commit 8ee3c4179ae8619adff5c61d2ce90f70264c92d8
parent 00f64cc90aff33fed6489df26b63bd99036d4059
Author: dankert <devnull@localhost>
Date: Thu, 30 Nov 2006 23:22:29 +0100
Kopfkommentar.
Diffstat:
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/doc/examples/mod-security.conf b/doc/examples/mod-security.conf
@@ -1,7 +1,14 @@
-# Konfiguration für mod-security.
+# OpenRat content managegement system - mod-security
+# ..................................................
+#
+# This is a configuration file for mod-security users.
+# If you do not use mod-security, you do not need this file :)
+#
# Status: In Arbeit.
+# $Id$
+
<IfModule mod_security.c>
# Filter anschalten - kann per VHost (de-)aktiviert werden
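Review bot: The new first header line misspells "management" as `managegement`; it should read `# OpenRat content management system - mod-security`. The header is now English, but the `# Status: In Arbeit.` line kept as context is still German, so readers of the English text may miss that this ruleset is unfinished; `# Status: work in progress.` would match. The added `$Id$` line is only useful if keyword expansion is enabled for this file, which the diff does not show.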
@@ -38,6 +45,8 @@
# Include /etc/mod-security.d/[^.#]*
SecAuditEngine RelevantOnly
+
+ # don't forget to rotate the logfile.
SecAuditLog /tmp/security-audit.log
# ServerSignature fälschen - erfordert ServerTokens Full
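Review bot: The comment added above `SecAuditLog /tmp/security-audit.log` covers rotation but not the more serious problem with that line, which is the log's location. `/tmp` is world-writable, so any local account can create or link that file name before the server opens it. The audit log may also record request data that other local users should not be able to read; the parameter whitelist further down includes `login_password`. Because this is an example file that people copy, the comment should say so, e.g. `# keep the audit log outside /tmp, in a directory only root can write, and rotate it.`, with the path pointed at the server's own log directory. The enclosing `<IfModule mod_security.c>` block starts and ends outside this hunk.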
@@ -46,24 +55,17 @@
SecFilter /bin/sh
-
-
# Bilder und andere statische Dateien
SecFilterSelective REQUEST_FILENAME "^.*\.(png|jpe?g|gif|css|js)$" allow
- # SecFilterSelective ARG_action "^$" chain
- # SecFilterSelective ARG_subaction "^$" chain
# Startseite
SecFilterSelective REQUEST_URI "^.*/$" allow
#SecFilterSelective SCRIPT_FILENAME "!^do\.php[3-5]?$"
-
# Parameter Whitelist
SecFilterSelective ARGS_NAMES "!^(subaction|action|oi|id|login_name|login_password|elementid|dbid|ok|screenwidth)$"
- #
- SecFilterSelective ARGS_NAMES "xxx"
@@ -140,9 +142,13 @@
SecFilterSelective ARG_action "^group$" chain
SecFilterSelective ARG_subaction "^(|listing|edit|save|add|remove|users)$" allow
+
+
# Fallback: Alles ablehnen.
SecFilter ".*"
+
+
# Ausgabe-Filterung
SecFilterScanOutput On
SecFilterSelective OUTPUT "Fatal error:" deny,status:500