# process rules with disruptive actions SecRuleEngine On # allow body checks SecRequestBodyAccess On # enable XML parsing SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" # enable JSON parsing SecRule REQUEST_HEADERS:Content-Type "application/json" \ "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON" # maximum data size SecRequestBodyLimit 13107200 SecRequestBodyNoFilesLimit 131072 # reject requests if bigger than max data size SecRequestBodyLimitAction Reject # reject if we can't process the body SecRule REQBODY_ERROR "!@eq 0" \ "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" # be strict with multipart/form-data body SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ "id:'200003',phase:2,t:none,log,deny,status:400, \ msg:'Multipart request body failed strict validation: \ PE %{REQBODY_PROCESSOR_ERROR}, \ BQ %{MULTIPART_BOUNDARY_QUOTED}, \ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ DB %{MULTIPART_DATA_BEFORE}, \ DA %{MULTIPART_DATA_AFTER}, \ HF %{MULTIPART_HEADER_FOLDING}, \ LF %{MULTIPART_LF_LINE}, \ SM %{MULTIPART_MISSING_SEMICOLON}, \ IQ %{MULTIPART_INVALID_QUOTING}, \ IP %{MULTIPART_INVALID_PART}, \ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \ "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'" # enable response body checks SecResponseBodyAccess On SecResponseBodyMimeType text/plain text/html text/xml application/json SecResponseBodyLimit 524288 SecResponseBodyLimitAction ProcessPartial # log usefull stuff SecAuditEngine {{ MODSECURITY_SEC_AUDIT_ENGINE }} SecAuditLogType Serial SecAuditLog /var/log/nginx/modsec_audit.log # include OWASP CRS configurations {% if USE_MODSECURITY_CRS == "yes" %} include /opt/bunkerweb/core/modsecurity/files/crs-setup.conf # custom CRS configurations before loading rules (e.g. exclusions) {% if is_custom_conf("/opt/bunkerweb/configs/modsec-crs") %} include /opt/bunkerweb/configs/modsec-crs/*.conf {% endif %} {% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerweb/configs/modsec-crs/" + SERVER_NAME.split(" ")[0]) %} include /opt/bunkerweb/configs/modsec-crs/{{ SERVER_NAME.split(" ")[0] }}/*.conf {% endif %} {% if is_custom_conf("/etc/nginx/modsec-crs") %} include /etc/nginx/modsec-crs/*.conf {% endif %} {% if MULTISITE == "yes" and is_custom_conf("/etc/nginx/" + SERVER_NAME.split(" ")[0] + "/modsec-crs/") %} include /etc/nginx/{{ SERVER_NAME.split(" ")[0] }}/modsec-crs/*.conf {% endif %} # unset REASON env var SecAction "nolog,phase:1,setenv:REASON=none" # Auto update allowed methods {% if ALLOWED_METHODS != "" +%} SecAction \ "id:900200,\ phase:1,\ nolog,\ pass,\ t:none,\ setvar:'tx.allowed_methods={{ ALLOWED_METHODS.replace("|", " ") }}'" {% endif +%} # include OWASP CRS rules include /opt/bunkerweb/core/modsecurity/files/coreruleset/rules/*.conf {% endif %} # custom rules after loading the CRS {% if is_custom_conf("/opt/bunkerweb/configs/modsec") %} include /opt/bunkerweb/configs/modsec/*.conf {% endif %} {% if MULTISITE == "yes" and is_custom_conf("/opt/bunkerweb/configs/modsec/" + SERVER_NAME.split(" ")[0]) %} include /opt/bunkerweb/configs/modsec/{{ SERVER_NAME.split(" ")[0] }}/*.conf {% endif %} {% if is_custom_conf("/etc/nginx/modsec") %} include /etc/nginx/modsec/*.conf {% endif %} {% if MULTISITE == "yes" and is_custom_conf("/etc/nginx/" + SERVER_NAME.split(" ")[0] + "/modsec") %} include /etc/nginx/{{ SERVER_NAME.split(" ")[0] }}/modsec/*.conf {% endif %} # set REASON env var {% if USE_MODSECURITY_CRS == "yes" %} SecRuleUpdateActionById 949110 "t:none,deny,status:403,setenv:REASON=modsecurity" SecRuleUpdateActionById 959100 "t:none,deny,status:403,setenv:REASON=modsecurity" {% endif %}