author | nachoparker <nacho@ownyourbits.com> | 2017-05-25 01:07:27 +0300 |
---|---|---|
committer | nachoparker <nacho@ownyourbits.com> | 2017-05-25 19:20:34 +0300 |
commit | c02bc6b520f37e11bcfeaad61f04694ee3f5bba7 (patch) | |
tree | f64e23199ed88adf0889fb81b5a5d903685aea72 | |
parent | e3a4878ef2e2e9f6b6ae6a701a449c024d1982ef (diff) |
revisited modsecurity rules. Fixed photo uploads and notes appv0.12.1
-rw-r--r-- | etc/nextcloudpi-config.d/modsecurity.sh | 57 |
1 files changed, 38 insertions, 19 deletions
diff --git a/etc/nextcloudpi-config.d/modsecurity.sh b/etc/nextcloudpi-config.d/modsecurity.sh
index ce53f662..70d07aff 100644
--- a/etc/nextcloudpi-config.d/modsecurity.sh
+++ b/etc/nextcloudpi-config.d/modsecurity.sh
@@ -23,6 +23,7 @@ install()
 {
   apt-get update
   apt-get install -y --no-install-recommends libapache2-mod-security2 modsecurity-crs
+  a2dismod security2
 
   # COPY RULES
   cd /usr/share/modsecurity-crs/base_rules/
@@ -56,7 +57,27 @@ install()
 ---
 >   setvar:'\''tx.allowed_http_versions=HTTP/1.1 HTTP/2.0'\'', \'
 
-cat >> /etc/modsecurity/modsecurity_crs_99_whitelist.conf <<EOF
+  cat >> /etc/apache2/apache2.conf <<EOF
+<IfModule mod_security2.c>
+  SecServerSignature " "
+</IfModule>
+EOF
+}
+
+show_info()
+{
+  whiptail --yesno \
+    --backtitle "NextCloudPi configuration" \
+    --title "Experimental feature warning" \
+"This feature is highly experimental and has only been tested with
+a basic NextCloud installation. If a new App does not work disable it" \
+    20 90
+}
+
+configure()
+{
+
+  cat >> /etc/modsecurity/modsecurity_crs_99_whitelist.conf <<EOF
 <Directory $NCDIR_>
   # VIDEOS
   SecRuleRemoveById 958291 # Range Header Checks
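Review bot: `cat >> /etc/modsecurity/modsecurity_crs_99_whitelist.conf <<EOF` now lives in configure(), which presumably runs each time the option is (re)configured rather than once at install, so every run appends another `<Directory $NCDIR_>` block to the whitelist file and the exemptions pile up. Guarding the append keeps it idempotent, e.g. `grep -q "<Directory $NCDIR_>" /etc/modsecurity/modsecurity_crs_99_whitelist.conf || cat >> /etc/modsecurity/modsecurity_crs_99_whitelist.conf <<EOF`, or write the block to a file of its own with `>` so a re-run replaces rather than accumulates. The `SecServerSignature " "` line in install() would also benefit from a short comment stating that a blank value is used to hide the server banner. install() begins before the first hunk and configure() continues into the next one.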
@@ -79,29 +100,27 @@ cat >> /etc/modsecurity/modsecurity_crs_99_whitelist.conf <<EOF
 
   # COMING BACK FROM OLD SESSION
   SecRuleRemoveById 970903 # Microsoft Office document properties leakage
+
+  # NOTES APP
+  SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+  SecRuleRemoveById 200002 # Failed to parse request body
+
+  # UPLOADS ( 5 MB max excluding file size )
+  SecRequestBodyNoFilesLimit 5242880
+
+  # GENERAL
+  SecRuleRemoveById 960017 # Host header is a numeric IP address
+
+  # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+  #SecRuleRemoveById 981220 900046 981407
+  #SecRuleRemoveById 981222 981405 981185 981184
+
 </Directory>
 EOF
 
-  cat >> /etc/apache2/apache2.conf <<EOF
-<IfModule mod_security2.c>
-  SecServerSignature " "
-</IfModule>
-EOF
-}
-show_info()
-{
-  whiptail --yesno \
-    --backtitle "NextCloudPi configuration" \
-    --title "Experimental feature warning" \
-"This feature is highly experimental and has only been tested with
-a basic NextCloud installation. If a new App does not work disable it" \
-    20 90
-}
-
-configure()
-{
   [[ $ACTIVE_ == "yes" ]] && local STATE=On || local STATE=Off
   sed -i "s|SecRuleEngine .*|SecRuleEngine $STATE|" /etc/modsecurity/modsecurity.conf
+  a2enmod security2
   service apache2 restart
 }
 
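Review bot: `SecRuleRemoveById 200002` switches off the request-body parse-failure check for the whole `<Directory $NCDIR_>` tree, not just the Notes app, so malformed bodies are no longer rejected anywhere under Nextcloud; that trade-off deserves a comment and, if the breakage is confined to one endpoint, a narrower scope than the whole directory. A line such as `# 200002: Notes sends bodies ModSecurity cannot parse; removing it means body-parse errors are no longer blocked under $NCDIR_` records why the exemption exists. Separately, `a2enmod security2` runs regardless of `$ACTIVE_`; that is harmless while the preceding sed sets SecRuleEngine Off, but a one-line comment saying the module stays loaded and only the engine toggles would save the next reader a check. configure() starts in the previous hunk.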