From c75e31c14542cd8db89e9b7616adb82e22e945ea Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 12 Feb 2023 23:46:22 +0100 Subject: denc-webcluster: add ModSecurity adjustments With the rollout of our Salted configuration, ModSecurity came enforced. This adds necessary rules to PrivateBin and BookStack for correct operation. Signed-off-by: Georg Pfuetzenreuter --- pillar/cluster/denc/web-proxy.sls | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'pillar/cluster') diff --git a/pillar/cluster/denc/web-proxy.sls b/pillar/cluster/denc/web-proxy.sls index 9424091..61fd653 100644 --- a/pillar/cluster/denc/web-proxy.sls +++ b/pillar/cluster/denc/web-proxy.sls @@ -125,6 +125,11 @@ nginx: - proxy_pass: https://bookstack.themis.backend.syscid.com - proxy_http_version: 1.1 - client_max_body_size: 20M + - modsecurity_rules: |- + ' + SecRuleRemoveById 941160 + SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:\'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH\'" + ' http.conf: config: @@ -147,6 +152,10 @@ nginx: - proxy_pass: https://privatebin.themis.backend.syscid.com - proxy_http_version: 1.1 - client_max_body_size: 50M + - modsecurity_rules: |- + ' + SecRequestBodyNoFilesLimit 50000000 + ' sso_private.conf: config: -- cgit v1.2.3