From 20ac9963e6f161754df5e1a59a7d968cd0bab091 Mon Sep 17 00:00:00 2001
From: doktornotor
Date: Tue, 15 Sep 2015 22:36:11 +0200
Subject: apache_mod_security - pfSense 2.1.x and 2.2.x and other fixes

apache_mod_security_settings.xml
- Add input validation
- Remove no-op/useless tags
- base64_encode() the textarea fields
- Code style and indentation fixes
- Improve descriptions and other cosmetics
---
 .../apache_mod_security_settings.xml | 241 ++++++++++++---------
 1 file changed, 140 insertions(+), 101 deletions(-)

diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 479e7509..c5f1da5c 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -1,52 +1,57 @@ - - + + - - + - + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ====================================================================================== */ + ]]> + apache_mod_security_settings - 1.0 + 0.1.8 Services: Mod_Security+Apache+Proxy: Settings - pkg_edit.php?xml=apache_mod_security_settings.xml&id=0 + /usr/local/pkg/apache_mod_security.inc + pkg_edit.php?xml=apache_mod_security_settings.xml + enabled Proxy Server Settings - /pkg_edit.php?xml=apache_mod_security_settings.xml&id=0 - + /pkg_edit.php?xml=apache_mod_security_settings.xml + Site Proxies @@ -59,19 +64,23 @@ - Global site E-mail administrator + General Proxy Settings + listtopic + + + Global Site Administrator E-Mail Address globalsiteadminemail - Enter the site administrators e-mail address + Enter the e-mail address of the global site administrator. input + admin@example.com - Server hostname + Server Hostname hostname - NOTE: Leave blank to use this devices hostname. + Enter the server's hostname.
+ NOTE: Leave blank to use the hostname of this device. ]]>
input @@ -81,47 +90,43 @@ globalbindtoipaddr - NOTE: Leave blank to bind to * + This is the IP address the Proxy Server will listen on.
+ NOTE: Leave blank to bind to * (any). ]]>
input
- Default Bind to port + Default Bind to Port globalbindtoport - NOTE: Leave blank to bind to 80 - ]]> + This is the port the Proxy Server will listen on.
+ NOTE: Leaving this blank will bind to default port 80. + ]]>
input + 80
- Do not edit. This field will be automatically populated from Site Proxies settings. + Additional Addresses
+ DO NOT EDIT! This field will be automatically populated from Site Proxies settings. ]]>
additionaladdresses - rowhelper IP Address ipaddress - input 45 Port ipport - input 10 @@ -132,99 +137,133 @@ mod_mem_cache + Enables mod_mem_cache which stores cached documents in memory. + ]]> checkbox + mod_mem_cache_size
- mod_mem_cache memory usage + mod_mem_cache Memory Usage mod_mem_cache_size + The maximum amount of memory used by mod_mem_cache in KBytes. (Default: 100) + ]]> input + 100 Use mod_disk_cache mod_disk_cache + mod_disk_cache implements a disk based storage manager. It is primarily of use in conjunction with mod_cache. + ]]> checkbox + mod_disk_cache_max_filesize - mod_disk_cache memory usage - mod_disk_cache_size + mod_disk_cache CacheMaxFileSize + mod_disk_cache_max_filesize + The maximum size (in bytes) of a document to be placed in the cache. (Default: 1000000) + ]]> input + 1000000 - Limits number of POSTS accepted from same IP address - SecReadStateLimit - - - - input + mod_security Settings + listtopic + + + Enable mod_security Protection + enablemodsecurity + Enables mod_security protection for all sites being proxied. + checkbox + secrequestbodyinmemorylimit,secrequestbodylimit - Configures the maximum request body size ModSecurity will store in memory. + SecRequestBodyInMemoryLimit secrequestbodyinmemorylimit - Configures the maximum request body size ModSecurity will store in memory. + + + input + 131072 - Configures the maximum request body size ModSecurity will accept for buffering. + SecRequestBodyLimit secrequestbodylimit - Configures the maximum request body size ModSecurity will accept for buffering. + + + input + 10485760 - Enable mod_security protection - enablemodsecurity - Enables mod_security protection for all sites being proxied - checkbox - - - Configures the audit logging engine. + SecAuditEngine secauditengine - Configures the audit logging engine. - select + +
+ On: Log all transactions.
+ Off: Do not log any transactions.
+ RelevantOnly: Only the log transactions that have triggered a warning or an error, or have a status code that is considered to be relevant. + ]]> +
+ select - - - + + +
Custom mod_security ErrorDocument - errordocument - + errordocument_custom textarea - 10 - 75 + 10 + 75 + + Apache Core Features - ErrorDocument Directive for documentation.

+ Example:
+ ErrorDocument 403 "Sorry, can't allow you access today"
+ ErrorDocument 404 http://banned.example.com/notfound.php
+ ErrorDocument 500 /denied.html + ]]> +
+ base64
- Custom mod_security rules - modsecuritycustom - Paste any custom mod_security rules that you would like to use + Custom mod_security Rules + modsecuritycustom_adv + + + See ModSecurity Reference Manual. + ]]> + textarea - 10 - 75 + 10 + 75 + base64 +
apache_mod_security_resync(); - /usr/local/pkg/apache_mod_security.inc -
\ No newline at end of file + + apache_mod_security_validate_input($_POST, $input_errors); + +
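Review bot: in the first hunk (@@ -1,52 +1,57 @@) the package version changes from 1.0 to 0.1.8, which reads as a downgrade; if the intent is to fall in line with a 0.x versioning scheme for this package, state that in the commit message, otherwise bump above 1.0 so that upgrade logic comparing versions still sees this as newer. The same hunk adds the `/usr/local/pkg/apache_mod_security.inc` include and drops the `&id=0` from the pkg_edit.php URLs; those two belong together with the validation hook added at the end of the file, since the include is what makes the validation function resolvable.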
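Review bot: the new default `admin@example.com` for `globalsiteadminemail` in the second hunk (@@ -59,19 +64,23 @@) is saved into the configuration as the site administrator address whenever the page is saved without editing the field; since this commit adds input validation, either leave the default empty and require a value, or have the validation reject the unchanged example.com placeholder, and in both cases check the value is a syntactically valid e-mail address. The `hostname` field is free text with only a description ("Leave blank to use the hostname of this device"); validate it as a hostname too, because it feeds the generated proxy configuration.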
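Review bot: the `additionaladdresses` rowhelper in the third hunk (@@ -81,47 +90,43 @@) now carries "DO NOT EDIT! This field will be automatically populated from Site Proxies settings", but the description is the only thing discouraging edits; the rows are still submitted with the form, so the new validation should ignore or reject user changes to this field, or regenerate it from the Site Proxies settings on save, rather than trusting whatever is posted. For `globalbindtoipaddr` ("Leave blank to bind to * (any)") and `globalbindtoport` (default 80) the validation should accept only a valid IP address and a numeric port in range, since both go straight into the listener configuration.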
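Review bot: the last hunk (@@ -132,99 +137,133 @@) renames three fieldnames (`mod_disk_cache_size` to `mod_disk_cache_max_filesize`, `errordocument` to `errordocument_custom`, `modsecuritycustom` to `modsecuritycustom_adv`) and switches both textareas to base64 encoding, but there is no migration step, so on upgrade existing custom ErrorDocument directives and custom mod_security rules are silently dropped and the cache file size resets to its default; add a one-time conversion in the .inc (read the old key, base64_encode() the value, store it under the new key) or state the reset in the commit message. The `SecReadStateLimit` field ("Limits number of POSTS accepted from same IP address") is removed without being mentioned in the commit message; if it is gone because the directive is unsupported by the shipped mod_security, say so, as it was the only per-IP limit exposed on this page. Two smaller points: `apache_mod_security_validate_input($_POST, $input_errors)` is called from the new validation hook but is not defined anywhere in this diff (only the XML changes), so saving the page will fail with an undefined function until the matching .inc change lands; and the RelevantOnly description reads "Only the log transactions that have triggered..." where "Only log the transactions that have triggered..." is meant.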