From c75e31c14542cd8db89e9b7616adb82e22e945ea Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 12 Feb 2023 23:46:22 +0100
Subject: denc-webcluster: add ModSecurity adjustments

With the rollout of our Salted configuration, ModSecurity is now enforced.
This adds the rules PrivateBin and BookStack need to operate
correctly.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 pillar/cluster/denc/web-proxy.sls | 9 +++++++++
 1 file changed, 9 insertions(+)


diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls
index 9424091..61fd653 100644
--- a/pillar/cluster/denc/web-proxy.sls
+++ b/pillar/cluster/denc/web-proxy.sls
@@ -125,6 +125,11 @@ nginx:
               - proxy_pass: https://bookstack.themis.backend.syscid.com
               - proxy_http_version: 1.1
             - client_max_body_size: 20M
+            - modsecurity_rules: |-
+                '
+                SecRuleRemoveById 941160
+                SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'"
+                '
 
       http.conf:
         config:
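Review bot: `SecRuleRemoveById 941160` switches that rule (from the CRS 941xxx XSS family, as far as the id indicates) off for every request this block covers, and the block appears to sit beside `client_max_body_size` at the server level rather than inside the location, so the whole BookStack vhost would lose the check. If the false positive comes from one known request field, a target exclusion keeps the rule active everywhere else, e.g. `SecRuleUpdateTargetById 941160 "!ARGS:<field>"` (placeholder; the field name is not visible here). A one-line comment in the pillar naming the request that tripped 941160 and why PUT and PATCH are added to `tx.allowed_methods` would let these exceptions be re-evaluated later. The enclosing server mapping starts outside the hunk, so the exact scope should be confirmed against the full file.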
@@ -147,6 +152,10 @@ nginx:
               - proxy_pass: https://privatebin.themis.backend.syscid.com
               - proxy_http_version: 1.1
             - client_max_body_size: 50M
+            - modsecurity_rules: |-
+                '
+                SecRequestBodyNoFilesLimit 50000000
+                '
 
       sso_private.conf:
         config:
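Review bot: `SecRequestBodyNoFilesLimit 50000000` does not line up with `client_max_body_size: 50M` directly above it: nginx reads 50M as 52428800 bytes, so a body between the two values is accepted by nginx and then runs into the ModSecurity limit. `SecRequestBodyNoFilesLimit 52428800` would make both limits agree. The global `SecRequestBodyLimit` is not visible in this hunk; if it is set lower than this value it presumably still caps the request, so it is worth checking alongside this change. Since this raises the size of bodies ModSecurity will buffer and inspect for this vhost, a short comment stating that the value is tied to PrivateBin's paste size limit would keep the two from drifting apart.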
-- 
cgit v1.2.3