From 1c5616e60dfaf90259e753b894bba0aab4a99899 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophile=20Diot?= Date: Tue, 11 Feb 2025 10:16:03 +0100 Subject: [PATCH] fix: update ModSecurity global CRS rules configuration to handle when USE_MODSECURITY_CRS is set to no --- .../modsecurity-rules-global-crs.conf.modsec | 142 +++++++++--------- 1 file changed, 72 insertions(+), 70 deletions(-) diff --git a/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec b/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec index 2e1b5743d..6c1e4efe1 100644 --- a/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec +++ b/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec 
@@ -84,122 +84,124 @@ SecAction \ t:none,\ setvar:'tx.allowed_methods={{ ALLOWED_METHODS.replace("|", " ") }}'" +{% if USE_MODSECURITY_CRS == "yes" -%} # include OWASP CRS configurations -{% if MODSECURITY_CRS_VERSION == "nightly" %} - {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-setup-nightly.conf").is_file() %} + {% if MODSECURITY_CRS_VERSION == "nightly" %} + {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-setup-nightly.conf").is_file() %} include /var/cache/bunkerweb/modsecurity/crs/nightly/crs-setup-nightly.conf - {%- else %} + {%- else %} # fallback to the default CRS setup as the nightly one is not available include /usr/share/bunkerweb/core/modsecurity/files/crs-setup-v4.conf - {%- endif %} -{% else %} + {%- endif %} + {% else %} include /usr/share/bunkerweb/core/modsecurity/files/crs-setup-v{{ MODSECURITY_CRS_VERSION }}.conf -{% endif %} + {% endif %} -{% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" -%} + {% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" -%} # custom CRS plugins configurations before loading plugins - {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before") %} + {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before") %} include /etc/bunkerweb/configs/crs-plugins-before/*.conf - {% endif %} - {% for service_id in SERVER_NAME.split(" ") %} - {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before/" + service_id) %} -include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf {% endif %} - {% endfor %} - {% if is_custom_conf("/etc/nginx/crs-plugins-before") %} -include /etc/nginx/crs-plugins-before/*.conf - {% endif %} - {% for service_id in SERVER_NAME.split(" ") %} - {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-before/") %} + {% for service_id in SERVER_NAME.split(" ") %} + {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before/" + service_id) %} include 
/etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf + {% endif %} + {% endfor %} + {% if is_custom_conf("/etc/nginx/crs-plugins-before") %} +include /etc/nginx/crs-plugins-before/*.conf {% endif %} - {% endfor %} + {% for service_id in SERVER_NAME.split(" ") %} + {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-before/") %} +include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf + {% endif %} + {% endfor %} - {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %} - {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %} - {% if plugins_path.is_dir() and plugins_file.is_file() %} - {% with service_plugins = json.loads(plugins_file.read_text()) %} + {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %} + {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %} + {% if plugins_path.is_dir() and plugins_file.is_file() %} + {% with service_plugins = json.loads(plugins_file.read_text()) %} # include downloaded CRS plugins configurations and before rules - {% for service_id in SERVER_NAME.split(" ") %} - {% for plugin_id in service_plugins.get(service_id, []) %} - {% if plugins_path.joinpath(plugin_id).is_dir() %} + {% for service_id in SERVER_NAME.split(" ") %} + {% for plugin_id in service_plugins.get(service_id, []) %} + {% if plugins_path.joinpath(plugin_id).is_dir() %} include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-config.conf - {% if plugins_path.joinpath(plugin_id).glob("*-before.conf") | list %} + {% if plugins_path.joinpath(plugin_id).glob("*-before.conf") | list %} include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-before.conf + {% endif %} {% endif %} - {% endif %} + {% endfor %} {% endfor %} - {% endfor %} - {% endwith %} - {% endif %} + {% endwith %} + {% endif %} + {% endwith %} {% endwith %} - {% endwith %} -{% endif %} + {% endif %} 
# custom CRS configurations before loading rules (e.g. exclusions) -{% if is_custom_conf("/etc/bunkerweb/configs/modsec-crs") %} + {% if is_custom_conf("/etc/bunkerweb/configs/modsec-crs") %} include /etc/bunkerweb/configs/modsec-crs/*.conf -{% endif %} -{% if is_custom_conf("/etc/nginx/modsec-crs") %} + {% endif %} + {% if is_custom_conf("/etc/nginx/modsec-crs") %} include /etc/nginx/modsec-crs/*.conf -{% endif %} + {% endif %} include /etc/nginx/http/*.modsec-crs # Check if client is whitelisted SecRule ENV:is_whitelisted "yes" "id:1000,phase:1,allow,nolog,ctl:ruleEngine=Off" # include OWASP CRS rules -{% if MODSECURITY_CRS_VERSION == "nightly" %} - {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-nightly/rules").is_dir() %} + {% if MODSECURITY_CRS_VERSION == "nightly" %} + {%- if pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/nightly/crs-nightly/rules").is_dir() %} include /var/cache/bunkerweb/modsecurity/crs/nightly/crs-nightly/rules/*.conf - {%- else %} + {%- else %} # fallback to the default CRS setup as the nightly one is not available include /usr/share/bunkerweb/core/modsecurity/files/coreruleset-v4/rules/*.conf - {%- endif %} -{% else %} + {%- endif %} + {% else %} include /usr/share/bunkerweb/core/modsecurity/files/coreruleset-v{{ MODSECURITY_CRS_VERSION }}/rules/*.conf -{% endif %} + {% endif %} -{% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" %} + {% if USE_MODSECURITY_CRS_PLUGINS == "yes" and MODSECURITY_CRS_VERSION != "3" %} # custom CRS plugins configurations after loading plugins - {%- if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after") %} + {%- if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after") %} include /etc/bunkerweb/configs/crs-plugins-after/*.conf - {%- endif %} - {% for service_id in SERVER_NAME.split(" ") %} - {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after/" + service_id) %} + {%- endif %} + {% for service_id in SERVER_NAME.split(" ") %} + {% if 
is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after/" + service_id) %} include /etc/bunkerweb/configs/crs-plugins-after/{{ service_id }}/*.conf - {% endif %} - {% endfor %} - {% if is_custom_conf("/etc/nginx/crs-plugins-after") %} + {% endif %} + {% endfor %} + {% if is_custom_conf("/etc/nginx/crs-plugins-after") %} include /etc/nginx/crs-plugins-after/*.conf - {% endif %} - {% for service_id in SERVER_NAME.split(" ") %} - {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-after/") %} -include /etc/nginx/{{ service_id }}/crs-plugins-after/*.conf {% endif %} - {% endfor %} + {% for service_id in SERVER_NAME.split(" ") %} + {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-after/") %} +include /etc/nginx/{{ service_id }}/crs-plugins-after/*.conf + {% endif %} + {% endfor %} - {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %} - {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %} - {% if plugins_path.is_dir() and plugins_file.is_file() %} + {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %} + {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %} + {% if plugins_path.is_dir() and plugins_file.is_file() %} # include downloaded CRS plugins after rules - {% with service_plugins = json.loads(plugins_file.read_text()) %} - {% for service_id in SERVER_NAME.split(" ") %} - {% for plugin_id in service_plugins.get(service_id, []) %} - {% if plugins_path.joinpath(plugin_id).is_dir() and plugins_path.joinpath(plugin_id).glob("*-after.conf") | list %} + {% with service_plugins = json.loads(plugins_file.read_text()) %} + {% for service_id in SERVER_NAME.split(" ") %} + {% for plugin_id in service_plugins.get(service_id, []) %} + {% if plugins_path.joinpath(plugin_id).is_dir() and plugins_path.joinpath(plugin_id).glob("*-after.conf") | list %} include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ 
plugin_id }}/*-after.conf - {% endif %} + {% endif %} + {% endfor %} {% endfor %} - {% endfor %} - {% endwith %} - {% endif %} + {% endwith %} + {% endif %} + {% endwith %} {% endwith %} - {% endwith %} -{% endif %} + {% endif %} # set REASON env var SecRuleUpdateActionById 949110 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity,setenv:REASON_DATA=%{TX.BUNKERWEB_RULES}" SecRuleUpdateActionById 959100 "t:none,deny,status:{{ DENY_HTTP_STATUS }},setenv:REASON=modsecurity,setenv:REASON_DATA=%{TX.BUNKERWEB_RULES}" # let BW manage when method is not allowed (and save up some computing) -SecRuleUpdateActionById 911100 "t:none,allow,nolog" \ No newline at end of file +SecRuleUpdateActionById 911100 "t:none,allow,nolog" +{% endif +%}
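Review bot: The re-added per-service block guarded by `{% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-before/") %}` still includes `/etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf`, so custom plugin configs placed under `/etc/nginx/<service>/crs-plugins-before/` are never loaded and the /etc/bunkerweb per-service path appears to be included a second time (as far as the collapsed hunk can be read). The crs-plugins-after counterpart later in the same hunk uses `include /etc/nginx/{{ service_id }}/crs-plugins-after/*.conf`, so the before block should mirror it: `include /etc/nginx/{{ service_id }}/crs-plugins-before/*.conf`. Including the same files twice may also trip ModSecurity's duplicate rule-id check if those confs define rules rather than only exclusions. Separately, the whitelist bypass `SecRule ENV:is_whitelisted "yes" "id:1000,phase:1,allow,nolog,ctl:ruleEngine=Off"` now sits inside the new `USE_MODSECURITY_CRS == "yes"` guard, so it is worth confirming that whitelisted clients are meant to lose that bypass for any non-CRS rules when CRS is disabled.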