Merge pull request 'denc-webcluster: add ModSecurity adjustments' (#30) from import-denc-webcluster-nginx-modsec into production

Reviewed-on: https://git.com.de/LibertaCasa/salt/pulls/30

1 files changed, 9 insertions, 0 deletions

diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 9424091..61fd653 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -125,6 +125,11 @@ nginx:
               - proxy_pass: https://bookstack.themis.backend.syscid.com
               - proxy_http_version: 1.1
             - client_max_body_size: 20M
+            - modsecurity_rules: |-
+                '
+                SecRuleRemoveById 941160
+                SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'"
+                '
 
       http.conf:
         config:
@@ -147,6 +152,10 @@ nginx:
               - proxy_pass: https://privatebin.themis.backend.syscid.com
               - proxy_http_version: 1.1
             - client_max_body_size: 50M
+            - modsecurity_rules: |-
+                '
+                SecRequestBodyNoFilesLimit 50000000
+                '
 
       sso_private.conf:
         config: