bugfix: fix the vhost security configuration
The modified variable was never passed to the template, resulting in a
bad vhost security configuration if secrules were removed.

Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
JGodin-C2C committed Feb 28, 2024
1 parent bde17ea commit a668633
Showing 2 changed files with 5 additions and 7 deletions.
8 changes: 4 additions & 4 deletions manifests/vhost.pp
@@ -2828,14 +2828,14 @@
}
}

if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
if $modsec_disable_vhost or $_modsec_disable_ids or !empty($_modsec_disable_ips) or $_modsec_disable_msgs or $_modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
$security_params = {
'modsec_disable_vhost' => $modsec_disable_vhost,
'modsec_audit_log_destination' => $modsec_audit_log_destination,
'_modsec_disable_ids' => $modsec_disable_ids,
'_modsec_disable_ids' => $_modsec_disable_ids,
'modsec_disable_ips' => $modsec_disable_ips,
'_modsec_disable_msgs' => $modsec_disable_msgs,
'_modsec_disable_tags' => $modsec_disable_tags,
'_modsec_disable_msgs' => $_modsec_disable_msgs,
'_modsec_disable_tags' => $_modsec_disable_tags,
'modsec_body_limit' => $modsec_body_limit,
'modsec_inbound_anomaly_threshold' => $modsec_inbound_anomaly_threshold,
'modsec_outbound_anomaly_threshold' => $modsec_outbound_anomaly_threshold,
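Review bot: In the `$_`-prefixed version of the `if` condition (the new side, going by the commit description) the IP term is `!empty($_modsec_disable_ips)`, yet the hash below still passes `'modsec_disable_ips' => $modsec_disable_ips`, so the guard and the template input no longer refer to the same variable. No assignment of `$_modsec_disable_ips` is visible in this hunk; if the manifest does not define it earlier, a vhost that sets only `modsec_disable_ips` would skip the security block and the expected ModSecurity settings would silently not be rendered. Either keep `!empty($modsec_disable_ips)` in the condition or pass the normalised variable in the hash, whichever matches the rest of the manifest. The `if` block and the `$security_params` hash continue past the end of the hunk.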
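--- a/templates/vhost/_security.epp
+++ b/templates/vhost/_security.epp
@@ -1,7 +1,5 @@
 <IfModule mod_security2.c>
-<% if $modsec_disable_vhost {-%>
-SecRuleEngine Off
-<% } -%>
+SecRuleEngine <%= apache::bool2httpd(!$modsec_disable_vhost) %>
 <% if $modsec_audit_log_destination {-%>
 SecAuditLog "<%= $modsec_audit_log_destination %>"
 <% } -%>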
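Review bot: The new `SecRuleEngine <%= apache::bool2httpd(!$modsec_disable_vhost) %>` line is emitted unconditionally, so every vhost that renders this template gets an explicit `SecRuleEngine On` whenever `$modsec_disable_vhost` is false or unset (assuming `apache::bool2httpd` maps true to `On`). A vhost-level `On` overrides a server-wide engine mode such as `DetectionOnly`, so a vhost that only excludes a rule id would switch from logging to blocking after this change. If that is not intended, emit the directive only when the vhost actually disables the engine. Otherwise document it in the template, for example `<%# Always pins the engine mode for this vhost; overrides the global SecRuleEngine -%>`, and call it out in the release notes. The `<IfModule>` block continues past the end of the hunk.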
