From 797e52de9e52c20d1306cfd32d1cc3b09fe0b940 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Sun, 21 Jun 2009 20:55:13 -0400
Subject: Add button to enable mod_security features
---
config/apache_mod_security/apache_mod_security.inc | 67 ++++++++++++----------
.../apache_mod_security_settings.xml | 7 +++
2 files changed, 44 insertions(+), 30 deletions(-)
(limited to 'config/apache_mod_security')
diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 0ecd1d6b..038ae4ae 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -69,7 +69,41 @@ EOF; else $global_listen .= ":80"; } + if($config['installedpackages']['apache_mod_security_settings']['config']['enablemodsecurity']) { + $enable_mod_security = true; + $mod_security = <<< EOF + + # Turn the filtering engine On or Off + SecFilterEngine On + + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # Unicode encoding check + SecFilterCheckUnicodeEncoding Off + + # Only allow bytes from this range + SecFilterForceByteRange 0 255 + + # Only log suspicious requests + SecAuditEngine RelevantOnly + # The name of the audit log file + SecAuditLog logs/audit_log + # Debug level set to a minimum + SecFilterDebugLog logs/modsec_debug_log + SecFilterDebugLevel 0 + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # By default log and deny suspicious requests + # with HTTP status 500 + SecFilterDefaultAction "deny,log,status:500" + +EOF; + +} $apache_config = << - - # Turn the filtering engine On or Off - SecFilterEngine On - - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # Unicode encoding check - SecFilterCheckUnicodeEncoding Off - - # Only allow bytes from this range - SecFilterForceByteRange 0 255 - - # Only log suspicious requests - SecAuditEngine RelevantOnly - - # The name of the audit log file - SecAuditLog logs/audit_log - # Debug level set to a minimum - SecFilterDebugLog logs/modsec_debug_log - SecFilterDebugLevel 0 - - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # By default log and deny suspicious requests - # with HTTP status 500 - SecFilterDefaultAction "deny,log,status:500" - +# Mod security +{$mod_security} -# Mod_security and proxy settings +# Proxysettings {$mod_proxy} # Include anything else diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml index 2bfff47b..1aed0256 100644 --- a/config/apache_mod_security/apache_mod_security_settings.xml 
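Review bot: `$mod_security` is assigned only inside the new `if`, so when `enablemodsecurity` is unset the `{$mod_security}` interpolation in the `$apache_config` heredoc reads an undefined variable, unless it is initialised above the hunk, which is not visible here; add `$mod_security = "";` before the `if`. The directives used to be written into the generated config unconditionally, so an existing install regenerates its config without `SecFilterEngine On` until an administrator ticks the new option; defaulting the setting to enabled on upgrade, or stating the change in the package notes, would avoid filtering being dropped silently. `$enable_mod_security` is set but not read anywhere in the visible lines. Separately, `SecFilterForceByteRange 0 255` accepts every byte value, so the comment above it ("Only allow bytes from this range") overstates what the directive restricts.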
+++ b/config/apache_mod_security/apache_mod_security_settings.xml @@ -54,6 +54,13 @@ + + Enable mod_security protection + enablemodsecurity + Enables mod_security protection for all sites being proxied + input + + Global site E-mail administrator globalsiteadminemail -- cgit v1.2.3
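Review bot: The new `enablemodsecurity` field appears to be declared with type `input` (the markup is stripped in this rendering, so this is read from the surviving text), which presents an on/off switch as a free-text box. The generator in `apache_mod_security.inc` tests the value with a plain truthiness check, so any non-empty text other than `0`, including `no` or `off`, would switch filtering on, and an administrator cannot tell from the form which values count as enabled. Declaring the field as `checkbox` would match the description "Enables mod_security protection for all sites being proxied" and leave only two states.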