diff options
35 files changed, 193 insertions, 970 deletions
diff --git a/manifests/vhost.pp b/manifests/vhost.pp index 089eb62..af067d1 100644 --- a/manifests/vhost.pp +++ b/manifests/vhost.pp @@ -70,6 +70,8 @@ define apache::vhost( $htpasswd_path = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $use_mod_macro = false, $ldap_auth = false, $ldap_user = 'any' @@ -123,6 +125,9 @@ define apache::vhost( ldap_auth => $ldap_auth, ldap_user => $ldap_user, mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, use_mod_macro => $use_mod_macro, } } diff --git a/manifests/vhost/file.pp b/manifests/vhost/file.pp index bbd2f8c..6c750c1 100644 --- a/manifests/vhost/file.pp +++ b/manifests/vhost/file.pp @@ -70,22 +70,27 @@ define apache::vhost::file( notify => Service[apache], owner => root, group => 0, mode => 0644; } - if $do_includes { + if $ensure != 'absent' { + if $do_includes { include ::apache::includes - } - if $use_mod_macro { + } + if $use_mod_macro { include ::apache::mod_macro - } - if $ensure != 'absent' { + } case $logmode { 'semianonym','anonym': { include apache::noiplog } } case $run_mode { 'itk': { include ::apache::itk::lock + if $mod_security { include mod_security::itk } } 'proxy-itk','static-itk': { include ::apache::itk_plus::lock + if $mod_security { include mod_security::itk_plus } + } + default: { + if $mod_security { include mod_security } } } diff --git a/manifests/vhost/modperl.pp b/manifests/vhost/modperl.pp index 459f424..70a10ea 100644 --- a/manifests/vhost/modperl.pp +++ b/manifests/vhost/modperl.pp @@ -48,6 +48,8 @@ define apache::vhost::modperl( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -123,6 +125,8 @@ define apache::vhost::modperl( htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/passenger.pp b/manifests/vhost/passenger.pp index 919f6c9..d09c882 100644 --- a/manifests/vhost/passenger.pp +++ b/manifests/vhost/passenger.pp @@ -36,6 +36,8 @@ define apache::vhost::passenger( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -128,6 +130,8 @@ define apache::vhost::passenger( htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/php/drupal.pp b/manifests/vhost/php/drupal.pp index 06601f8..adf1b9e 100644 --- a/manifests/vhost/php/drupal.pp +++ b/manifests/vhost/php/drupal.pp @@ -57,6 +57,8 @@ define apache::vhost::php::drupal( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -117,6 +119,8 @@ define apache::vhost::php::drupal( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/gallery2.pp b/manifests/vhost/php/gallery2.pp index a43e627..cb4d77d 100644 --- a/manifests/vhost/php/gallery2.pp +++ b/manifests/vhost/php/gallery2.pp @@ -56,6 +56,8 @@ define apache::vhost::php::gallery2( $default_charset = 'absent', $mod_security = false, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -142,6 +144,8 @@ define apache::vhost::php::gallery2( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/joomla.pp b/manifests/vhost/php/joomla.pp index 96e3ab1..3767c50 100644 --- a/manifests/vhost/php/joomla.pp +++ b/manifests/vhost/php/joomla.pp @@ -56,6 +56,8 @@ define apache::vhost::php::joomla( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -75,6 +77,24 @@ define apache::vhost::php::joomla( }, default => "${path}/www" } + + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = '# http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html + # Exceptions for Joomla Root Directory + <LocationMatch "^/"> + SecRuleRemoveById 950013 + </LocationMatch> + + # Exceptions for Joomla Administration Panel + SecRule REQUEST_FILENAME "/administrator/index2.php" \ + "allow,phase:1,nolog,ctl:ruleEngine=Off" + + # Exceptions for Joomla Component Expose + <LocationMatch "^/components/com_expose/expose/manager/amfphp/gateway.php"> + SecRuleRemoveById 960010 + </LocationMatch> +' + } else { $real_mod_security_additional_options = $mod_security_additional_options } # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -104,6 +124,8 @@ define apache::vhost::php::joomla( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/mediawiki.pp b/manifests/vhost/php/mediawiki.pp index fe2cbc0..76faceb 100644 --- a/manifests/vhost/php/mediawiki.pp +++ b/manifests/vhost/php/mediawiki.pp @@ -56,6 +56,8 @@ define apache::vhost::php::mediawiki( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -90,6 +92,8 @@ define apache::vhost::php::mediawiki( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/silverstripe.pp b/manifests/vhost/php/silverstripe.pp index cf67d16..06ee1c4 100644 --- a/manifests/vhost/php/silverstripe.pp +++ b/manifests/vhost/php/silverstripe.pp @@ -56,6 +56,8 @@ define apache::vhost::php::silverstripe( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -73,6 +75,8 @@ define apache::vhost::php::silverstripe( }, default => "${path}/www" } + $modsec_rules = ["960010"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -102,6 +106,8 @@ define apache::vhost::php::silverstripe( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, @@ -109,8 +115,7 @@ define apache::vhost::php::silverstripe( htpasswd_file => $htpasswd_file, htpasswd_path => $htpasswd_path, manage_directories => $manage_directories, - managed_directories => [ "$documentroot/assets" - ], + managed_directories => [ "$documentroot/assets" ], manage_config => $manage_config, } diff --git a/manifests/vhost/php/simplemachine.pp b/manifests/vhost/php/simplemachine.pp index 0983f17..8632763 100644 --- a/manifests/vhost/php/simplemachine.pp +++ b/manifests/vhost/php/simplemachine.pp @@ -56,6 +56,8 @@ define apache::vhost::php::simplemachine( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -102,6 +104,8 @@ define apache::vhost::php::simplemachine( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/spip.pp b/manifests/vhost/php/spip.pp index 290082f..4fe9f9a 100644 --- a/manifests/vhost/php/spip.pp +++ b/manifests/vhost/php/spip.pp @@ -56,6 +56,8 @@ define apache::vhost::php::spip( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -99,6 +101,8 @@ define apache::vhost::php::spip( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options=> $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/standard.pp b/manifests/vhost/php/standard.pp index 9f988d1..143e006 100644 --- a/manifests/vhost/php/standard.pp +++ b/manifests/vhost/php/standard.pp @@ -67,6 +67,8 @@ define apache::vhost::php::standard( $use_mod_macro = false, $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -189,6 +191,8 @@ define apache::vhost::php::standard( htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, use_mod_macro => $use_mod_macro, } } diff --git a/manifests/vhost/php/typo3.pp b/manifests/vhost/php/typo3.pp index 40c171f..9d404a4 100644 --- a/manifests/vhost/php/typo3.pp +++ b/manifests/vhost/php/typo3.pp @@ -56,6 +56,8 @@ define apache::vhost::php::typo3( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -73,6 +75,18 @@ define apache::vhost::php::typo3( }, default => "${path}/www" } + + $modsec_rules = ["960010"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) + if $mod_security_additional_options == 'absent' { + $real_mod_security_additional_options = '<Location "/typo3"> + SecRuleEngine Off + SecAuditEngine Off + </Location> +' + } else { + $real_mod_security_additional_options = $mod_security_additional_options + } # create vhost configuration file ::apache::vhost::php::webapp{$name: @@ -102,6 +116,8 @@ define apache::vhost::php::typo3( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $real_mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/webapp.pp b/manifests/vhost/php/webapp.pp index 9716dfb..bd72eb1 100644 --- a/manifests/vhost/php/webapp.pp +++ b/manifests/vhost/php/webapp.pp @@ -59,6 +59,8 @@ define apache::vhost::php::webapp( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -130,6 +132,8 @@ define apache::vhost::php::webapp( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/php/wordpress.pp b/manifests/vhost/php/wordpress.pp index 461a2d7..b8ea359 100644 --- a/manifests/vhost/php/wordpress.pp +++ b/manifests/vhost/php/wordpress.pp @@ -56,6 +56,8 @@ define apache::vhost::php::wordpress( $default_charset = 'absent', $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -74,9 +76,11 @@ define apache::vhost::php::wordpress( }, default => "${path}/www" } + $modsec_rules = ["960010", "950018"] + $real_mod_security_rules_to_disable = array_union($mod_security_rules_to_disable,$modsec_rules) # create vhost configuration file - ::apache::vhost::php::webapp{$name: + apache::vhost::php::webapp{$name: ensure => $ensure, domain => $domain, domainalias => $domainalias, @@ -103,6 +107,8 @@ define apache::vhost::php::wordpress( default_charset => $default_charset, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $real_mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, ssl_mode => $ssl_mode, vhost_mode => $vhost_mode, vhost_source => $vhost_source, diff --git a/manifests/vhost/proxy.pp b/manifests/vhost/proxy.pp index 6cfdd16..dfc6a0b 100644 --- a/manifests/vhost/proxy.pp +++ b/manifests/vhost/proxy.pp @@ -29,6 +29,9 @@ define apache::vhost::proxy( $logmode = 'default', $mod_security = false, $ssl_mode = false, + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $additional_options = 'absent' ){ # create vhost configuration file @@ -49,6 +52,9 @@ define apache::vhost::proxy( allow_override => $allow_override, run_mode => 'normal', mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, options => $target_url, ssl_mode => $ssl_mode, additional_options => $additional_options, diff --git a/manifests/vhost/static.pp b/manifests/vhost/static.pp index ab96141..76e2bee 100644 --- a/manifests/vhost/static.pp +++ b/manifests/vhost/static.pp @@ -37,7 +37,9 @@ define apache::vhost::static( $htpasswd_file = 'absent', $htpasswd_path = 'absent', $mod_security = false, - $mod_security_relevantonly = true + $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent' ){ # create webdir ::apache::vhost::webdir{$name: @@ -73,6 +75,8 @@ define apache::vhost::static( htpasswd_path => $htpasswd_path, mod_security => $mod_security, mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/manifests/vhost/template.pp b/manifests/vhost/template.pp index 303de0e..3fe78c9 100644 --- a/manifests/vhost/template.pp +++ b/manifests/vhost/template.pp @@ -79,6 +79,8 @@ define apache::vhost::template( $ssl_mode = false, $mod_security = true, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $use_mod_macro = false, $htpasswd_file = 'absent', $htpasswd_path = 'absent', diff --git a/manifests/vhost/webdav.pp b/manifests/vhost/webdav.pp index b4775d5..94b177c 100644 --- a/manifests/vhost/webdav.pp +++ b/manifests/vhost/webdav.pp @@ -46,6 +46,8 @@ define apache::vhost::webdav( $default_charset = 'absent', $mod_security = false, $mod_security_relevantonly = true, + $mod_security_rules_to_disable = [], + $mod_security_additional_options = 'absent', $ssl_mode = false, $vhost_mode = 'template', $vhost_source = 'absent', @@ -113,6 +115,9 @@ define apache::vhost::webdav( ldap_auth => $ldap_auth, ldap_user => $ldap_user, mod_security => $mod_security, + mod_security_relevantonly => $mod_security_relevantonly, + mod_security_rules_to_disable => $mod_security_rules_to_disable, + mod_security_additional_options => $mod_security_additional_options, } } diff --git a/templates/vhosts/gitweb/gitweb.erb b/templates/vhosts/gitweb/gitweb.erb index 2c64b1c..f732eb3 100644 --- a/templates/vhosts/gitweb/gitweb.erb +++ b/templates/vhosts/gitweb/gitweb.erb @@ -61,23 +61,7 @@ <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -144,23 +128,7 @@ <%- end %> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb index 0e0f803..e70b217 100644 --- a/templates/vhosts/partials/mod_security.erb +++ b/templates/vhosts/partials/mod_security.erb @@ -1,17 +1,27 @@ <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> + <% if mod_security.to_s == 'true' then -%> SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> + <% if mod_security_relevantonly.to_s == 'true' then -%> SecAuditEngine RelevantOnly - <%- else -%> + <% else -%> SecAuditEngine On - <%- end -%> - <%- else -%> + <% end -%> + <% else -%> SecRuleEngine Off SecAuditEngine Off - <%- end -%> + <% end -%> SecAuditLogType Concurrent SecAuditLogStorageDir <%= logdir %>/ SecAuditLog <%= logdir %>/mod_security_audit.log SecDebugLog <%= logdir %>/mod_security_debug.log + <% unless mod_security_rules_to_disable.to_a.empty? -%> + + <% mod_security_rules_to_disable.to_a.each do |rule| + SecRuleRemoveById "<%= rule %>" + <% end -%> + <% end -%> + <% unless mod_security_additional_options.to_s == 'absent' -%> + + <%= mod_security_additional_options %> + <% end -%> </IfModule> diff --git a/templates/vhosts/perl/perl.erb b/templates/vhosts/perl/perl.erb index 55e6e56..6e79805 100644 --- a/templates/vhosts/perl/perl.erb +++ b/templates/vhosts/perl/perl.erb @@ -73,23 +73,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -164,23 +148,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -270,23 +238,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -368,23 +320,7 @@ ScriptAlias /cgi-bin/ <%= cgi_binpath %>/ <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php/php.erb b/templates/vhosts/php/php.erb index ef50008..cbbc736 100644 --- a/templates/vhosts/php/php.erb +++ b/templates/vhosts/php/php.erb @@ -76,23 +76,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -170,23 +154,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -265,23 +233,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -353,23 +305,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_drupal/php_drupal.erb b/templates/vhosts/php_drupal/php_drupal.erb index 1e3e0f4..57bf6d9 100644 --- a/templates/vhosts/php_drupal/php_drupal.erb +++ b/templates/vhosts/php_drupal/php_drupal.erb @@ -97,23 +97,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -213,23 +197,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -327,23 +295,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -433,23 +385,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_gallery2/php_gallery2.erb b/templates/vhosts/php_gallery2/php_gallery2.erb index d4f210c..ef2444f 100644 --- a/templates/vhosts/php_gallery2/php_gallery2.erb +++ b/templates/vhosts/php_gallery2/php_gallery2.erb @@ -84,23 +84,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -186,19 +170,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -287,23 +259,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -381,19 +337,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_joomla/php_joomla.erb b/templates/vhosts/php_joomla/php_joomla.erb index ebaefd8..c7e06d7 100644 --- a/templates/vhosts/php_joomla/php_joomla.erb +++ b/templates/vhosts/php_joomla/php_joomla.erb @@ -85,37 +85,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - <LocationMatch '^/'> - SecRuleRemoveById 950013 - </LocationMatch> - - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" - - # Exceptions for Joomla Component Expose - <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> - SecRuleRemoveById 960010 - </LocationMatch> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -193,37 +163,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - <LocationMatch '^/'> - SecRuleRemoveById 950013 - </LocationMatch> - - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" - - # Exceptions for Joomla Component Expose - <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> - SecRuleRemoveById 960010 - </LocationMatch> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -313,37 +253,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - <LocationMatch '^/'> - SecRuleRemoveById 950013 - </LocationMatch> - - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" - - # Exceptions for Joomla Component Expose - <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> - SecRuleRemoveById 960010 - </LocationMatch> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -417,37 +327,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - # Exceptions for Joomla Root Directory - <LocationMatch '^/'> - SecRuleRemoveById 950013 - </LocationMatch> - - # Exceptions for Joomla Administration Panel - SecRule REQUEST_FILENAME "/administrator/index2.php" \ - "allow,phase:1,nolog,ctl:ruleEngine=Off" - - # Exceptions for Joomla Component Expose - <LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'> - SecRuleRemoveById 960010 - </LocationMatch> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_mediawiki/php_mediawiki.erb b/templates/vhosts/php_mediawiki/php_mediawiki.erb index 2a33e1f..a5fd4f3 100644 --- a/templates/vhosts/php_mediawiki/php_mediawiki.erb +++ b/templates/vhosts/php_mediawiki/php_mediawiki.erb @@ -71,19 +71,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -157,19 +145,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -248,19 +224,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -334,19 +298,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_silverstripe/php_silverstripe.erb b/templates/vhosts/php_silverstripe/php_silverstripe.erb index de4dd5d..c2d8e49 100644 --- a/templates/vhosts/php_silverstripe/php_silverstripe.erb +++ b/templates/vhosts/php_silverstripe/php_silverstripe.erb @@ -95,25 +95,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -207,25 +189,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -325,25 +289,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -431,25 +377,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_simplemachine/php_simplemachine.erb b/templates/vhosts/php_simplemachine/php_simplemachine.erb index b53477e..dfe0af2 100644 --- a/templates/vhosts/php_simplemachine/php_simplemachine.erb +++ b/templates/vhosts/php_simplemachine/php_simplemachine.erb @@ -70,23 +70,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -158,23 +142,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -253,23 +221,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -341,23 +293,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_spip/php_spip.erb b/templates/vhosts/php_spip/php_spip.erb index 05f8485..ebd9d84 100644 --- a/templates/vhosts/php_spip/php_spip.erb +++ b/templates/vhosts/php_spip/php_spip.erb @@ -76,23 +76,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -170,23 +154,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -265,23 +233,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -353,23 +305,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_typo3/php_typo3.erb b/templates/vhosts/php_typo3/php_typo3.erb index bf0bd5d..e65a5c9 100644 --- a/templates/vhosts/php_typo3/php_typo3.erb +++ b/templates/vhosts/php_typo3/php_typo3.erb @@ -83,32 +83,7 @@ <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <Location "/typo3"> - <IfModule mod_security2.c> - SecRuleEngine Off - SecAuditEngine Off - </IfModule> - </Location> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -185,32 +160,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <Location "/typo3"> - <IfModule mod_security2.c> - SecRuleEngine Off - SecAuditEngine Off - </IfModule> - </Location> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -298,31 +248,7 @@ <%- end -%> <%- end -%> - <Location "/typo3"> - <IfModule mod_security2.c> - SecRuleEngine Off - </IfModule> - </Location> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -394,31 +320,7 @@ </Directory> <%- end -%> - <Location "/typo3"> - <IfModule mod_security2.c> - SecRuleEngine Off - </IfModule> - </Location> - - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/php_wordpress/php_wordpress.erb b/templates/vhosts/php_wordpress/php_wordpress.erb index 5ae6e24..de889ee 100644 --- a/templates/vhosts/php_wordpress/php_wordpress.erb +++ b/templates/vhosts/php_wordpress/php_wordpress.erb @@ -73,23 +73,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - SecRuleRemoveById "950018" - </IfModule> - <%- end -%> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -163,22 +147,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - SecRuleRemoveById "950018" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -257,22 +226,7 @@ <%- end -%> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - SecRuleRemoveById "950018" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -344,22 +298,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - SecAuditEngine On - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - # http://optics.csufresno.edu/~kriehn/fedora/fedora_files/f9/howto/modsecurity.html - SecRuleRemoveById "960010" - SecRuleRemoveById "950018" - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/proxy/proxy.erb b/templates/vhosts/proxy/proxy.erb index 5b1465f..885bce3 100644 --- a/templates/vhosts/proxy/proxy.erb +++ b/templates/vhosts/proxy/proxy.erb @@ -44,6 +44,8 @@ ProxyPassReverse / <%= options %>/ <%- end -%> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> + <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> <%- end -%> @@ -79,6 +81,8 @@ Header add Strict-Transport-Security "max-age=15768000" +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> + <Proxy *> Order deny,allow Allow from all diff --git a/templates/vhosts/static/static.erb b/templates/vhosts/static/static.erb index 030d588..55ae5ac 100644 --- a/templates/vhosts/static/static.erb +++ b/templates/vhosts/static/static.erb @@ -51,23 +51,7 @@ </Directory> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -125,23 +109,7 @@ </Directory> <%- end %> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> diff --git a/templates/vhosts/webdav/webdav.erb b/templates/vhosts/webdav/webdav.erb index fa76b27..e498833 100644 --- a/templates/vhosts/webdav/webdav.erb +++ b/templates/vhosts/webdav/webdav.erb @@ -76,23 +76,7 @@ <%- end -%> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -170,23 +154,7 @@ </Directory> <%- unless run_mode.to_s =~ /(proxy\-|static\-)itk/ -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- end -%> <%- unless additional_options.to_s == 'absent' then -%> @@ -239,23 +207,7 @@ AddDefaultCharset <%= default_charset %> <%- end -%> - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> @@ -303,23 +255,7 @@ Header add Strict-Transport-Security "max-age=15768000" - <IfModule mod_security2.c> - <%- if mod_security.to_s == 'true' then -%> - SecRuleEngine On - <%- if mod_security_relevantonly.to_s == 'true' then -%> - SecAuditEngine RelevantOnly - <%- else -%> - SecAuditEngine On - <%- end -%> - <%- else -%> - SecRuleEngine Off - SecAuditEngine Off - <%- end -%> - SecAuditLogType Concurrent - SecAuditLogStorageDir <%= logdir %>/ - SecAuditLog <%= logdir %>/mod_security_audit.log - SecDebugLog <%= logdir %>/mod_security_debug.log - </IfModule> +<%= scope.function_template('apache/vhosts/partials/mod_security.erb') %> <%- unless additional_options.to_s == 'absent' then -%> <%= additional_options %> |