Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
tutorial:adm:server_preparation_tmp [2020/06/18 10:36]
urbanl [mod_security configuration] changed basic configuration file 		tutorial:adm:server_preparation_tmp [2020/06/24 12:00]
kolarikj [mod_security configuration - CentOS8]
Line 583: Line 583:
  
 ==== Disabling mod_security rules ==== ==== Disabling mod_security rules ====
 +
 +These rules are disabled for modsec_crs 3.0.
  
 In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging: In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 +
 <code xml> <code xml>
 <IfModule mod_security2.c> <IfModule mod_security2.c>
-        SecRuleRemoveById 981173 +        SecRuleRemoveById 942430 
-        SecRuleRemoveById 960015 +        SecRuleRemoveById 942431 
-        SecRuleRemoveById 950109 +        SecRuleRemoveById 920300 
 +        SecRuleRemoveById 920230 
 +        
         # Allow Czech signs         # Allow Czech signs
-        SecRuleRemoveById 981318 +        SecRuleRemoveById 942110 
-        SecRuleRemoveById 981242 +        SecRuleRemoveById 942330 
-        SecRuleRemoveById 960024 +        SecRuleRemoveById 942460 
-        SecRuleRemoveById 981245+        SecRuleRemoveById 942260
                  
         # Too restrictive for login format         # Too restrictive for login format
-        SecRuleRemoveById 960035 +        SecRuleRemoveById 920440 
 +        
         # Needed by Websockets          # Needed by Websockets 
         <Location "/idm/api/v1/websocket-info/">         <Location "/idm/api/v1/websocket-info/">
-                SecRuleRemoveById 970901+                SecRuleRemoveById 950100
         </Location>         </Location>
                  
-        # These break Certificate Authority module 
- <Location "/idm/api/v1/crt/certificates/action/validate"> 
- SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 
- </Location> 
- 
- # Modsec can throw false positives on some files due to multipart boundary check 
- <Location "/idm/api/v1/attachments/upload"> 
- SecRuleRemoveById 960915 
- SecRuleRemoveById 200003 
- </Location> 
- 
         # do not log request/response body         # do not log request/response body
         SecAuditLogParts ABFHZ         SecAuditLogParts ABFHZ
Line 624: Line 616:
 ==== mod_security configuration - CentOS8  ==== ==== mod_security configuration - CentOS8  ====
  
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conffind the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods. +In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf 
-Whole rules after the changes looks like this:+ 
 +  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:
  
 <code> <code>
Line 635: Line 628:
     nolog,\     nolog,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
 +</code>
  
 +  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:
 +
 +<code>
 # Default HTTP policy: allowed_request_content_type (rule 900220) # Default HTTP policy: allowed_request_content_type (rule 900220)
 SecRule &TX:allowed_request_content_type "@eq 0" \ SecRule &TX:allowed_request_content_type "@eq 0" \