improve mod_security rules

* handled now by a partial
* possibility to add rules that should be removed
* possibility to add custom mod_sec options"
* use new infrastructure for existing mod_sec tweaks

1 files changed, 16 insertions, 6 deletions

diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb
index 0e0f803..e70b217 100644
--- a/templates/vhosts/partials/mod_security.erb
+++ b/templates/vhosts/partials/mod_security.erb
@@ -1,17 +1,27 @@
   <IfModule mod_security2.c>
-    <%- if mod_security.to_s == 'true' then -%>
+    <% if mod_security.to_s == 'true' then -%>
     SecRuleEngine On
-    <%- if mod_security_relevantonly.to_s == 'true' then -%>
+    <% if mod_security_relevantonly.to_s == 'true' then -%>
     SecAuditEngine RelevantOnly
-    <%- else -%>
+    <% else -%>
     SecAuditEngine On
-    <%- end -%>
-    <%- else -%>
+    <% end -%>
+    <% else -%>
     SecRuleEngine Off
     SecAuditEngine Off
-    <%- end -%>
+    <% end -%>
     SecAuditLogType Concurrent
     SecAuditLogStorageDir <%= logdir %>/
     SecAuditLog <%= logdir %>/mod_security_audit.log
     SecDebugLog <%= logdir %>/mod_security_debug.log
+    <% unless mod_security_rules_to_disable.to_a.empty? -%>
+
+    <% mod_security_rules_to_disable.to_a.each do |rule|
+    SecRuleRemoveById "<%= rule %>"
+    <% end -%>
+    <% end -%>
+    <% unless mod_security_additional_options.to_s == 'absent' -%>
+
+    <%= mod_security_additional_options %>
+    <% end -%>
   </IfModule>