From 825583514effedf4c801cb23ad48dadacc0eec60 Mon Sep 17 00:00:00 2001
From: florian
Date: Tue, 11 Feb 2025 21:45:05 +0100
Subject: [PATCH] modsec - fix global CRS usage and wrong multisite condition

---
 .../modsecurity/confs/http/http3.modsec-crs | 12 +++
 .../modsecurity-rules-global-crs.conf.modsec | 77 +++++-------------
 .../modsecurity/confs/http/modsecurity.conf | 2 +-
 .../confs/server-http/modsecurity.conf | 2 +-
 4 files changed, 34 insertions(+), 59 deletions(-)
 create mode 100644 src/common/core/modsecurity/confs/http/http3.modsec-crs

diff --git a/src/common/core/modsecurity/confs/http/http3.modsec-crs b/src/common/core/modsecurity/confs/http/http3.modsec-crs
new file mode 100644
index 000000000..2c1621c05
--- /dev/null
+++ b/src/common/core/modsecurity/confs/http/http3.modsec-crs
@@ -0,0 +1,12 @@
+{%- if USE_MODSECURITY == "yes" and "TLSv1.3" in SSL_PROTOCOLS and HTTP3 == "yes" and USE_PROXY_PROTOCOL == "no" %}
+ {%- if MODSECURITY_CRS_VERSION == "3" %}
+SecAction \
+"id:900230,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
+ {% endif %}
+SecRuleRemoveById 920280
+{%- endif %}
diff --git a/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec b/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec
index 301b75979..80e5847cb 100644
--- a/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec
+++ b/src/common/core/modsecurity/confs/http/modsecurity-rules-global-crs.conf.modsec
@@ -76,6 +76,7 @@ SecAuditLog /var/log/bunkerweb/modsec_audit.log
 # unset REASON* env vars
 SecAction "nolog,phase:1,setenv:REASON=none,setenv:REASON_DATA=none"
+{% if MULTISITE == "no" %}
 # Auto update allowed methods (Generated from ALLOWED_METHODS)
 SecAction \
 "id:900200,\
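Review bot: `SecRuleRemoveById 920280` at the end of the new http3.modsec-crs file disables that rule for every request on the http block, not only HTTP/3 ones, and carries no comment saying which HTTP/3 behaviour makes it fire. If the exclusion is only needed for HTTP/3 traffic, a protocol-scoped exclusion keeps the rule active for HTTP/1.1 and HTTP/2 clients, e.g. `SecRule REQUEST_PROTOCOL "@beginsWith HTTP/3" "id:<NEW_RULE_ID>,phase:1,nolog,pass,ctl:ruleRemoveById=920280"`. The 900230 SecAction also reuses the id that CRS 3's crs-setup.conf uses for its own allowed-HTTP-versions action; if the bundled setup file defines that id as well, libmodsecurity will reject the duplicate at load time, so it is worth confirming it is commented out there. A one-line comment such as `# HTTP/3: extend tx.allowed_http_versions (CRS 3 only) and drop 920280 because <reason>` would record both decisions for the next reader.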
@@ -84,6 +85,25 @@ SecAction \
 pass,\
 t:none,\
 setvar:'tx.allowed_methods={{ ALLOWED_METHODS.replace("|", " ") }}'"
+{% else %}
+ {%- set allowed_methods_list = [] -%}
+ {%- for server_name in SERVER_NAME.split(" ") -%}
+ {%- set server_allowed_methods = all[server_name + "_ALLOWED_METHODS"].split("|") -%}
+ {%- for method in server_allowed_methods -%}
+ {%- if method not in allowed_methods_list -%}
+ {%- set tmp = allowed_methods_list.append(method) -%}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- endfor -%}
+# Auto update allowed methods (Generated from all server-specific ALLOWED_METHODS)
+SecAction \
+ "id:900200,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:'tx.allowed_methods={{ allowed_methods_list | join(" ") }}'"
+{% endif %}
 {% if USE_MODSECURITY_CRS == "yes" -%}
 # include OWASP CRS configurations
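Review bot: In the `{% else %}` branch, `all[server_name + "_ALLOWED_METHODS"]` assumes every service listed in SERVER_NAME carries its own ALLOWED_METHODS entry; if a service only inherits the global value the lookup is undefined and `.split("|")` fails at render time (depends on how `all` is populated, which is not visible here), so `all.get(server_name + "_ALLOWED_METHODS", ALLOWED_METHODS).split("|")` would be the safer form. Taking the union over all services also means the http-level `tx.allowed_methods` is only as strict as the most permissive service, which a reader could easily mistake for a policy relaxation; a comment such as `# union of all services' methods: the stricter per-service policy is still enforced at server level` (assuming it is) would make the intent explicit. The `{% if MULTISITE == "no" %}` this branch belongs to is opened in the previous hunk.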
@@ -103,39 +123,9 @@ include /usr/share/bunkerweb/core/modsecurity/files/crs-setup-v{{ MODSECURITY_CR
 {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before") %}
 include /etc/bunkerweb/configs/crs-plugins-before/*.conf
 {% endif %}
- {% for service_id in SERVER_NAME.split(" ") %}
- {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-before/" + service_id) %}
-include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf
- {% endif %}
- {% endfor %}
 {% if is_custom_conf("/etc/nginx/crs-plugins-before") %}
 include /etc/nginx/crs-plugins-before/*.conf
 {% endif %}
- {% for service_id in SERVER_NAME.split(" ") %}
- {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-before/") %}
-include /etc/bunkerweb/configs/crs-plugins-before/{{ service_id }}/*.conf
- {% endif %}
- {% endfor %}
-
- {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %}
- {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %}
- {% if plugins_path.is_dir() and plugins_file.is_file() %}
- {% with service_plugins = json.loads(plugins_file.read_text()) %}
-# include downloaded CRS plugins configurations and before rules
- {% for service_id in SERVER_NAME.split(" ") %}
- {% for plugin_id in service_plugins.get(service_id, []) %}
- {% if plugins_path.joinpath(plugin_id).is_dir() %}
-include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-config.conf
- {% if plugins_path.joinpath(plugin_id).glob("*-before.conf") | list %}
-include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-before.conf
- {% endif %}
- {% endif %}
- {% endfor %}
- {% endfor %}
- {% endwith %}
- {% endif %}
- {% endwith %}
- {% endwith %}
 {% endif %}
 # custom CRS configurations before loading rules (e.g. exclusions)
@@ -167,36 +157,9 @@ include /usr/share/bunkerweb/core/modsecurity/files/coreruleset-v{{ MODSECURITY_
 {%- if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after") %}
 include /etc/bunkerweb/configs/crs-plugins-after/*.conf
 {%- endif %}
- {% for service_id in SERVER_NAME.split(" ") %}
- {% if is_custom_conf("/etc/bunkerweb/configs/crs-plugins-after/" + service_id) %}
-include /etc/bunkerweb/configs/crs-plugins-after/{{ service_id }}/*.conf
- {% endif %}
- {% endfor %}
 {% if is_custom_conf("/etc/nginx/crs-plugins-after") %}
 include /etc/nginx/crs-plugins-after/*.conf
 {% endif %}
- {% for service_id in SERVER_NAME.split(" ") %}
- {% if is_custom_conf("/etc/nginx/" + service_id + "/crs-plugins-after/") %}
-include /etc/nginx/{{ service_id }}/crs-plugins-after/*.conf
- {% endif %}
- {% endfor %}
-
- {% with plugins_path = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs/plugins") %}
- {% with plugins_file = pathlib.Path("/var/cache/bunkerweb/modsecurity/crs-plugins.json") %}
- {% if plugins_path.is_dir() and plugins_file.is_file() %}
-# include downloaded CRS plugins after rules
- {% with service_plugins = json.loads(plugins_file.read_text()) %}
- {% for service_id in SERVER_NAME.split(" ") %}
- {% for plugin_id in service_plugins.get(service_id, []) %}
- {% if plugins_path.joinpath(plugin_id).is_dir() and plugins_path.joinpath(plugin_id).glob("*-after.conf") | list %}
-include /var/cache/bunkerweb/modsecurity/crs/plugins/{{ plugin_id }}/*-after.conf
- {% endif %}
- {% endfor %}
- {% endfor %}
- {% endwith %}
- {% endif %}
- {% endwith %}
- {% endwith %}
 {% endif %}
 # set REASON env var
diff --git a/src/common/core/modsecurity/confs/http/modsecurity.conf b/src/common/core/modsecurity/confs/http/modsecurity.conf
index e59a9bdf9..c62b612c2 100644
--- a/src/common/core/modsecurity/confs/http/modsecurity.conf
+++ b/src/common/core/modsecurity/confs/http/modsecurity.conf
@@ -1,4 +1,4 @@
-{%- if USE_MODSECURITY == "yes" and (USE_MODSECURITY_GLOBAL_CRS == "yes" or MULTISITE == "no") -%}
+{%- if USE_MODSECURITY == "yes" and USE_MODSECURITY_GLOBAL_CRS == "yes" -%}
 modsecurity on;
 modsecurity_rules_file {{ NGINX_PREFIX }}http/modsecurity-rules-global-crs.conf.modsec;
 {%- endif %}
diff --git a/src/common/core/modsecurity/confs/server-http/modsecurity.conf b/src/common/core/modsecurity/confs/server-http/modsecurity.conf
index 674ea26d7..d82e9b523 100644
--- a/src/common/core/modsecurity/confs/server-http/modsecurity.conf
+++ b/src/common/core/modsecurity/confs/server-http/modsecurity.conf
@@ -1,6 +1,6 @@
 {%- if USE_MODSECURITY == "yes" -%}
 modsecurity on;
- {%- if USE_MODSECURITY_GLOBAL_CRS == "yes" or MULTISITE == "no" -%}
+ {%- if USE_MODSECURITY_GLOBAL_CRS == "yes" -%}
 modsecurity_rules_file {{ NGINX_PREFIX }}server-http/modsecurity-rules-global-crs.conf.modsec;
 {%- else -%}
 modsecurity_rules_file {{ NGINX_PREFIX }}server-http/modsecurity-rules.conf.modsec;
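Review bot: Dropping `or MULTISITE == "no"` from the http-level condition means `modsecurity on;` is no longer emitted at http scope for single-site installs unless USE_MODSECURITY_GLOBAL_CRS is "yes", so inspection now rests entirely on each server block rendering its own `modsecurity on;` from server-http/modsecurity.conf; any server block that is rendered without that include (a default or catch-all server, if the deployment has one) would be left uninspected, which is worth a quick check before merging. The same condition change is made in the server-http/modsecurity.conf hunk in this file section and the two now agree, so no second note is needed there. A short comment above the http-level `{%- if` such as `# http-level engine and rules only when the global CRS is enabled; otherwise each server block loads its own rules file` would record the intended split for the next maintainer.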