authormh <mh@immerda.ch>2011-05-17 22:52:47 +0200
committermh <mh@immerda.ch>2011-05-17 22:55:50 +0200
commitcbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 (patch)
treeed24e2d85aa47f9e70ecfcc45bf20c7a2495da93 /manifests/vhost/php
parent9081a3c7c3b9f956d0491712bae3ed5e94529e82 (diff)
improve mod_security rules
* handled now by a partial
* possibility to add rules that should be removed
* possibility to add custom mod_sec options
* use new infrastructure for existing mod_sec tweaks
Diffstat (limited to 'manifests/vhost/php')
-rw-r--r--manifests/vhost/php/drupal.pp4
-rw-r--r--manifests/vhost/php/gallery2.pp4
-rw-r--r--manifests/vhost/php/joomla.pp22
-rw-r--r--manifests/vhost/php/mediawiki.pp4
-rw-r--r--manifests/vhost/php/silverstripe.pp9
-rw-r--r--manifests/vhost/php/simplemachine.pp4
-rw-r--r--manifests/vhost/php/spip.pp4
-rw-r--r--manifests/vhost/php/standard.pp4
-rw-r--r--manifests/vhost/php/typo3.pp16
-rw-r--r--manifests/vhost/php/webapp.pp4
-rw-r--r--manifests/vhost/php/wordpress.pp8
11 files changed, 80 insertions, 3 deletions
diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp
index 06601f8..adf1b9e 100644
--- a/manifests/vhost/php/drupal.pp
+++ b/manifests/vhost/php/drupal.pp
@@ -57,6 +57,8 @@ define apache::vhost::php::drupal(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -117,6 +119,8 @@ define apache::vhost::php::drupal(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp
index a43e627..cb4d77d 100644
--- a/manifests/vhost/php/gallery2.pp
+++ b/manifests/vhost/php/gallery2.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::gallery2(
$default_charset = 'absent',
$mod_security = false,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -142,6 +144,8 @@ define apache::vhost::php::gallery2(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp
index 96e3ab1..3767c50 100644
--- a/manifests/vhost/php/joomla.pp
+++ b/manifests/vhost/php/joomla.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::joomla(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -75,6 +77,24 @@ define apache::vhost::php::joomla(
},
default => "${path}/www"
}
+
+ if $mod_security_additional_options == 'absent' {
+ $real_mod_security_additional_options = '# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html
+ # Exceptions for Joomla Root Directory
+ <LocationMatch "^/">
+ SecRuleRemoveById 950013
+ </LocationMatch>
+
+ # Exceptions for Joomla Administration Panel
+ SecRule REQUEST_FILENAME "/administrator/index2.php" \
+ "allow,phase:1,nolog,ctl:ruleEngine=Off"
+
+ # Exceptions for Joomla Component Expose
+ <LocationMatch "^/components/com_expose/expose/manager/amfphp/gateway.php">
+ SecRuleRemoveById 960010
+ </LocationMatch>
+'
+ } else { $real_mod_security_additional_options = $mod_security_additional_options }
# create vhost configuration file
::apache::vhost::php::webapp{$name:
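Review bot: The default exception for the Joomla administration panel matches more than the one script it names: `SecRule REQUEST_FILENAME "/administrator/index2.php"` is an unanchored regular expression with an unescaped dot, and its actions `allow,phase:1,nolog,ctl:ruleEngine=Off` switch the engine off for every matching request without a log entry. Anchoring it as `SecRule REQUEST_FILENAME "^/administrator/index2\.php$" \` and dropping `nolog` would confine the exception to that script and keep it visible; removing only the rule ids that misfire there with `ctl:ruleRemoveById` would be narrower still. The first block also removes rule 950013 for the whole site through `<LocationMatch "^/">`, which deserves a comment saying which request trips it. Any caller-supplied `mod_security_additional_options` replaces these Joomla defaults instead of adding to them, which should be documented on the parameter; the webapp resource this feeds continues outside the hunk.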
@@ -104,6 +124,8 @@ define apache::vhost::php::joomla(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $real_mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp
index fe2cbc0..76faceb 100644
--- a/manifests/vhost/php/mediawiki.pp
+++ b/manifests/vhost/php/mediawiki.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::mediawiki(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -90,6 +92,8 @@ define apache::vhost::php::mediawiki(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp
index cf67d16..06ee1c4 100644
--- a/manifests/vhost/php/silverstripe.pp
+++ b/manifests/vhost/php/silverstripe.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::silverstripe(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -73,6 +75,8 @@ define apache::vhost::php::silverstripe(
},
default => "${path}/www"
}
+ $modsec_rules = ["960010"]
+ $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)
# create vhost configuration file
::apache::vhost::php::webapp{$name:
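Review bot: `$modsec_rules = ["960010"]` disables a rule for every SilverStripe vhost without a comment saying what the rule checks or which request trips it; the same holds for the list in typo3.pp and for `["960010", "950018"]` in wordpress.pp. I would add a line such as `# 960010: <what the rule checks> - false positive on <application feature>` above each list, so the exclusions can be re-examined when the rule set is upgraded. A shorter local name than `$modsec_rules`, for example `$default_rules_to_disable`, would also say what the list is for.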
@@ -102,6 +106,8 @@ define apache::vhost::php::silverstripe(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
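Review bot: The merged list is never used in this file: the resource is given `$mod_security_rules_to_disable`, so the 960010 exclusion computed into `$real_mod_security_rules_to_disable` earlier in silverstripe.pp has no effect on SilverStripe vhosts. typo3.pp and wordpress.pp pass the merged variable, so this line should read `mod_security_rules_to_disable => $real_mod_security_rules_to_disable,`. The resource declaration starts and ends outside the hunk.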
@@ -109,8 +115,7 @@ define apache::vhost::php::silverstripe(
htpasswd_file => $htpasswd_file,
htpasswd_path => $htpasswd_path,
manage_directories => $manage_directories,
- managed_directories => [ "$documentroot/assets"
- ],
+ managed_directories => [ "$documentroot/assets" ],
manage_config => $manage_config,
}
diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp
index 0983f17..8632763 100644
--- a/manifests/vhost/php/simplemachine.pp
+++ b/manifests/vhost/php/simplemachine.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::simplemachine(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -102,6 +104,8 @@ define apache::vhost::php::simplemachine(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp
index 290082f..4fe9f9a 100644
--- a/manifests/vhost/php/spip.pp
+++ b/manifests/vhost/php/spip.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::spip(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -99,6 +101,8 @@ define apache::vhost::php::spip(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options=> $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp
index 9f988d1..143e006 100644
--- a/manifests/vhost/php/standard.pp
+++ b/manifests/vhost/php/standard.pp
@@ -67,6 +67,8 @@ define apache::vhost::php::standard(
$use_mod_macro = false,
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -189,6 +191,8 @@ define apache::vhost::php::standard(
htpasswd_path => $htpasswd_path,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
use_mod_macro => $use_mod_macro,
}
}
diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp
index 40c171f..9d404a4 100644
--- a/manifests/vhost/php/typo3.pp
+++ b/manifests/vhost/php/typo3.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::typo3(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -73,6 +75,18 @@ define apache::vhost::php::typo3(
},
default => "${path}/www"
}
+
+ $modsec_rules = ["960010"]
+ $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)
+ if $mod_security_additional_options == 'absent' {
+ $real_mod_security_additional_options = '<Location "/typo3">
+ SecRuleEngine Off
+ SecAuditEngine Off
+ </Location>
+'
+ } else {
+ $real_mod_security_additional_options = $mod_security_additional_options
+ }
# create vhost configuration file
::apache::vhost::php::webapp{$name:
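Review bot: The default block for `/typo3` switches off audit logging as well as rule enforcement, so the TYPO3 backend, which is the administrative interface, ends up both unfiltered and unrecorded. If the rules only produce false positives there, `SecRuleEngine DetectionOnly` with the audit engine left at the vhost's setting would stop the blocking while keeping a trail; failing that, a comment should name the rules that misfire. As in joomla.pp, a caller-supplied `mod_security_additional_options` replaces this default entirely, and that should be stated where the parameter is documented. The resource declaration continues outside the hunk.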
@@ -102,6 +116,8 @@ define apache::vhost::php::typo3(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $real_mod_security_rules_to_disable,
+ mod_security_additional_options => $real_mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp
index 9716dfb..bd72eb1 100644
--- a/manifests/vhost/php/webapp.pp
+++ b/manifests/vhost/php/webapp.pp
@@ -59,6 +59,8 @@ define apache::vhost::php::webapp(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
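Review bot: The two new parameters are added to the base define without any documentation of their contract. Each needs a short comment: `$mod_security_rules_to_disable` is an array of rule ids as strings, and `$mod_security_additional_options` uses `'absent'` as its "nothing to add" sentinel. Judging from the commit message ("handled now by a partial"), the second value presumably ends up verbatim in the generated vhost configuration, although the template is not part of this diff. If so, the comment should say that it is raw Apache configuration and must only come from trusted manifest data, never from per-customer input. The parameter list continues outside the hunk.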
@@ -130,6 +132,8 @@ define apache::vhost::php::webapp(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp
index 461a2d7..b8ea359 100644
--- a/manifests/vhost/php/wordpress.pp
+++ b/manifests/vhost/php/wordpress.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::wordpress(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -74,9 +76,11 @@ define apache::vhost::php::wordpress(
},
default => "${path}/www"
}
+ $modsec_rules = ["960010", "950018"]
+ $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)
# create vhost configuration file
- ::apache::vhost::php::webapp{$name:
+ apache::vhost::php::webapp{$name:
ensure => $ensure,
domain => $domain,
domainalias => $domainalias,
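Review bot: The resource reference loses its leading `::` in this hunk (`apache::vhost::php::webapp{$name:`) while every other manifest touched by the commit keeps `::apache::vhost::php::webapp{$name:`. Unless the change is deliberate, keep the top-scope form so the name cannot be resolved relative to the current namespace and the wrappers stay uniform. The resource body continues outside the hunk.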
@@ -103,6 +107,8 @@ define apache::vhost::php::wordpress(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $real_mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,