From 797e52de9e52c20d1306cfd32d1cc3b09fe0b940 Mon Sep 17 00:00:00 2001
From: Scott Ullrich <sullrich@pfsense.org>
Date: Sun, 21 Jun 2009 20:55:13 -0400
Subject: Add button to enable mod_security features

---
 config/apache_mod_security/apache_mod_security.inc | 67 ++++++++++++----------
 .../apache_mod_security_settings.xml               |  7 +++
 2 files changed, 44 insertions(+), 30 deletions(-)

(limited to 'config/apache_mod_security')

diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index 0ecd1d6b..038ae4ae 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -69,7 +69,41 @@ EOF;
 		else 
 			$global_listen .= ":80";
 	}
+	if($config['installedpackages']['apache_mod_security_settings']['config']['enablemodsecurity'])  {
+		$enable_mod_security = true;
+		$mod_security = <<< EOF
+<IfModule mod_security.c>
+    # Turn the filtering engine On or Off
+    SecFilterEngine On
+
+    # Make sure that URL encoding is valid
+    SecFilterCheckURLEncoding On
+
+    # Unicode encoding check
+    SecFilterCheckUnicodeEncoding Off
+
+    # Only allow bytes from this range
+    SecFilterForceByteRange 0 255
+
+    # Only log suspicious requests
+    SecAuditEngine RelevantOnly
 
+    # The name of the audit log file
+    SecAuditLog logs/audit_log
+    # Debug level set to a minimum
+    SecFilterDebugLog logs/modsec_debug_log    
+    SecFilterDebugLevel 0
+
+    # Should mod_security inspect POST payloads
+    SecFilterScanPOST On
+
+    # By default log and deny suspicious requests
+    # with HTTP status 500
+    SecFilterDefaultAction "deny,log,status:500"
+</IfModule>
+EOF;
+		
+}
 	$apache_config = <<<EOF
 ##################################################################################
 # NOTE: This file was generated by the pfSense package management system.        #
@@ -542,37 +576,10 @@ SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
 
-<IfModule mod_security.c>
-    # Turn the filtering engine On or Off
-    SecFilterEngine On
-    
-    # Make sure that URL encoding is valid
-    SecFilterCheckURLEncoding On
-    
-    # Unicode encoding check
-    SecFilterCheckUnicodeEncoding Off
-    
-    # Only allow bytes from this range
-    SecFilterForceByteRange 0 255
-    
-    # Only log suspicious requests
-    SecAuditEngine RelevantOnly
-    
-    # The name of the audit log file
-    SecAuditLog logs/audit_log
-    # Debug level set to a minimum
-    SecFilterDebugLog logs/modsec_debug_log    
-    SecFilterDebugLevel 0
-    
-    # Should mod_security inspect POST payloads
-    SecFilterScanPOST On
-    
-    # By default log and deny suspicious requests
-    # with HTTP status 500
-    SecFilterDefaultAction "deny,log,status:500"
-</IfModule>
+# Mod security
+{$mod_security}
 
-# Mod_security and proxy settings
+# Proxysettings
 {$mod_proxy}
 
 # Include anything else
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 2bfff47b..1aed0256 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -54,6 +54,13 @@
 		</tab>
 	</tabs>
 	<fields>
+		<field>
+			<fielddescr>Enable mod_security protection</fielddescr>
+			<fieldname>enablemodsecurity</fieldname>
+			<description>Enables mod_security protection for all sites being proxied</description>
+			<type>input</type>
+		</field>
+
 		<field>
 			<fielddescr>Global site E-mail administrator</fielddescr>
 			<fieldname>globalsiteadminemail</fieldname>
-- 
cgit v1.2.3