diff --git a/dd-sso/docker/haproxy/haproxy.cnf.parts/tail-waf.cnf b/dd-sso/docker/haproxy/haproxy.cnf.parts/tail-waf.cnf
index 76e7691..32b48f7 100644
--- a/dd-sso/docker/haproxy/haproxy.cnf.parts/tail-waf.cnf
+++ b/dd-sso/docker/haproxy/haproxy.cnf.parts/tail-waf.cnf
@@ -1,8 +1,11 @@
 #
 # BEGIN: waf-tail.cnf
 #
 
+# Internal network
+acl network_allowed src 172.16.0.0/12
+
 # Internal traffic
-use_backend bk_web if { src 172.16.0.0/12 }
+use_backend bk_web if network_allowed
 
 default_backend bk_waf
diff --git a/dd-sso/docker/waf-modsecurity/rules_apps.conf b/dd-sso/docker/waf-modsecurity/rules_apps.conf
index 87c88cf..a1e239c 100644
--- a/dd-sso/docker/waf-modsecurity/rules_apps.conf
+++ b/dd-sso/docker/waf-modsecurity/rules_apps.conf
@@ -65,3 +65,19 @@ SecRule REQUEST_FILENAME "@contains /lib/ajax/service.php" "phase:1,id:99000012,
 SecRule REQUEST_FILENAME "@contains /apps/polls/poll" "phase:1,id:99000013,nolog,chain"
 SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
 
+
+SecRule REQUEST_URI "^/status.php" \
+"phase:1,id:99000014,t:none,t:lowercase,deny,status:403,msg:'403 Access Denied',chain"
+SecRule SERVER_NAME "@contains nextcloud."
+
+SecRule REQUEST_URI "@contains /wp-json/wp/v2/users" \
+"phase:1,id:99000015,t:none,t:lowercase,deny,status:403,msg:'403 Access Denied',chain"
+SecRule SERVER_NAME "@contains wp."
+
+SecRule REQUEST_URI "@contains /report/security/index.php" \
+"phase:1,id:99000016,t:none,t:lowercase,deny,status:403,msg:'403 Access Denied',chain"
+SecRule SERVER_NAME "@contains moodle." \
+"t:none,\
+chain"
+SecRule ARGS:detail "@streq core_publicpaths" \
+"t:none"
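Review bot: The new `# Internal network` comment should say what matching the ACL actually does, since the line that follows sends those requests to `bk_web` while everything else falls through to `default_backend bk_waf` — i.e. the whole 172.16.0.0/12 range skips the ModSecurity backend. A comment such as `# Internal network: requests from this range are routed to bk_web directly and are not inspected by bk_waf` makes that routing decision visible to whoever next widens the range. Note that `src` matches the immediate peer address as seen by HAProxy, so if another proxy sits in front the match applies to that proxy, not the original client; that depends on the frontend definition, which starts outside this hunk.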
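Review bot: Rule 99000014 matches `REQUEST_URI` with the regex `"^/status.php"`, where the unescaped `.` matches any character, so the rule is looser than the two sibling rules that use `@contains`; it should be `"^/status\.php"` (or `"@beginsWith /status.php"` to match the style of the others). In rule 99000016 the action string of the second chained rule is split across lines as `"t:none,\` / `chain"`, so the leading whitespace of the continuation line may end up inside the action list depending on how the config parser joins continued lines; writing it as a single `"t:none,chain"` removes the ambiguity. The chained `SERVER_NAME` rules in 99000014 and 99000015 carry no explicit `t:none`, unlike the one in 99000016, so whatever `SecDefaultAction` sets elsewhere in the file applies to them; a one-line comment stating that this is intended (or adding `"t:none"` for consistency) would help.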