fix CVE-2021-20205 and examples update

examples/multisite-custom-server-confs/docker-compose.yml

@@ -27,9 +27,9 @@ services:
       - wp.website.com_REMOTE_PHP_PATH=/var/www/html
       - nc.website.com_REMOTE_PHP=mync
       - nc.website.com_REMOTE_PHP_PATH=/var/www/html
-      - nc.website.com_LIMIT_REQ_RATE=40r/s
-      - nc.website.com_LIMIT_REQ_BURST=60
-      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
+      - nc.website.com_LIMIT_REQ_RATE=5r/s
+      - nc.website.com_LIMIT_REQ_BURST=10
+      - nc.website.com_ALLOWED_METHODS=GET|POST|HEAD|COPY|DELETE|LOCK|MKCOL|MOVE|PROPFIND|PROPPATCH|PUT|UNLOCK|OPTIONS
       - nc.website.com_X_FRAME_OPTIONS=SAMEORIGIN
       - nc.website.com_FAIL2BAN_STATUS_CODE=400|401|403|405|444
     networks:

examples/multisite-custom-server-confs/modsec-confs/nc.website.com/nextcloud.conf

@@ -1 +1,2 @@
 SecRuleRemoveById 921110
+SecRule REQUEST_FILENAME "@contains /remote.php/webdav" "id:1,ctl:ruleRemoveByTag=OWASP_CRS"

examples/multisite-custom-server-confs/modsec-confs/wp.website.com/wordpress.conf

@@ -1 +1,4 @@
+SecRule REQUEST_FILENAME "/wp-admin/admin-ajax.php" "id:1,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-rce"
+SecRule REQUEST_FILENAME "/wp-admin/options.php" "id:2,ctl:ruleRemoveByTag=attack-xss"
+SecRule REQUEST_FILENAME "^/wp-json/yoast" "id:3,ctl:ruleRemoveById=930120"
 SecRuleRemoveById 953120

examples/multisite-custom-server-confs/modsec-crs-confs/nc.website.com/nextcloud.conf

@@ -12,4 +12,4 @@ SecAction \
   nolog,\
   pass,\
   t:none,\
-  setvar:'tx.allowed_methods=GET HEAD POST PROPFIND DELETE PUT MKCOL MOVE COPY PROPPATCH REPORT'"
+  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"