Re: [mod-security-users] Elegantly adding more allowed_methods
From: <jm+...@ro...> - 2018-02-27 17:31:40
Hi,

On 2/27/2018 5:43 AM, Christian Folini wrote:
> On Mon, Feb 26, 2018 at 11:14:11PM +0100, jm+...@ro... wrote:
>> How would I modify tx:allowed_methods without actually touching the system
>> file /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf as
>> it might be replaced during an upgrade?
> SLES 11 seems to leave you with a CRS 2.2.x setup. I suggest you move to
> CRS3 where this question is answered / solved in the crs-setup.conf file.
>
> My tutorial 7 at https://www.netnea.com/cms/apache-tutorials/ also brings
> an example in this regard.
>

Well, crs v3 would require modsec > 2.8.0 and even SLES12-SP3 comes with modsec 2.7 only.

What you probably mean is that the setup file included with crs v3 states:

    # The order of file inclusion in your webserver configuration should always be:
    # 1. modsecurity.conf
    # 2. crs-setup.conf (this file)
    # 3. rules/*.conf (the CRS rule files)

I have now done something similar with "/etc/apache2/conf.d/mod_security2.conf" in SLES12.
By default, that file says at the bottom:

    Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
    # as set up with symlinks for files that are placed here:
    Include /etc/apache2/mod_security2.d/*.conf

I have added a statement in-between, which seems to also do the trick

    Include /usr/share/apache2-mod_security2/rules/modsecurity_crs_10_setup.conf
    SecAction \
      "id:'999989', \
      phase:1, \
      t:none, \
      setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/calendar', \
      nolog, \
      pass"
    Include /etc/apache2/mod_security2.d/*.conf

For some reason using SecRuleRemoveById on the actual rule 900012 that I wanted to override did not work. When I put up a new rule 900012 after removing the old one I still got the error that the ID would already exist... So that is why I did the above.

marki