
commit ec28ff9e279f5bc146698cd9a005405dfcbad620
parent cd1506e51d94145c1538e06f25f14070f2680737
Author: dankert <devnull@localhost>
Date:   Wed, 29 Nov 2006 00:06:40 +0100

Beispielkonfiguration für mod-security (in Arbeit)

Diffstat:
doc/examples/mod-security.conf | 113+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 113 insertions(+), 0 deletions(-)

diff --git a/doc/examples/mod-security.conf b/doc/examples/mod-security.conf 
@@ -0,0 +1,113 @@
+
+# Konfiguration für mod-security.
+# Status: In Arbeit.
+
+<IfModule mod_security.c>
+
+ # Filter anschalten - kann per VHost (de-)aktiviert werden
+ SecFilterEngine On
+ #SecFilterEngine DynamicOnly
+ #
+
+ # Pruefung von URL-Encoding aktivieren
+ SecFilterCheckURLEncoding On
+
+ # Unicode-Validierung aktivieren
+ SecFilterCheckUnicodeEncoding On
+
+ # HTTP-POST-Daten verarbeiten
+ SecFilterScanPOST On
+ SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
+
+ # Require Content-Length to be provided with
+ # every POST request
+ SecFilterSelective REQUEST_METHOD "^POST$" chain
+ SecFilterSelective HTTP_Content-Length "^$"
+
+ # Deaktivieren von "Chunked Transfer Encoding
+ SecFilterSelective HTTP_Transfer-Encoding "!^$"
+
+ #SecFilterForceByteRange 32 126
+ SecFilterForceByteRange 32 160
+
+ # Standard-Aktion für zutreffende Filterregeln
+ SecFilterDefaultAction "deny,log,status:403"
+
+ # Filterregeln aus mod-security.d einbinden
+ # Include /etc/mod-security.d/[^.#]*
+
+ SecAuditEngine RelevantOnly
+ SecAuditLog /tmp/security-audit.log
+
+ # ServerSignature fälschen - erfordert ServerTokens Full
+ #SecServerSignature "OpenRat Server"
+
+ SecFilter /bin/sh
+
+ # Bilder und andere statische Dateien
+ SecFilterSelective REQUEST_FILENAME "^.*\.(png|jpe?g|gif|css|js)$" allow
+
+ SecFilterSelective ARG_action "^folder$" chain
+ SecFilterSelective ARG_subaction "^(|show|create|pub|prop|rghts)$" chain
+ SecFilterSelective ARGS_NAMES "^id$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^page$" chain
+ SecFilterSelective ARG_subaction "^(|show|edit|el|pub|prop|rghts)$" chain
+ SecFilterSelective ARGS_NAMES "^id$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^file$" chain
+ SecFilterSelective ARG_subaction "^(|show|pub|prop|rights)$" chain
+ SecFilterSelective ARGS_NAMES "^id$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^link$" chain
+ SecFilterSelective ARG_subaction "^(|show|pub|prop|rghts)$" chain
+ SecFilterSelective ARGS_NAMES "^id$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^index$" chain
+ SecFilterSelective ARG_subaction "^(|project|object|projectmenu|administration|changepassword|register|password|showlogin|login|logout)$" chain
+ SecFilterSelective ARGS_NAMES "^(id|login_name|login_password|dbid)$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^pageelement$" chain
+ SecFilterSelective ARG_subaction "^(|editlink|editlongtext)$" chain
+ SecFilterSelective ARGS_NAMES "^id$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^main$" chain
+ SecFilterSelective ARG_subaction "^(folder|page|pageelement|file|link)$" chain
+ SecFilterSelective ARGS_NAMES "!^(id)$" chain
+ SecFilterSelective ARG_id "^[0-9-]*$" allow
+
+ SecFilterSelective ARG_action "^mainmenu$" chain
+ SecFilterSelective ARG_subaction "^(folder|page|pageelement|link|file)$" allow
+
+ SecFilterSelective ARG_action "^tree$" chain
+ SecFilterSelective ARG_subaction "^(load|open|close)$" allow
+
+ SecFilterSelective ARG_action "^border$" chain
+ SecFilterSelective ARG_subaction "^(|show)$" allow
+
+ SecFilterSelective ARG_action "^background$" chain
+ SecFilterSelective ARG_subaction "^(|show)$" allow
+
+ SecFilterSelective ARG_action "^title$" chain
+ SecFilterSelective ARG_subaction "^(|show)$" allow
+
+ SecFilterSelective ARG_action "^treetitle$" chain
+ SecFilterSelective ARG_subaction "^(|show)$" allow
+
+ # Fallback: Alles ablehnen.
+ SecFilter ".*"
+
+
+
+ # Ausgabe-Filterung
+ SecFilterScanOutput On
+ SecFilterSelective OUTPUT "Fatal error:" deny,status:500
+ SecFilterSelective OUTPUT "Parse error:" deny,status:500
+
+</IfModule>
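Review bot: `SecAuditLog /tmp/security-audit.log` writes the audit trail, which records the request data of every rule hit, into the world-writable /tmp directory, where it is readable by any local user, exposed to symlink tricks at creation time and lost on reboot; it belongs in the server's log directory, e.g. `SecAuditLog logs/security-audit.log` (resolved relative to ServerRoot). The two OUTPUT rules at the end give `deny,status:500` as their action list, which in mod_security 1.x replaces the default action list rather than extending it, so those blocked responses are never logged; write them as `SecFilterSelective OUTPUT "Fatal error:" deny,log,status:500` and the same for "Parse error:". `SecFilterForceByteRange 32 160` also deserves a comment stating its intent: it admits DEL and the C1 control bytes 127-159 while still rejecting every Latin-1 and UTF-8 letter above 160, so it is neither the printable-ASCII range commented out just above it nor a range that would accept umlauts in form data — presumably one of the two was meant. The header says the file is still in progress, so these may be known gaps.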