From 6abe1f9648d0b3ea16c5901d7490d829a2d78063 Mon Sep 17 00:00:00 2001
From: Scott Ullrich <sullrich@G5.local>
Date: Tue, 27 Oct 2009 19:59:57 -0400
Subject: Add more tunables

---
 config/apache_mod_security/apache_mod_security.inc | 34 ++++++++++++++++------
 .../apache_mod_security_settings.xml               | 23 +++++++++++++++
 2 files changed, 48 insertions(+), 9 deletions(-)

(limited to 'config')

diff --git a/config/apache_mod_security/apache_mod_security.inc b/config/apache_mod_security/apache_mod_security.inc
index c45f426d..eee5af4c 100644
--- a/config/apache_mod_security/apache_mod_security.inc
+++ b/config/apache_mod_security/apache_mod_security.inc
@@ -36,7 +36,7 @@ conf_mount_rw();
 // Needed mod_security directories
 if(!is_dir("/usr/local/apachemodsecurity"))  	
 	safe_mkdir("/usr/local/apachemodsecurity");
-if(!is_dir("/usr/local/apachemodsecurity")) 
+if(!is_dir("/usr/local/apachemodsecurity/rules")) 
 	safe_mkdir("/usr/local/apachemodsecurity/rules");
 
 // Startup function	
@@ -166,7 +166,25 @@ function generate_apache_configuration() {
 		safe_mkdir("/var/db/apachemodsecuritycache");
 		$cache_root .= "CacheRoot /var/db/apachemodsecuritycache\n";
 	}
-		
+
+	// SecRequestBodyInMemoryLimit Directive
+	if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit']) 
+		$secrequestbodyinmemorylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodyinmemorylimit'];
+	else 
+		$secrequestbodyinmemorylimit = "131072";
+
+	// SecRequestBodyLimit
+	if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit']) 
+		$secrequestbodylimit = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secrequestbodylimit'];
+	else 
+		$secrequestbodylimit = "10485760";
+
+	// SecAuditEngine
+	if($config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine']) 
+		$secauditengine = $config['installedpackages']['apachemodsecuritysettings']['config'][0]['secauditengine'];
+	else 
+		$secauditengine = "RelevantOnly";
+
 	$mod_proxy .= <<<EOF
 
 # Off when using ProxyPass
@@ -325,10 +343,9 @@ EOF;
 	SecRuleEngine On
 	SecRequestBodyAccess On
 	SecResponseBodyAccess On
-	
-	# XXX Add knobs for these
-	SecRequestBodyInMemoryLimit 131072
-	SecRequestBodyLimit 10485760
+
+	SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit}
+	SecRequestBodyLimit {$secrequestbodylimit}
 
 	{$mod_security_custom}
 
@@ -339,11 +356,10 @@ EOF;
 	SecUploadDir /var/spool/apache/private
 	SecUploadKeepFiles Off
 
-	# XXX Add knobs for these
     # The audit engine works independently and
     # can be turned On of Off on the per-server or
     # on the per-directory basis
-    SecAuditEngine RelevantOnly
+    SecAuditEngine {$secauditengine}
 
 	# XXX Add knobs for these
     # Make sure that URL encoding is valid
@@ -373,8 +389,8 @@ EOF;
 
 EOF;
 
-		
 }
+
 	$apache_config = <<<EOF
 ##################################################################################
 # NOTE: This file was generated by the pfSense package management system.        #
diff --git a/config/apache_mod_security/apache_mod_security_settings.xml b/config/apache_mod_security/apache_mod_security_settings.xml
index 4382d731..9f1fd2c2 100644
--- a/config/apache_mod_security/apache_mod_security_settings.xml
+++ b/config/apache_mod_security/apache_mod_security_settings.xml
@@ -141,12 +141,35 @@
 			</description>
 			<type>input</type>
 		</field>
+		<field>
+			<fielddescr>Configures the maximum request body size ModSecurity will store in memory.</fielddescr>
+			<fieldname>secrequestbodyinmemorylimit</fieldname>
+			<description>Configures the maximum request body size ModSecurity will store in memory.</description>
+			<type>input</type>
+		</field>
+		<field>
+			<fielddescr>Configures the maximum request body size ModSecurity will accept for buffering.</fielddescr>
+			<fieldname>secrequestbodylimit</fieldname>
+			<description>Configures the maximum request body size ModSecurity will accept for buffering.</description>
+			<type>input</type>
+		</field
 		<field>
 			<fielddescr>Enable mod_security protection</fielddescr>
 			<fieldname>enablemodsecurity</fieldname>
 			<description>Enables mod_security protection for all sites being proxied</description>
 			<type>checkbox</type>
 		</field>
+		<field>
+			<fielddescr>Configures the audit logging engine.</fielddescr>
+			<fieldname>secauditengine</fieldname>
+			<description>Configures the audit logging engine.</description>
+			<type>select</type>			
+			<options>
+			    <option><name>RelevantOnly</name><value>RelevantOnly</value></option>
+			    <option><name>All</name><value>On</value></option>
+			    <option><name>Off</name><value>Off</value></option>
+			</options>
+		</field>
 		<field>
 			<fielddescr>Custom mod_security rules</fielddescr>
 			<fieldname>modsecuritycustom</fieldname>
-- 
cgit v1.2.3