From cbbffa1d3de5a19a72dd7bb88fb1bcb14e5384e1 Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 17 May 2011 22:52:47 +0200
Subject: improve mod_security rules
* handled now by a partial
* possibility to add rules that should be removed
* possibility to add custom mod_sec options"
* use new infrastructure for existing mod_sec tweaks
---
 templates/vhosts/partials/mod_security.erb | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
(limited to 'templates/vhosts/partials')
diff --git a/templates/vhosts/partials/mod_security.erb b/templates/vhosts/partials/mod_security.erb
index 0e0f803..e70b217 100644
--- a/templates/vhosts/partials/mod_security.erb
+++ b/templates/vhosts/partials/mod_security.erb
@@ -1,17 +1,27 @@
- <%- if mod_security.to_s == 'true' then -%>
+ <% if mod_security.to_s == 'true' then -%>
 SecRuleEngine On
- <%- if mod_security_relevantonly.to_s == 'true' then -%>
+ <% if mod_security_relevantonly.to_s == 'true' then -%>
 SecAuditEngine RelevantOnly
- <%- else -%>
+ <% else -%>
 SecAuditEngine On
- <%- end -%>
- <%- else -%>
+ <% end -%>
+ <% else -%>
 SecRuleEngine Off
 SecAuditEngine Off
- <%- end -%>
+ <% end -%>
 SecAuditLogType Concurrent
 SecAuditLogStorageDir <%= logdir %>/
 SecAuditLog <%= logdir %>/mod_security_audit.log
 SecDebugLog <%= logdir %>/mod_security_debug.log
+ <% unless mod_security_rules_to_disable.to_a.empty? -%>
+
+ <% mod_security_rules_to_disable.to_a.each do |rule|
+ SecRuleRemoveById "<%= rule %>"
+ <% end -%>
+ <% end -%>
+ <% unless mod_security_additional_options.to_s == 'absent' -%>
+
+ <%= mod_security_additional_options %>
+ <% end -%>
-- cgit v1.2.3
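Review bot: The added `<% mod_security_rules_to_disable.to_a.each do |rule|` line has no closing `-%>` as shown here, so the ERB tag runs on until the `%>` inside `"<%= rule %>"` and the loop is unlikely to compile; it should read `<% mod_security_rules_to_disable.to_a.each do |rule| -%>`. Separately, each `rule` is interpolated into `SecRuleRemoveById "<%= rule %>"` without any check, so a value containing a quote or newline would write extra directives into the vhost, and a mistyped value could remove a rule other than the one intended; accept only numeric ids or id ranges (for example by testing `rule.to_s =~ /\A\d+(-\d+)?\z/`) and fail rendering otherwise. `mod_security_additional_options` is emitted verbatim, presumably by design, so a comment such as `<%# trusted, operator-supplied directives; rendered unescaped %>` above it would make that trust assumption explicit. Since every removed rule id weakens the WAF for this vhost, it would also help to document next to the variable which ids are disabled and why.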