- | config/apache_mod_security/apache_mod_security_settings.xml | 7 |
2 files changed, 44 insertions, 30 deletions
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc index 0ecd1d6b..038ae4ae 100644 --- a/config/apache_mod_security/apache_mod_security.inc +++ b/config/apache_mod_security/apache_mod_security.inc @@ -69,7 +69,41 @@ EOF; else $global_listen .= ":80"; } + if($config['installedpackages']['apache_mod_security_settings']['config']['enablemodsecurity']) { + $enable_mod_security = true; + $mod_security = <<< EOF +<IfModule mod_security.c> + # Turn the filtering engine On or Off + SecFilterEngine On + + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # Unicode encoding check + SecFilterCheckUnicodeEncoding Off + + # Only allow bytes from this range + SecFilterForceByteRange 0 255 + + # Only log suspicious requests + SecAuditEngine RelevantOnly + # The name of the audit log file + SecAuditLog logs/audit_log + # Debug level set to a minimum + SecFilterDebugLog logs/modsec_debug_log + SecFilterDebugLevel 0 + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # By default log and deny suspicious requests + # with HTTP status 500 + SecFilterDefaultAction "deny,log,status:500" +</IfModule> +EOF; + +} $apache_config = <<<EOF ################################################################################## # NOTE: This file was generated by the pfSense package management system. # 
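Review bot: `$mod_security` is assigned only inside the new `if`, so whenever `enablemodsecurity` is absent or falsy the `{$mod_security}` interpolation in the second hunk reads an undefined variable (a PHP notice and an empty block); add `$mod_security = "";` before the `if` so the template always has a defined value. Configurations saved before this change carry no `enablemodsecurity` key, so for them the condition is false and the mod_security directives that used to be emitted unconditionally stop being generated after an upgrade unless something outside this diff supplies a default; if filtering is meant to stay on by default, a missing key should be treated as enabled. `$enable_mod_security = true;` is set but not read anywhere in this diff. The enclosing function starts and ends outside the hunk.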
@@ -542,37 +576,10 @@ SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> -<IfModule mod_security.c> - # Turn the filtering engine On or Off - SecFilterEngine On - - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # Unicode encoding check - SecFilterCheckUnicodeEncoding Off - - # Only allow bytes from this range - SecFilterForceByteRange 0 255 - - # Only log suspicious requests - SecAuditEngine RelevantOnly - - # The name of the audit log file - SecAuditLog logs/audit_log - # Debug level set to a minimum - SecFilterDebugLog logs/modsec_debug_log - SecFilterDebugLevel 0 - - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # By default log and deny suspicious requests - # with HTTP status 500 - SecFilterDefaultAction "deny,log,status:500" -</IfModule> +# Mod security +{$mod_security} -# Mod_security and proxy settings +# Proxysettings {$mod_proxy} # Include anything else diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml index 2bfff47b..1aed0256 100644 --- a/config/apache_mod_security/apache_mod_security_settings.xml +++ b/config/apache_mod_security/apache_mod_security_settings.xml @@ -55,6 +55,13 @@ </tabs> <fields> <field> + <fielddescr>Enable mod_security protection</fielddescr> + <fieldname>enablemodsecurity</fieldname> + <description>Enables mod_security protection for all sites being proxied</description> + <type>input</type> + </field> + + <field> <fielddescr>Global site E-mail administrator</fielddescr> <fieldname>globalsiteadminemail</fieldname> <description>Enter the site administrators e-mail address</description> |
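Review bot: The heading on the added line `+# Proxysettings` drops the space; `# Proxy settings` reads as intended and matches the `# Mod security` heading added just above it. That `# Mod security` heading is written into the generated configuration even when `{$mod_security}` expands to nothing, leaving an orphaned comment; moving the heading into the `$mod_security` heredoc itself keeps the output clean when the option is off. The surrounding heredoc starts and ends outside the hunk.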
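Review bot: `<type>input</type>` makes the new enable flag a free-text field, and the generator in the .inc change only tests the stored value for PHP truthiness, so any non-empty text other than "0" — including "no" or "off" — turns mod_security on. A boolean option should be `<type>checkbox</type>` so the stored value is unambiguous. The description says protection applies to "all sites being proxied", while the directives appear to be inserted into the global server configuration rather than per proxied site; wording the description to match where the block is actually emitted would avoid misleading administrators.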