Differences

This shows you the differences between two versions of the page.

tutorial:adm:server_preparation_tmp [2020/06/18 13:16]
urbanl [Disabling mod_security rules] Changed modsec crs to 3.0
tutorial:adm:server_preparation_tmp [2020/06/24 12:00]
kolarikj [mod_security configuration - CentOS8]
Line 584: Line 584:
 ==== Disabling mod_security rules ==== ==== Disabling mod_security rules ====
  
-These rules are disabled for modsec_crs 3.0+These rules are disabled for modsec_crs 3.0
 In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging: In the file ''/etc/httpd/conf.d/ssl.conf'' deactivate following rules and set their logging:
 +
 <code xml> <code xml>
 <IfModule mod_security2.c> <IfModule mod_security2.c>
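Review bot: The line "These rules are disabled for modsec_crs 3.0" is marked as changed but reads identically on both sides here, so the note still does not say which CRS 3.x release the list below was tested against; state it explicitly (e.g. "disabled for modsec_crs 3.0.x, verified against <version placeholder>"), because rule IDs and the conditions that trigger them move between CRS releases and every ''SecRuleRemoveById'' in this block should be re-checked on upgrade.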
Line 592: Line 594:
         SecRuleRemoveById 920300         SecRuleRemoveById 920300
         SecRuleRemoveById 920230         SecRuleRemoveById 920230
 +        
         # Allow Czech signs         # Allow Czech signs
         SecRuleRemoveById 942110         SecRuleRemoveById 942110
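Review bot: The only change in this hunk is whitespace, but ''SecRuleRemoveById 942110'' under "# Allow Czech signs" deserves a second look: 942110 is one of the CRS 942 SQL-injection rules, and removing it for the whole vhost to accept Czech characters is broader than the comment suggests. If the false positives come from a known set of parameters, ''SecRuleUpdateTargetById 942110 "!ARGS:<param>"'' keeps the rule active everywhere else, and the comment should name the parameters or paths the exception was made for.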
Line 601: Line 603:
         # Too restrictive for login format         # Too restrictive for login format
         SecRuleRemoveById 920440         SecRuleRemoveById 920440
 +        
         # Needed by Websockets          # Needed by Websockets 
         <Location "/idm/api/v1/websocket-info/">         <Location "/idm/api/v1/websocket-info/">
                 SecRuleRemoveById 950100                 SecRuleRemoveById 950100
         </Location>         </Location>
 +        
         # do not log request/response body         # do not log request/response body
         SecAuditLogParts ABFHZ         SecAuditLogParts ABFHZ
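Review bot: ''SecRuleRemoveById 950100'' inside the ''<Location "/idm/api/v1/websocket-info/">'' block is scoped correctly, but the comment "Needed by Websockets" does not record what 950100 actually flagged on that path; add the audit-log message it produced so the exception can be re-validated after a CRS upgrade. On ''SecAuditLogParts ABFHZ'': leaving out the body parts keeps request and response payloads (and any credentials in them) out of the audit log, but it also means a blocked POST cannot be reconstructed from the log later, so the comment should say this is a deliberate trade-off; part H still carries the matched-rule messages, which is enough to tell which rule fired.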
Line 614: Line 616:
 ==== mod_security configuration - CentOS8  ==== ==== mod_security configuration - CentOS8  ====
  
-In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conffind the rule 900200 and 900220 then add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, then allow PUT DELETE and PATCH methods on the line with tx.allowed\_methods. +In the file /etc/httpd/modsecurity.d/activated_rules/REQUEST-901-INITIALIZATION.conf 
-Whole rules after the changes looks like this:+ 
 +  * find the rule 900200 and add methods PUT DELETE and PATCH on the line with tx.allowed\_methods. It look like this after change:
  
 <code> <code>
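Review bot: Grammar in the new bullet: "It look like this after change" should read "It looks like this after the change". Beyond that, the instruction says "find the rule 900200" in ''REQUEST-901-INITIALIZATION.conf'', but what lives in that file is the CRS default block that only sets ''tx.allowed_methods'' when it is still unset (the same ''@eq 0'' guard is visible on the 900220 block further down); editing the default works, but the supported place for a site-specific value is rule 900200 in ''crs-setup.conf'', which survives updates of the rules files, so the tutorial should either point there or warn that this edit must be re-applied after every CRS update.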
Line 625: Line 628:
     nolog,\     nolog,\
     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"     setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"
 +</code>
  
 +  * find the rule 900220 and add support for content\_type=application/json, application/hal+json and text/plain on the line starting with tx.allowed\_request\_content\_type, after change:
 +
 +<code>
 # Default HTTP policy: allowed_request_content_type (rule 900220) # Default HTTP policy: allowed_request_content_type (rule 900220)
 SecRule &TX:allowed_request_content_type "@eq 0" \ SecRule &TX:allowed_request_content_type "@eq 0" \
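Review bot: Adding ''text/plain'' to ''tx.allowed_request_content_type'' needs a sentence of justification in the new bullet: ModSecurity has no body processor for text/plain, so such bodies are never parsed into ARGS and the parameter-level CRS rules do not inspect them, unlike application/json, which the JSON body processor handles when the usual ''ctl:requestBodyProcessor=JSON'' rule in modsecurity.conf is active. For ''application/hal+json'', check that the same body-processor rule also matches it; the classic version of that rule matches only a literal "application/json", in which case hal+json bodies would be allowed through by this change but go uninspected. The ''</code>'' / ''<code>'' split between the two bullets is correct and keeps each rule in its own block.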