/usr/share/puppet/modules.available/puppetlabs-apache/templates/mod/security.conf.erb is in puppet-module-puppetlabs-apache 3.0.0-1.

This file is owned by root:root, with mode 0o644.

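<IfModule mod_security2.c>
    # Base ModSecurity settings rendered by the Puppet apache module.
    # Values written as ERB expressions come from class parameters; the
    # rest are fixed defaults.

    # Default recommended configuration
    # Engine mode comes from the module parameter. In DetectionOnly mode the
    # rules below are evaluated and logged, but "deny" is not enforced, so
    # confirm the rendered value before relying on this file for blocking.
    SecRuleEngine <%= @modsec_secruleengine %>
    # Buffer request bodies so the phase:2 rules below can inspect them.
    SecRequestBodyAccess On
    # Switch to the XML body processor when Content-Type matches "text/xml".
    # NOTE(review): the pattern is a regex match on "text/xml" only; other
    # XML media types such as application/xml do not match it.
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
      "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    # Request body size limits; bodies over the limit are rejected rather
    # than partially processed.
    SecRequestBodyLimit <%= @secrequestbodylimit %>
    SecRequestBodyNoFilesLimit <%= @secrequestbodynofileslimit %>
    SecRequestBodyInMemoryLimit <%= @secrequestbodyinmemorylimit %>
    SecRequestBodyLimitAction Reject
    # Fail closed when the request body could not be parsed: a body the WAF
    # cannot read is a body the rules cannot inspect.
    SecRule REQBODY_ERROR "!@eq 0" \
      "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    # Strict multipart validation. The response status is 400, matching rule
    # 200001; the previous value 44 is not a valid HTTP status code.
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
      "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body failed strict validation: \
      PE %{REQBODY_PROCESSOR_ERROR}, \
      BQ %{MULTIPART_BOUNDARY_QUOTED}, \
      BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
      DB %{MULTIPART_DATA_BEFORE}, \
      DA %{MULTIPART_DATA_AFTER}, \
      HF %{MULTIPART_HEADER_FOLDING}, \
      LF %{MULTIPART_LF_LINE}, \
      SM %{MULTIPART_MISSING_SEMICOLON}, \
      IQ %{MULTIPART_INVALID_QUOTING}, \
      IP %{MULTIPART_INVALID_PART}, \
      IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
      FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

    # httpoxy mitigation: deny any request that carries a Proxy header
    # (the & prefix counts matching headers). No phase or status is set
    # here, so the effective SecDefaultAction decides both.
    # NOTE(review): id 1000005 lies outside the 2000xx series used by the
    # other rules in this file; check it does not collide with local rules.
    SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"


    # Status is 400 for the same reason as rule 200002 (44 is not a valid
    # HTTP status code).
    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
      "id:'200003',phase:2,t:none,log,deny,status:400,msg:'Multipart parser detected a possible unmatched boundary.'"

    # Caps on PCRE matching effort.
    SecPcreMatchLimit <%= @secpcrematchlimit %>
    SecPcreMatchLimitRecursion <%= @secpcrematchlimitrecursion %>

    # Deny when any TX variable whose name starts with MSC_ holds a value
    # other than "0", i.e. when the engine flagged an internal error, so an
    # inspection failure does not silently let the request through.
    SecRule TX:/^MSC_/ "!@streq 0" \
      "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

    # Response bodies are not inspected. The MIME type and limit settings
    # below only matter if SecResponseBodyAccess is turned On.
    SecResponseBodyAccess Off
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    # Debug logging disabled; audit logging limited to relevant transactions
    # (those matching the status pattern below).
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "<%= @audit_log_relevant_status %>"
    # Depending on the parts selected, the audit log can hold request
    # headers and bodies (cookies, credentials); restrict read access to it.
    SecAuditLogParts <%= @audit_log_parts %>
    SecAuditLogType Serial
    SecArgumentSeparator &
    SecCookieFormat 0
    # Log and working-directory paths differ per OS family. The Tmp, Data
    # and Upload directories hold request data and persistent collections;
    # they should be writable by the web server user only.
<%- if scope.lookupvar('::osfamily') == 'Debian' -%>
    SecDebugLog <%= @logroot %>/modsec_debug.log
    SecAuditLog <%= @logroot %>/modsec_audit.log
    SecTmpDir /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity
    SecUploadDir /var/cache/modsecurity
<%- elsif scope.lookupvar('::osfamily') == 'Suse' -%>
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
    SecUploadDir /var/lib/mod_security
<% else -%>
    SecDebugLog <%= @logroot %>/modsec_debug.log
    SecAuditLog <%= @logroot %>/modsec_audit.log
    SecTmpDir /var/lib/mod_security
    SecDataDir /var/lib/mod_security
    SecUploadDir /var/lib/mod_security
<% end -%>
    # Do not retain intercepted file uploads on disk.
    SecUploadKeepFiles Off

    # ModSecurity Core Rules Set configuration
    # Apache 2.4 and later use IncludeOptional, which does not fail when the
    # wildcard matches nothing. An empty or missing rules directory then
    # loads no rules without any error, so verify that rules were loaded.
<%- if scope.function_versioncmp([scope.lookupvar('::apache::apache_version'), '2.4']) >= 0 -%>
    IncludeOptional <%= @modsec_dir %>/*.conf
    IncludeOptional <%= @modsec_dir %>/activated_rules/*.conf
<%- else -%>
    Include <%= @modsec_dir %>/*.conf
    Include <%= @modsec_dir %>/activated_rules/*.conf
<%- end -%>
</IfModule>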