exclude rules
parent
cb183de9cf
commit
fcff698f6f
|
@ -10,6 +10,7 @@ docs.built/
|
||||||
dd-sso/docker/api/src/api/static/templates/*.html
|
dd-sso/docker/api/src/api/static/templates/*.html
|
||||||
dd-sso/docker/api/src/api/static/templates/*.json
|
dd-sso/docker/api/src/api/static/templates/*.json
|
||||||
dd-sso/docker/keycloak/themes/dd-custom
|
dd-sso/docker/keycloak/themes/dd-custom
|
||||||
|
dd-sso/admin/src/admin/node_modules/
|
||||||
.idea/
|
.idea/
|
||||||
*.log
|
*.log
|
||||||
# External, unmodified files
|
# External, unmodified files
|
||||||
|
|
14
dd-ctl
14
dd-ctl
|
@ -870,6 +870,17 @@ special_image_tags() {
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
enable_waf() {
|
||||||
|
# Enable waf
|
||||||
|
echo "Enable rules ModSecurity"
|
||||||
|
docker exec dd-waf-apache bash -c 'sed -i.orig -e "s/modsecurity Off/modsecurity On/" /etc/apache2/sites-enabled/000-default.conf'
|
||||||
|
echo "Done"
|
||||||
|
echo "Restart Apache - ModSecurity"
|
||||||
|
docker restart dd-waf-apache
|
||||||
|
echo "Done"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
push_images() {
|
push_images() {
|
||||||
#
|
#
|
||||||
# Note this requires docker login on the registry
|
# Note this requires docker login on the registry
|
||||||
|
@ -984,6 +995,9 @@ case "$OPERATION" in
|
||||||
securize)
|
securize)
|
||||||
securize
|
securize
|
||||||
;;
|
;;
|
||||||
|
waf)
|
||||||
|
enable_waf
|
||||||
|
;;
|
||||||
setconf)
|
setconf)
|
||||||
setconf "$@"
|
setconf "$@"
|
||||||
;;
|
;;
|
||||||
|
|
|
@ -9,5 +9,6 @@ services:
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
volumes:
|
volumes:
|
||||||
- /etc/localtime:/etc/localtime:ro
|
- /etc/localtime:/etc/localtime:ro
|
||||||
|
- ${SRC_FOLDER}/modsecurity/rules:/etc/apache2/modsecurity.d/dd-rules:rw
|
||||||
networks:
|
networks:
|
||||||
- dd_net
|
- dd_net
|
|
@ -38,6 +38,9 @@ frontend tf_waf
|
||||||
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
|
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
|
||||||
use_backend letsencrypt if letsencrypt-acl
|
use_backend letsencrypt if letsencrypt-acl
|
||||||
|
|
||||||
|
# Internal traffic
|
||||||
|
use_backend bk_web if { src 192.168.0.0/16 }
|
||||||
|
|
||||||
default_backend bk_waf
|
default_backend bk_waf
|
||||||
|
|
||||||
# Traffic secured by the WAF arrives here
|
# Traffic secured by the WAF arrives here
|
||||||
|
|
|
@ -1,13 +1,10 @@
|
||||||
<VirtualHost *:80>
|
<VirtualHost *:80>
|
||||||
modsecurity on
|
modsecurity Off
|
||||||
modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
|
modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
|
||||||
ServerAdmin webmaster@localhost
|
ServerAdmin webmaster@localhost
|
||||||
DocumentRoot /var/www/html
|
DocumentRoot /var/www/html
|
||||||
#ErrorLog ${APACHE_LOG_DIR}/error.log
|
ErrorLog /var/log/apache2/error.log
|
||||||
#CustomLog ${APACHE_LOG_DIR}/access.log combined
|
CustomLog /var/log/apache2/access.log combined
|
||||||
ErrorLog /dev/stderr
|
|
||||||
TransferLog /dev/stdout
|
|
||||||
|
|
||||||
|
|
||||||
ProxyPreserveHost On
|
ProxyPreserveHost On
|
||||||
ProxyRequests off
|
ProxyRequests off
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
# Install Modsecurity in a Docker container;
|
# Install Modsecurity in a Docker container
|
||||||
FROM ubuntu:20.04 as production
|
FROM ubuntu:20.04 as production
|
||||||
ARG DEBIAN_FRONTEND=noninteractive
|
ARG DEBIAN_FRONTEND=noninteractive
|
||||||
# update/upgrade your system
|
# update/upgrade your system
|
||||||
|
@ -9,8 +9,8 @@ RUN apt-get install -y g++ flex bison curl apache2-dev \
|
||||||
doxygen libyajl-dev ssdeep liblua5.2-dev \
|
doxygen libyajl-dev ssdeep liblua5.2-dev \
|
||||||
libgeoip-dev libtool dh-autoreconf \
|
libgeoip-dev libtool dh-autoreconf \
|
||||||
libcurl4-gnutls-dev libxml2 libpcre++-dev \
|
libcurl4-gnutls-dev libxml2 libpcre++-dev \
|
||||||
libxml2-dev git wget tar apache2 \
|
libxml2-dev git wget tar apache2
|
||||||
certbot python3-certbot-apache
|
# certbot python3-certbot-apache
|
||||||
|
|
||||||
# Download LibModsecurity
|
# Download LibModsecurity
|
||||||
RUN wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.8/modsecurity-v3.0.8.tar.gz
|
RUN wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.8/modsecurity-v3.0.8.tar.gz
|
||||||
|
@ -32,23 +32,31 @@ RUN cd ~/ModSecurity-apache && \
|
||||||
make && \
|
make && \
|
||||||
make install
|
make install
|
||||||
|
|
||||||
|
|
||||||
|
# logs should go to stdout / stderr
|
||||||
|
RUN set -ex \
|
||||||
|
&& ln -sfT /dev/stderr /var/log/apache2/error.log \
|
||||||
|
&& ln -sfT /dev/stdout /var/log/apache2/access.log \
|
||||||
|
&& ln -sfT /dev/stdout /var/log/apache2/other_vhosts_access.log
|
||||||
|
|
||||||
# Load the Apache ModSecurity Connector Module
|
# Load the Apache ModSecurity Connector Module
|
||||||
RUN echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" >> /etc/apache2/apache2.conf
|
RUN echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" >> /etc/apache2/apache2.conf
|
||||||
|
|
||||||
# Configure ModSecurity
|
# Configure ModSecurity
|
||||||
RUN mkdir /etc/apache2/modsecurity.d && \
|
RUN mkdir -p /etc/apache2/modsecurity.d/dd-rules && \
|
||||||
cp modsecurity-v3.0.8/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf && \
|
cp modsecurity-v3.0.8/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf && \
|
||||||
cp modsecurity-v3.0.8/unicode.mapping /etc/apache2/modsecurity.d/ && \
|
cp modsecurity-v3.0.8/unicode.mapping /etc/apache2/modsecurity.d/ && \
|
||||||
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf
|
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf
|
||||||
ADD modsec_rules.conf /etc/apache2/modsecurity.d/
|
ADD modsec_rules.conf /etc/apache2/modsecurity.d/
|
||||||
|
|
||||||
# Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu
|
# Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu
|
||||||
RUN git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs && \
|
RUN git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs
|
||||||
cp /crs-setup.conf /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
|
ADD crs-setup.conf /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
|
||||||
|
|
||||||
# Activate ModSecurity
|
# Activate ModSecurity
|
||||||
RUN mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
|
RUN mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.old
|
||||||
ADD 000-default.conf /etc/apache2/sites-available/
|
ADD 000-default.conf /etc/apache2/sites-available/
|
||||||
|
ADD rules_apps.conf /etc/apache2/modsecurity.d/owasp-crs/rules/000-dd-apps.conf
|
||||||
|
|
||||||
RUN a2enmod proxy_http
|
RUN a2enmod proxy_http
|
||||||
|
|
||||||
|
@ -57,3 +65,8 @@ CMD apachectl -D FOREGROUND
|
||||||
|
|
||||||
# Testing ModSecurity
|
# Testing ModSecurity
|
||||||
#curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash
|
#curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash
|
||||||
|
|
||||||
|
# TODO
|
||||||
|
# Juntas capas y reducir peso
|
||||||
|
# user no root
|
||||||
|
|
||||||
|
|
|
@ -379,13 +379,13 @@ SecAction \
|
||||||
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
|
# Example: for WebDAV, add the following methods: CHECKOUT COPY DELETE LOCK
|
||||||
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
|
# MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK
|
||||||
# Uncomment this rule to change the default.
|
# Uncomment this rule to change the default.
|
||||||
#SecAction \
|
SecAction \
|
||||||
# "id:900200,\
|
"id:900200,\
|
||||||
# phase:1,\
|
phase:1,\
|
||||||
# nolog,\
|
nolog,\
|
||||||
# pass,\
|
pass,\
|
||||||
# t:none,\
|
t:none,\
|
||||||
# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
|
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT'"
|
||||||
|
|
||||||
# Content-Types that a client is allowed to send in a request.
|
# Content-Types that a client is allowed to send in a request.
|
||||||
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
|
# Default: |application/x-www-form-urlencoded| |multipart/form-data| |multipart/related|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
Include "/etc/apache2/modsecurity.d/modsecurity.conf"
|
Include "/etc/apache2/modsecurity.d/modsecurity.conf"
|
||||||
Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
|
Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
|
||||||
|
#Include "/etc/apache2/modsecurity.d/dd-rules/*.conf"
|
||||||
Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"
|
Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"
|
||||||
Include "/etc/apache2/modsecurity.d/dd-rules.conf"
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
# Rules
|
||||||
|
#######
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@endsWith /apps/user_status/heartbeat" \
|
||||||
|
"id:99000001,\
|
||||||
|
phase:1,\
|
||||||
|
pass,\
|
||||||
|
t:none,\
|
||||||
|
nolog,\
|
||||||
|
ctl:ruleRemoveById=911100"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@rx /apps/text/session/(?:create|fetch|sync|close)$" \
|
||||||
|
"id:99000002,\
|
||||||
|
phase:1,\
|
||||||
|
pass,\
|
||||||
|
t:none,\
|
||||||
|
nolog,\
|
||||||
|
ver:'OWASP_CRS/3.2.0',\
|
||||||
|
setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE'"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /auth/saml2/sp/saml2-acs.php" \
|
||||||
|
"id:99000003,\
|
||||||
|
phase:1,\
|
||||||
|
pass,\
|
||||||
|
t:none,\
|
||||||
|
nolog,\
|
||||||
|
ctl:ruleRemoveById=920440"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /auth/saml2/sp/saml2-logout.php" \
|
||||||
|
"id:99000004,\
|
||||||
|
phase:1,\
|
||||||
|
pass,\
|
||||||
|
t:none,\
|
||||||
|
nolog,\
|
||||||
|
ctl:ruleRemoveById=920440"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /apps/text/session" \
|
||||||
|
"id:99000005,\
|
||||||
|
phase:1,\
|
||||||
|
pass,\
|
||||||
|
t:none,\
|
||||||
|
nolog,\
|
||||||
|
ctl:ruleRemoveById=911100"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /apps/user_status/heartbeat" "phase:1,id:99000006,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /remote.php/dav" "phase:1,id:99000007,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /apps/text/session" "phase:1,id:99000008,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /socket.io" "phase:1,id:99000009,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /auth/realms/master/avatar-provider" "phase:1,id:99000010,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /lib/ajax/service-nologin.php" "phase:1,id:99000011,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /lib/ajax/service.php" "phase:1,id:99000012,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
||||||
|
|
||||||
|
SecRule REQUEST_FILENAME "@contains /apps/polls/poll" "phase:1,id:99000013,nolog,chain"
|
||||||
|
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
|
Loading…
Reference in New Issue