authormh <mh@immerda.ch>2011-05-17 22:52:47 +0200
committermh <mh@immerda.ch>2011-05-17 22:55:50 +0200
commitcbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 (patch)
treeed24e2d85aa47f9e70ecfcc45bf20c7a2495da93 /manifests
parent9081a3c7c3b9f956d0491712bae3ed5e94529e82 (diff)
improve mod_security rules
* handled now by a partial * possibility to add rules that should be removed * possibility to add custom mod_sec options * use new infrastructure for existing mod_sec tweaks
Diffstat (limited to 'manifests')
-rw-r--r--manifests/vhost.pp5
-rw-r--r--manifests/vhost/file.pp15
-rw-r--r--manifests/vhost/modperl.pp4
-rw-r--r--manifests/vhost/passenger.pp4
-rw-r--r--manifests/vhost/php/drupal.pp4
-rw-r--r--manifests/vhost/php/gallery2.pp4
-rw-r--r--manifests/vhost/php/joomla.pp22
-rw-r--r--manifests/vhost/php/mediawiki.pp4
-rw-r--r--manifests/vhost/php/silverstripe.pp9
-rw-r--r--manifests/vhost/php/simplemachine.pp4
-rw-r--r--manifests/vhost/php/spip.pp4
-rw-r--r--manifests/vhost/php/standard.pp4
-rw-r--r--manifests/vhost/php/typo3.pp16
-rw-r--r--manifests/vhost/php/webapp.pp4
-rw-r--r--manifests/vhost/php/wordpress.pp8
-rw-r--r--manifests/vhost/proxy.pp6
-rw-r--r--manifests/vhost/static.pp6
-rw-r--r--manifests/vhost/template.pp2
-rw-r--r--manifests/vhost/webdav.pp5
19 files changed, 121 insertions, 9 deletions
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 089eb62..af067d1 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -70,6 +70,8 @@ define apache::vhost(
$htpasswd_path = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$use_mod_macro = false,
$ldap_auth = false,
$ldap_user = 'any'
@@ -123,6 +125,9 @@ define apache::vhost(
ldap_auth => $ldap_auth,
ldap_user => $ldap_user,
mod_security => $mod_security,
+ mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
use_mod_macro => $use_mod_macro,
}
}
diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp
index bbd2f8c..6c750c1 100644
--- a/manifests/vhost/file.pp
+++ b/manifests/vhost/file.pp
@@ -70,22 +70,27 @@ define apache::vhost::file(
notify => Service[apache],
owner => root, group => 0, mode => 0644;
}
- if $do_includes {
+ if $ensure != 'absent' {
+ if $do_includes {
include ::apache::includes
- }
- if $use_mod_macro {
+ }
+ if $use_mod_macro {
include ::apache::mod_macro
- }
- if $ensure != 'absent' {
+ }
case $logmode {
'semianonym','anonym': { include apache::noiplog }
}
case $run_mode {
'itk': {
include ::apache::itk::lock
+ if $mod_security { include mod_security::itk }
}
'proxy-itk','static-itk': {
include ::apache::itk_plus::lock
+ if $mod_security { include mod_security::itk_plus }
+ }
+ default: {
+ if $mod_security { include mod_security }
}
}
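Review bot: The new mod_security includes at L84, L88 and L91 are written relative (`include mod_security`, `include mod_security::itk`, `include mod_security::itk_plus`) while every other include in this block is anchored (`::apache::includes`, `::apache::mod_macro`, `::apache::itk::lock`); under Puppet's relative name lookup an `apache::mod_security` or `apache::vhost::mod_security` class, should one ever exist, would shadow the intended top-level module. Write them as `include ::mod_security`, `include ::mod_security::itk` and `include ::mod_security::itk_plus` to match the surrounding style and pin the resolution. It is also not visible here whether `mod_security::itk` and `mod_security::itk_plus` pull in the base `mod_security` class themselves, so a one-line comment on the `case $run_mode` stating that assumption would help the next reader. The enclosing define apache::vhost::file starts before this hunk.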
diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp
index 459f424..70a10ea 100644
--- a/manifests/vhost/modperl.pp
+++ b/manifests/vhost/modperl.pp
@@ -48,6 +48,8 @@ define apache::vhost::modperl(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -123,6 +125,8 @@ define apache::vhost::modperl(
htpasswd_path => $htpasswd_path,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
}
}
diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp
index 919f6c9..d09c882 100644
--- a/manifests/vhost/passenger.pp
+++ b/manifests/vhost/passenger.pp
@@ -36,6 +36,8 @@ define apache::vhost::passenger(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -128,6 +130,8 @@ define apache::vhost::passenger(
htpasswd_path => $htpasswd_path,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
}
}
diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp
index 06601f8..adf1b9e 100644
--- a/manifests/vhost/php/drupal.pp
+++ b/manifests/vhost/php/drupal.pp
@@ -57,6 +57,8 @@ define apache::vhost::php::drupal(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -117,6 +119,8 @@ define apache::vhost::php::drupal(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp
index a43e627..cb4d77d 100644
--- a/manifests/vhost/php/gallery2.pp
+++ b/manifests/vhost/php/gallery2.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::gallery2(
$default_charset = 'absent',
$mod_security = false,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -142,6 +144,8 @@ define apache::vhost::php::gallery2(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp
index 96e3ab1..3767c50 100644
--- a/manifests/vhost/php/joomla.pp
+++ b/manifests/vhost/php/joomla.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::joomla(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -75,6 +77,24 @@ define apache::vhost::php::joomla(
},
default => "${path}/www"
}
+
+ if $mod_security_additional_options == 'absent' {
+ $real_mod_security_additional_options = '# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html
+ # Exceptions for Joomla Root Directory
+ <LocationMatch "^/">
+ SecRuleRemoveById 950013
+ </LocationMatch>
+
+ # Exceptions for Joomla Administration Panel
+ SecRule REQUEST_FILENAME "/administrator/index2.php" \
+ "allow,phase:1,nolog,ctl:ruleEngine=Off"
+
+ # Exceptions for Joomla Component Expose
+ <LocationMatch "^/components/com_expose/expose/manager/amfphp/gateway.php">
+ SecRuleRemoveById 960010
+ </LocationMatch>
+'
+ } else { $real_mod_security_additional_options = $mod_security_additional_options }
# create vhost configuration file
::apache::vhost::php::webapp{$name:
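Review bot: The administrator exemption at L206-L207 matches REQUEST_FILENAME with an unanchored regex (`"/administrator/index2.php"`, dot unescaped), so any request whose path merely contains that substring — a PATH_INFO-style `/index.php/administrator/index2.php`, for instance — gets `ctl:ruleEngine=Off` plus `nolog`, i.e. a silent whole-transaction ModSecurity bypass that is not confined to the admin script. Anchor it and drop the regex, `SecRule REQUEST_FILENAME "@streq /administrator/index2.php" "allow,phase:1,ctl:ruleEngine=Off"` (or `"^/administrator/index2\.php$"`), and consider leaving `nolog` out so bypassed requests remain visible in the audit log. The `<LocationMatch "^/">` wrapper at L201-L203 matches every path and can be a bare `SecRuleRemoveById 950013`. A caller-supplied `mod_security_additional_options` replaces this whole default rather than extending it, which is worth a comment on the parameter.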
@@ -104,6 +124,8 @@ define apache::vhost::php::joomla(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $real_mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp
index fe2cbc0..76faceb 100644
--- a/manifests/vhost/php/mediawiki.pp
+++ b/manifests/vhost/php/mediawiki.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::mediawiki(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -90,6 +92,8 @@ define apache::vhost::php::mediawiki(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp
index cf67d16..06ee1c4 100644
--- a/manifests/vhost/php/silverstripe.pp
+++ b/manifests/vhost/php/silverstripe.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::silverstripe(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -73,6 +75,8 @@ define apache::vhost::php::silverstripe(
},
default => "${path}/www"
}
+ $modsec_rules = ["960010"]
+ $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)
# create vhost configuration file
::apache::vhost::php::webapp{$name:
@@ -102,6 +106,8 @@ define apache::vhost::php::silverstripe(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
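Review bot: L273 still passes the caller's `$mod_security_rules_to_disable`, so the `$real_mod_security_rules_to_disable` array built with `array_union` in the earlier hunk of this file is never used and rule 960010 is not actually removed for SilverStripe; typo3.pp and wordpress.pp in this same commit pass the `$real_` variable. Change the line to `mod_security_rules_to_disable => $real_mod_security_rules_to_disable,`. The webapp resource declaration starts before and continues past this hunk.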
@@ -109,8 +115,7 @@ define apache::vhost::php::silverstripe(
htpasswd_file => $htpasswd_file,
htpasswd_path => $htpasswd_path,
manage_directories => $manage_directories,
- managed_directories => [ "$documentroot/assets"
- ],
+ managed_directories => [ "$documentroot/assets" ],
manage_config => $manage_config,
}
diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp
index 0983f17..8632763 100644
--- a/manifests/vhost/php/simplemachine.pp
+++ b/manifests/vhost/php/simplemachine.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::simplemachine(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -102,6 +104,8 @@ define apache::vhost::php::simplemachine(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp
index 290082f..4fe9f9a 100644
--- a/manifests/vhost/php/spip.pp
+++ b/manifests/vhost/php/spip.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::spip(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -99,6 +101,8 @@ define apache::vhost::php::spip(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options=> $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
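Review bot: L327 is the only pass-through in this commit written without a space before the arrow (`mod_security_additional_options=> $mod_security_additional_options,`); it parses, but it breaks the column alignment the rest of the resource uses and is the kind of thing that hides in a later diff. Write it as `mod_security_additional_options => $mod_security_additional_options,`. The resource declaration continues past the end of this hunk.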
diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp
index 9f988d1..143e006 100644
--- a/manifests/vhost/php/standard.pp
+++ b/manifests/vhost/php/standard.pp
@@ -67,6 +67,8 @@ define apache::vhost::php::standard(
$use_mod_macro = false,
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -189,6 +191,8 @@ define apache::vhost::php::standard(
htpasswd_path => $htpasswd_path,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
use_mod_macro => $use_mod_macro,
}
}
diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp
index 40c171f..9d404a4 100644
--- a/manifests/vhost/php/typo3.pp
+++ b/manifests/vhost/php/typo3.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::typo3(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -73,6 +75,18 @@ define apache::vhost::php::typo3(
},
default => "${path}/www"
}
+
+ $modsec_rules = ["960010"]
+ $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)
+ if $mod_security_additional_options == 'absent' {
+ $real_mod_security_additional_options = '<Location "/typo3">
+ SecRuleEngine Off
+ SecAuditEngine Off
+ </Location>
+'
+ } else {
+ $real_mod_security_additional_options = $mod_security_additional_options
+ }
# create vhost configuration file
::apache::vhost::php::webapp{$name:
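Review bot: The default at L374-L377 sets both `SecRuleEngine Off` and `SecAuditEngine Off` for `/typo3`, which is the TYPO3 backend, so the administrative interface ends up with neither enforcement nor logging and an attack on the most privileged part of the site is invisible to ModSecurity. If the backend genuinely trips too many rules, prefer `SecRuleEngine DetectionOnly` and drop the `SecAuditEngine Off` line so the global audit setting still applies, or remove only the offending rule IDs the way 960010 is handled at L371. Add a comment explaining why the exemption exists, since a later maintainer will otherwise read it as the intended security posture. As in joomla.pp, a caller-supplied `mod_security_additional_options` replaces this default rather than extending it, which deserves a note on the parameter.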
@@ -102,6 +116,8 @@ define apache::vhost::php::typo3(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $real_mod_security_rules_to_disable,
+ mod_security_additional_options => $real_mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp
index 9716dfb..bd72eb1 100644
--- a/manifests/vhost/php/webapp.pp
+++ b/manifests/vhost/php/webapp.pp
@@ -59,6 +59,8 @@ define apache::vhost::php::webapp(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -130,6 +132,8 @@ define apache::vhost::php::webapp(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp
index 461a2d7..b8ea359 100644
--- a/manifests/vhost/php/wordpress.pp
+++ b/manifests/vhost/php/wordpress.pp
@@ -56,6 +56,8 @@ define apache::vhost::php::wordpress(
$default_charset = 'absent',
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -74,9 +76,11 @@ define apache::vhost::php::wordpress(
},
default => "${path}/www"
}
+ $modsec_rules = ["960010", "950018"]
+ $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules)
# create vhost configuration file
- ::apache::vhost::php::webapp{$name:
+ apache::vhost::php::webapp{$name:
ensure => $ensure,
domain => $domain,
domainalias => $domainalias,
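Review bot: L436 drops the leading `::` from `apache::vhost::php::webapp`, making it the only resource reference in this commit written relatively (joomla.pp, silverstripe.pp and typo3.pp keep `::apache::vhost::php::webapp`); if that was not deliberate, restore `::apache::vhost::php::webapp{$name:` so every vhost type resolves the define the same way. The two rule IDs in `$modsec_rules` at L432 are also bare numbers; a trailing comment naming what each rule checks and which WordPress request trips it would make it possible to re-enable them when the rule set changes. The resource declaration continues past the end of this hunk.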
@@ -103,6 +107,8 @@ define apache::vhost::php::wordpress(
default_charset => $default_charset,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $real_mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
ssl_mode => $ssl_mode,
vhost_mode => $vhost_mode,
vhost_source => $vhost_source,
diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp
index 6cfdd16..dfc6a0b 100644
--- a/manifests/vhost/proxy.pp
+++ b/manifests/vhost/proxy.pp
@@ -29,6 +29,9 @@ define apache::vhost::proxy(
$logmode = 'default',
$mod_security = false,
$ssl_mode = false,
+ $mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$additional_options = 'absent'
){
# create vhost configuration file
@@ -49,6 +52,9 @@ define apache::vhost::proxy(
allow_override => $allow_override,
run_mode => 'normal',
mod_security => $mod_security,
+ mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
options => $target_url,
ssl_mode => $ssl_mode,
additional_options => $additional_options,
diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp
index ab96141..76e2bee 100644
--- a/manifests/vhost/static.pp
+++ b/manifests/vhost/static.pp
@@ -37,7 +37,9 @@ define apache::vhost::static(
$htpasswd_file = 'absent',
$htpasswd_path = 'absent',
$mod_security = false,
- $mod_security_relevantonly = true
+ $mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent'
){
# create webdir
::apache::vhost::webdir{$name:
@@ -73,6 +75,8 @@ define apache::vhost::static(
htpasswd_path => $htpasswd_path,
mod_security => $mod_security,
mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
}
}
diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp
index 303de0e..3fe78c9 100644
--- a/manifests/vhost/template.pp
+++ b/manifests/vhost/template.pp
@@ -79,6 +79,8 @@ define apache::vhost::template(
$ssl_mode = false,
$mod_security = true,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$use_mod_macro = false,
$htpasswd_file = 'absent',
$htpasswd_path = 'absent',
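Review bot: The two new parameters at L504-L505 arrive in apache::vhost::template without documentation, and per the commit message `mod_security_additional_options` is written into the vhost configuration by a partial, which makes it a raw Apache/ModSecurity directive injection point by design; a comment above them saying so would tell callers what they are handing over. For example `# mod_security_rules_to_disable: array of SecRule IDs to remove for this vhost` and `# mod_security_additional_options: raw directives inserted verbatim into the mod_security partial; not validated`. The partial that consumes them is not part of this diff, so how the values are emitted cannot be reviewed here, and the define's parameter list continues outside the hunk.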
diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp
index b4775d5..94b177c 100644
--- a/manifests/vhost/webdav.pp
+++ b/manifests/vhost/webdav.pp
@@ -46,6 +46,8 @@ define apache::vhost::webdav(
$default_charset = 'absent',
$mod_security = false,
$mod_security_relevantonly = true,
+ $mod_security_rules_to_disable = [],
+ $mod_security_additional_options = 'absent',
$ssl_mode = false,
$vhost_mode = 'template',
$vhost_source = 'absent',
@@ -113,6 +115,9 @@ define apache::vhost::webdav(
ldap_auth => $ldap_auth,
ldap_user => $ldap_user,
mod_security => $mod_security,
+ mod_security_relevantonly => $mod_security_relevantonly,
+ mod_security_rules_to_disable => $mod_security_rules_to_disable,
+ mod_security_additional_options => $mod_security_additional_options,
}
}