modsecurity.conf

SecRuleEngine On
SecRequestBodyAccess On

#SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
#     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
#
#SecRule REQUEST_HEADERS:Content-Type "^application/json" \
#     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
#SecRequestBodyLimit 13107200
SecRequestBodyLimit 1048576
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

SecRequestBodyJsonDepthLimit 512
SecArgumentsLimit 1000

#SecRule &ARGS "@ge 1000" \
#"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
#
#SecRule REQBODY_ERROR "!@eq 0" \
#"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

#SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
#"id:'200003',phase:2,t:none,log,deny,status:400, \
#msg:'Multipart request body failed strict validation: \
#PE %{REQBODY_PROCESSOR_ERROR}, \
#BQ %{MULTIPART_BOUNDARY_QUOTED}, \
#BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
#DB %{MULTIPART_DATA_BEFORE}, \
#DA %{MULTIPART_DATA_AFTER}, \
#HF %{MULTIPART_HEADER_FOLDING}, \
#LF %{MULTIPART_LF_LINE}, \
#SM %{MULTIPART_MISSING_SEMICOLON}, \
#IQ %{MULTIPART_INVALID_QUOTING}, \
#IP %{MULTIPART_INVALID_PART}, \
#IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
#FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

# Did we see anything that might be a boundary?
#
# Here is a short description about the ModSecurity Multipart parser: the
# parser returns with value 0, if all "boundary-like" line matches with
# the boundary string which given in MIME header. In any other cases it returns
# with different value, eg. 1 or 2.
#
# The RFC 1341 descript the multipart content-type and its syntax must contains
# only three mandatory lines (above the content):
# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
# * --BOUNDARY_STRING
# * --BOUNDARY_STRING--
#
# First line indicates, that this is a multipart content, second shows that
# here starts a part of the multipart content, third shows the end of content.
#
# If there are any other lines, which starts with "--", then it should be
# another boundary id - or not.
#
# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
#
# If multipart content contains the three necessary lines with correct order, but
# there are one or more lines with "--", then parser returns with value 2 (non-zero).
#
# If some of the necessary lines (usually the start or end) misses, or the order
# is wrong, then parser returns with value 1 (also a non-zero).
#
# You can choose, which one is what you need. The example below contains the
# 'strict' mode, which means if there are any lines with start of "--", then
# ModSecurity blocked the content. But the next, commented example contains
# the 'permissive' mode, then you check only if the necessary lines exists in
# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
# or other text files, which contains eg. HTTP headers.
#
# The difference is only the operator - in strict mode (first) the content blocked
# in case of any non-zero value. In permissive mode (second, commented) the
# content blocked only if the value is explicit 1. If it 0 or 2, the content will
# allowed.
#

#
# See #1747 and #1924 for further information on the possible values for
# MULTIPART_UNMATCHED_BOUNDARY.
#
#SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
#    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"


# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_".  The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
#SecRule TX:/^MSC_/ "!@streq 0" \
#        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"


SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

SecTmpDir /tmp/
SecDataDir /tmp/

#SecUploadDir /opt/modsecurity/var/upload/
#SecUploadKeepFiles RelevantOnly
#SecUploadFileMode 0600

#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3


SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
#SecAuditLogStorageDir /opt/modsecurity/var/audit/


SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127
SecStatusEngine On

SecAuditLogFormat JSON

#SecRule ARGS:testparam "@contains test" "id:1234,deny,log,status:403"
#SecRule REQUEST_BODY "@rx ^bash" "phase:2,id:1235,deny,log,status:402"
#SecRule REQUEST_BODY "@rx bash" "phase:2,id:1235,deny,log,status:402"
SecRule REQUEST_BODY "@rx world" "phase:2,id:1235,deny,log,status:402"