fix: update ModSecurity global CRS rules configuration to handle when…

… USE_MODSECURITY_CRS is set to no
bunkerity · Feb 11, 2025 · 1c5616e · 1c5616e
1 parent 3021912
commit 1c5616e
Showing 1 changed file with 72 additions and 70 deletions.
diff --git a/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec b/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec
@@ -84,122 +84,124 @@ SecAction \
   t:none,\
   setvar:'tx.allowed_methods={{ ALLOWED_METHODS.replace("|", " ") }}'"
 
+{% if USE_MODSECURITY_CRS == "yes" -%}
 # include OWASP CRS configurations
-{% if MODSECURITY_CRS_VERSION == "nightly" %}
-  {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-setup-nightly.conf").is_file() %}
+  {% if MODSECURITY_CRS_VERSION == "nightly" %}
+    {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-setup-nightly.conf").is_file() %}
 include /var/cache/bunkerweb/modsecurity/crs/nightly/crs-setup-nightly.conf
-  {%- else %}
+    {%- else %}
 # fallback to the default CRS setup as the nightly one is not available
 include /usr/share/bunkerweb/core/modsecurity/files/crs-setup-v4.conf
-  {%- endif %}
-{% else %}
+    {%- endif %}
+  {% else %}
 include /usr/share/bunkerweb/core/modsecurity/files/crs-setup-v{{ MODSECURITY_CRS_VERSION }}.conf
-{% endif %}
+  {% endif %}
 
-{% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" -%}
+  {% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" -%}
 # custom CRS plugins configurations before loading plugins
-  {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before") %}
+    {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before") %}
 include /etc/bunkerweb/configs/crs-plugins-before/*.conf
-  {% endif %}
-  {% for service_id in SERVER_NAME.split(" ") %}
-    {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before/" + service_id) %}
-include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf
     {% endif %}
-  {% endfor %}
-  {% if is_custom_conf("/etc/nginx/crs-plugins-before") %}
-include /etc/nginx/crs-plugins-before/*.conf
-  {% endif %}
-  {% for service_id in SERVER_NAME.split(" ") %}
-    {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-before/") %}
+    {% for service_id in SERVER_NAME.split(" ") %}
+      {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before/" + service_id) %}
 include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf
+      {% endif %}
+    {% endfor %}
+    {% if is_custom_conf("/etc/nginx/crs-plugins-before") %}
+include /etc/nginx/crs-plugins-before/*.conf
     {% endif %}
-  {% endfor %}
+    {% for service_id in SERVER_NAME.split(" ") %}
+      {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-before/") %}
+include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf
+      {% endif %}
+    {% endfor %}
 
-  {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %}
-    {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %}
-      {% if plugins_path.is_dir() and plugins_file.is_file() %}
-        {% with service_plugins = json.loads(plugins_file.read_text()) %}
+    {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %}
+      {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %}
+        {% if plugins_path.is_dir() and plugins_file.is_file() %}
+          {% with service_plugins = json.loads(plugins_file.read_text()) %}
 # include downloaded CRS plugins configurations and before rules
-          {% for service_id in SERVER_NAME.split(" ") %}
-            {% for plugin_id in service_plugins.get(service_id, []) %}
-              {% if plugins_path.joinpath(plugin_id).is_dir() %}
+            {% for service_id in SERVER_NAME.split(" ") %}
+              {% for plugin_id in service_plugins.get(service_id, []) %}
+                {% if plugins_path.joinpath(plugin_id).is_dir() %}
 include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-config.conf
-                {% if plugins_path.joinpath(plugin_id).glob("*-before.conf") | list %}
+                  {% if plugins_path.joinpath(plugin_id).glob("*-before.conf") | list %}
 include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-before.conf
+                  {% endif %}
                 {% endif %}
-              {% endif %}
+              {% endfor %}
             {% endfor %}
-          {% endfor %}
-        {% endwith %}
-      {% endif %}
+          {% endwith %}
+        {% endif %}
+      {% endwith %}
     {% endwith %}
-  {% endwith %}
-{% endif %}
+  {% endif %}
 
 # custom CRS configurations before loading rules (e.g. exclusions)
-{% if is_custom_conf("/etc/bunkerweb/configs/modsec-crs") %}
+  {% if is_custom_conf("/etc/bunkerweb/configs/modsec-crs") %}
 include /etc/bunkerweb/configs/modsec-crs/*.conf
-{% endif %}
-{% if is_custom_conf("/etc/nginx/modsec-crs") %}
+  {% endif %}
+  {% if is_custom_conf("/etc/nginx/modsec-crs") %}
 include /etc/nginx/modsec-crs/*.conf
-{% endif %}
+  {% endif %}
 include /etc/nginx/http/*.modsec-crs
 
 # Check if client is whitelisted
 SecRule ENV:is_whitelisted "yes" "id:1000,phase:1,allow,nolog,ctl:ruleEngine=Off"
 
 # include OWASP CRS rules
-{% if MODSECURITY_CRS_VERSION == "nightly" %}
-  {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-nightly/rules").is_dir() %}
+  {% if MODSECURITY_CRS_VERSION == "nightly" %}
+    {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-nightly/rules").is_dir() %}
 include /var/cache/bunkerweb/modsecurity/crs/nightly/crs-nightly/rules/*.conf
-  {%- else %}
+    {%- else %}
 # fallback to the default CRS setup as the nightly one is not available
 include /usr/share/bunkerweb/core/modsecurity/files/coreruleset-v4/rules/*.conf
-  {%- endif %}
-{% else %}
+    {%- endif %}
+  {% else %}
 include /usr/share/bunkerweb/core/modsecurity/files/coreruleset-v{{ MODSECURITY_CRS_VERSION }}/rules/*.conf
-{% endif %}
+  {% endif %}
 
-{% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" %}
+  {% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" %}
 # custom CRS plugins configurations after loading plugins
-  {%- if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after") %}
+    {%- if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after") %}
 include /etc/bunkerweb/configs/crs-plugins-after/*.conf
-  {%- endif %}
-  {% for service_id in SERVER_NAME.split(" ") %}
-    {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after/" + service_id) %}
+    {%- endif %}
+    {% for service_id in SERVER_NAME.split(" ") %}
+      {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after/" + service_id) %}
 include /etc/bunkerweb/configs/crs-plugins-after/{{ service_id }}/*.conf
-    {% endif %}
-  {% endfor %}
-  {% if is_custom_conf("/etc/nginx/crs-plugins-after") %}
+      {% endif %}
+    {% endfor %}
+    {% if is_custom_conf("/etc/nginx/crs-plugins-after") %}
 include /etc/nginx/crs-plugins-after/*.conf
-  {% endif %}
-  {% for service_id in SERVER_NAME.split(" ") %}
-    {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-after/") %}
-include /etc/nginx/{{ service_id }}/crs-plugins-after/*.conf
     {% endif %}
-  {% endfor %}
+    {% for service_id in SERVER_NAME.split(" ") %}
+      {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-after/") %}
+include /etc/nginx/{{ service_id }}/crs-plugins-after/*.conf
+      {% endif %}
+    {% endfor %}
 
-  {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %}
-    {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %}
-      {% if plugins_path.is_dir() and plugins_file.is_file() %}
+    {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %}
+      {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %}
+        {% if plugins_path.is_dir() and plugins_file.is_file() %}
 # include downloaded CRS plugins after rules
-        {% with service_plugins = json.loads(plugins_file.read_text()) %}
-          {% for service_id in SERVER_NAME.split(" ") %}
-            {% for plugin_id in service_plugins.get(service_id, []) %}
-              {% if plugins_path.joinpath(plugin_id).is_dir() and plugins_path.joinpath(plugin_id).glob("*-after.conf") | list %}
+          {% with service_plugins = json.loads(plugins_file.read_text()) %}
+            {% for service_id in SERVER_NAME.split(" ") %}
+              {% for plugin_id in service_plugins.get(service_id, []) %}
+                {% if plugins_path.joinpath(plugin_id).is_dir() and plugins_path.joinpath(plugin_id).glob("*-after.conf") | list %}
 include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-after.conf
-              {% endif %}
+                {% endif %}
+              {% endfor %}
             {% endfor %}
-          {% endfor %}
-        {% endwith %}
-      {% endif %}
+          {% endwith %}
+        {% endif %}
+      {% endwith %}
     {% endwith %}
-  {% endwith %}
-{% endif %}
+  {% endif %}
 
 # set REASON env var
 SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity,setenv:REASON_DATA=%{TX.BUNKERWEB_RULES}"
 SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity,setenv:REASON_DATA=%{TX.BUNKERWEB_RULES}"
 
 # let BW manage when method is not allowed (and save up some computing)
-SecRuleUpdateActionById 911100 "t:none,allow,nolog"
+SecRuleUpdateActionById 911100 "t:none,allow,nolog"
+{% endif +%}