[mod-security-users] Configuration concept
From: Armin A. <a.a...@gm...> - 2011-05-27 10:14:10
Hi,

I am currently working on a configuration concept for mod_security with which I want to achieve clarity and simplicity in the Apache configuration, especially when configurations become large and complex. Another goal is to make automated adaptations per virtual host and location (e.g. with a Web GUI), so I'll need a structure that removes the dispersion of settings all around the Apache configuration.

I would like to show you the main concept with a configuration example and want to ask you for any feedback. I would appreciate any suggestions for improvements or criticism regarding structure, performance, etc., or possible use-cases that could not be realized that way. I have tested the configuration and it worked in accordance with my requirements.

Regards,
Armin

The explanation of the includes follows after the configuration example.

================= configuration example ============================

Include mod_security_10_main.conf
Include mod_security_20_flow.conf
Include mod_security_30_glob_excp.conf

<VirtualHost ONE>
    Include mod_security_40_vhost_one.conf
    Include mod_security_50_locations_vhost_one.conf
    Include mod_security_60_flow.conf
    <Location /one>
    </Location>
    <Location /two>
    </Location>
</VirtualHost>

<VirtualHost TWO>
    Include mod_security_40_vhost_two.conf
    Include mod_security_50_locations_vhost_two.conf
    Include mod_security_60_flow.conf
    <Location /one>
    </Location>
    <Location /two>
    </Location>
</VirtualHost>

Include mod_security_70_crs_base.conf
Include mod_security_80_crs_optional.conf
Include mod_security_90_crs_own.conf
Include mod_security_100_flow.conf

=======================================================

Explanation of included configurations

=== mod_security_10_main.conf ===

This include sets the basic configuration like log files, data dirs, etc. It also enables the mod_security engine globally! e.g.

> SecRuleEngine On
> SecResponseBodyAccess Off

=== mod_security_20_flow.conf ===

Sets the anomaly scoring settings; nothing special here.

=== mod_security_30_glob_excp.conf ===

Used for global exceptions, e.g. whitelisting:

> SecRule REMOTE_ADDR "@pmFromFile whitelist.conf" "phase:1,t:none,allow,msg:'whitelisted IP'"

=== mod_security_40_vhost_one.conf ===

Is used for the coarse configuration of virtual host ONE, especially to define the rule set to be used. Other virtual hosts (in the example, virtual host TWO) are configured in an analogous manner. e.g. enable protocol violation checks:

> SecAction "phase:1,t:none,nolog,pass,setvar:tx.protocol_violations_crs_enabled=yes"

=== mod_security_50_locations_vhost_one.conf ===

Fine-grained configuration of the locations of virtual host ONE, e.g. to turn mod_security on or off per location, to remove/add certain rules, etc. The configuration of the locations of other virtual hosts (in the example, virtual host TWO) is similar.

In this file, mod_security is turned off by default via

> SecRule REQUEST_URI "^(.*)$" "phase:1,pass,nolog,setvar:tx.location_secured=no"

...and turned on explicitly via

> SecRule REQUEST_URI "@beginsWith /one" "phase:1,pass,nolog,setvar:tx.location_secured=yes"

Or remove rules by ID:

> SecRule REQUEST_URI "@beginsWith /one" "phase:1,pass,nolog,ctl:ruleRemoveById=973433"

In addition, overriding of VHost settings is possible:

> SecRule REQUEST_URI "@beginsWith /two" "phase:1,pass,nolog,setvar:tx.protocol_violations_crs_enabled=no"

=== mod_security_60_flow.conf ===

This file controls the flow:

> SecRule tx:location_secured "@streq no" "phase:1,pass,nolog,skipAfter:MOD_SEC_EXIT"
> SecRule tx:location_secured "@streq yes" "phase:1,pass,nolog,ctl:requestBodyAccess=on"

=== mod_security_70_crs_base.conf ===

Includes all mod_security Core Rule Sets; the markers ensure the flow control. e.g. the protocol violation rule set:

> SecRule tx:protocol_violations_crs_enabled "@streq no" "phase:1,nolog,skipAfter:CRS_20"
> Include modsecurity_crs_20_protocol_violations.conf
> SecMarker CRS_20

=== mod_security_80_crs_optional.conf ===

Same as the previous include, but for optional Core Rule Sets.

=== mod_security_90_crs_own.conf ===

Same as the previous include, but for individual Core Rule Sets.

=== mod_security_100_flow.conf ===

This file defines the end marker to ensure the flow control defined in mod_security_60_flow.conf:

> SecMarker MOD_SEC_EXIT
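The flow described in the post, collapsed into one virtual host's effective rule order, as an added example that is not the poster's configuration and not part of the message above. The tx variable names, the marker names and rule 973433 are taken from the post; the rule IDs 9000xx, the log and data paths, the ServerName, the /one/upload location and the CRS include path are assumptions. It targets ModSecurity 2.7 or later, where every rule needs an id and @ipMatchFromFile exists. To keep the rule order unambiguous it places the guarded CRS include in the same context as the flow rules, so the post's split between vhost-level and server-level files is not reproduced here.

```apache
# Added example (not the poster's files): the post's include chain flattened
# into one vhost. Assumed: rule ids 9000xx, paths, ServerName, /one/upload.

# --- 10_main: global settings. Request body access stays off and is switched
#     on per secured location by the 60_flow rules below.
SecRuleEngine On
SecRequestBodyAccess Off
SecResponseBodyAccess Off
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecDataDir /var/cache/modsecurity

# --- 30_glob_excp: whitelisted clients skip all rule processing except the
#     logging phase ("allow" without an argument). whitelist.conf holds one
#     address or CIDR per line, relative to this file. @ipMatchFromFile
#     compares addresses; the post's @pmFromFile is a substring match.
SecRule REMOTE_ADDR "@ipMatchFromFile whitelist.conf" \
    "id:900001,phase:1,t:none,nolog,allow,msg:'whitelisted IP'"

<VirtualHost *:80>
    ServerName one.example.com

    # --- 40_vhost: coarse per-vhost switch. The CRS guard further down only
    #     skips on an explicit "no"; a rule on an unset tx variable never
    #     fires, so a vhost that sets nothing keeps the rule set enabled.
    SecAction "id:900010,phase:1,t:none,nolog,pass,setvar:tx.protocol_violations_crs_enabled=yes"

    # --- 50_locations: unconditional default "no" (the post's REQUEST_URI
    #     "^(.*)$" match does the same), then explicit per-location decisions.
    #     REQUEST_URI is matched here in vhost context on purpose: phase 1
    #     rules inside <Location> are not applied, because phase 1 runs before
    #     Apache has mapped the request to a resource.
    SecAction "id:900020,phase:1,t:none,nolog,pass,setvar:tx.location_secured=no"
    SecRule REQUEST_URI "@beginsWith /one" \
        "id:900021,phase:1,t:none,nolog,pass,setvar:tx.location_secured=yes"
    # ctl:ruleRemoveById is transaction-wide: set in phase 1, it also removes
    # the rule from phase 2 processing.
    SecRule REQUEST_URI "@beginsWith /one/upload" \
        "id:900022,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=973433"
    # /two is secured but overrides the vhost-wide choice made in 40_vhost.
    SecRule REQUEST_URI "@beginsWith /two" \
        "id:900023,phase:1,t:none,nolog,pass,setvar:tx.location_secured=yes,setvar:tx.protocol_violations_crs_enabled=no"

    # --- 60_flow: leave early for unsecured locations. skipAfter only skips
    #     rules of the phase it runs in, so the phase 1 rule alone would leave
    #     every phase 2 CRS rule active; the guard is repeated for phase 2.
    SecRule TX:location_secured "@streq no" \
        "id:900030,phase:1,t:none,nolog,pass,skipAfter:MOD_SEC_EXIT"
    SecRule TX:location_secured "@streq no" \
        "id:900031,phase:2,t:none,nolog,pass,skipAfter:MOD_SEC_EXIT"
    SecRule TX:location_secured "@streq yes" \
        "id:900032,phase:1,t:none,nolog,pass,ctl:requestBodyAccess=On"

    # --- 70_crs_base: each CRS file sits between a per-phase guard and its
    #     marker. SecMarker creates the marker in every phase, so both guards
    #     find it.
    SecRule TX:protocol_violations_crs_enabled "@streq no" \
        "id:900040,phase:1,t:none,nolog,pass,skipAfter:CRS_20"
    SecRule TX:protocol_violations_crs_enabled "@streq no" \
        "id:900041,phase:2,t:none,nolog,pass,skipAfter:CRS_20"
    Include /etc/modsecurity/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
    SecMarker CRS_20

    # --- 100_flow: target of the early exit in 60_flow.
    SecMarker MOD_SEC_EXIT
</VirtualHost>
```

Two points worth checking before adopting the post's snippets as they stand. First, @pm and @pmFromFile look for the phrase anywhere in the input, so a whitelist line "10.0.0.1" also matches a client at 10.0.0.10 or 10.0.0.100; for REMOTE_ADDR use @ipMatch or @ipMatchFromFile, which compare addresses and CIDR ranges. Second, skipAfter and ctl:ruleRemoveById behave differently across phases: the skip applies to the current phase only, which is why the example carries a phase 1 and a phase 2 copy of each guard, while a rule removed with ctl in phase 1 stays removed for the rest of the transaction.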