#
# $Id: modsecurity-2.6.8.conf,v 1.1 2012/10/06 13:58:57 raptor Exp $
#
# modsecurity-2.6.8.conf - ModSecurity configuration file
# Copyright (c) 2012 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# ModSecurity is an open source web application firewall. Working embedded in 
# the web server, or standalone as a network appliance, it detects and prevents 
# attacks against web applications.
#
# This sample configuration file has been tested on Red Hat Enterprise and SUSE 
# Linux with ModSecurity v2.6.8 and Core Ruleset v2.2.5. Modify it to fit your
# needs.
#
# See also http://www.modsecurity.org/documentation/.
# 

########## Base Configuration ##########

# Rule engine
#SecRuleEngine DetectionOnly
SecRuleEngine On

# Request body
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
#SecRequestBodyLimit 131072
SecRequestBodyLimit 213909504
#SecRequestBodyNoFilesLimit 131072
SecRequestBodyNoFilesLimit 1048576
#SecRequestBodyInMemoryLimit 131072
SecRequestBodyInMemoryLimit 262144
#SecRequestBodyLimitAction Reject
SecRequestBodyLimitAction ProcessPartial
SecRule REQBODY_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE tuning
#SecPcreMatchLimit 3500
SecPcreMatchLimit 50000
#SecPcreMatchLimitRecursion 3500
SecPcreMatchLimitRecursion 10000
SecRule TX:/^MSC_/ "!@streq 0" \
        "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# Response body
SecResponseBodyAccess On
#SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyMimeType text/plain text/html text/xml
#SecResponseBodyLimit 524288
SecResponseBodyLimit 1048576
SecResponseBodyLimitAction ProcessPartial

# Filesystem
SecTmpDir /srv/www/modsec
SecDataDir /srv/www/modsec
SecUploadDir /srv/www/modsec
SecUploadFileLimit 10
#SecUploadKeepFiles RelevantOnly
SecUploadKeepFiles Off

# Debug log
#SecDebugLog /var/log/apache2/modsec_debug.log
#SecDebugLogLevel 0

# Audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
#SecAuditLogParts ABIFHZ
#SecAuditLogParts ABIJDEFHZ
SecAuditLogParts ABIDEFGHZ
#SecAuditLogType Serial
SecAuditLogType Concurrent
SecAuditLog "|/usr/bin/mlogc /etc/mlogc.conf"
SecAuditLog2 /var/log/apache2/modsec_audit.log
SecAuditLogStorageDir /srv/www/modsec/audit

# Misc
SecArgumentSeparator &
SecCookieFormat 0

########## Ruleset Configuration ##########

# Core ruleset
Include /etc/httpd/rules/modsecurity_crs_10_setup.conf
Include /etc/httpd/rules/base_rules/*.conf
#Include /etc/httpd/rules/optional_rules/*.conf
#Include /etc/httpd/rules/experimental_rules/*.conf
#Include /etc/httpd/rules/slr_rules/*.conf

# Core Ruleset v2.2.5 configuration for Collaborative Detection Blocking
# diff modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
# 66c66,67
# < SecDefaultAction "phase:2,deny,log"
# ---
# > #SecDefaultAction "phase:2,deny,log"
# > SecDefaultAction "phase:2,pass,log"
# 146c147
# < #SecAction \
# ---
# > SecAction \

########## Global Exceptions ##########

# 21_protocol_anomalies
# Request Missing a Host Header
SecRuleRemoveById 960008
# Request Missing a User Agent Header
SecRuleRemoveById 960009
# Request Missing an Accept Header
SecRuleRemoveById 960015
# Host header is a numeric IP address
SecRuleRemoveById 960017

# 30_http_policy
# Request content type is not allowed by policy
SecRuleRemoveById 960010
# HTTP header is restricted by policy
SecRuleRemoveById 960038

# 35_bad_robots
# Rogue web site crawler
SecRuleRemoveById 990012

########## Application Exceptions ##########

# Admin
<Directory ~ "^/srv/www/vhosts/.*/admin">
SecRuleEngine Off
</Directory>

# WordPress Admin
<Directory ~ "^/srv/www/vhosts/.*/wp-admin">
SecRuleEngine Off
</Directory>

########## Virtual Hosts Exceptions ##########

<Directory "/srv/www/vhosts/webmail.fnord.bob/">
SecRuleEngine Off
</Directory>

<Directory "/srv/www/vhosts/keys.fnord.bob/">
# URL file extension is restricted by policy
SecRuleRemoveById 960035
</Directory>

########## Tests ##########