bugfix: fix the vhost security configuration
The normalised variable was never passed to the template, resulting in a
broken vhost security configuration whenever ModSecurity rules were disabled
(modsec_disable_ids / modsec_disable_msgs / modsec_disable_tags).

Signed-off-by: Julien Godin <julien.godin@camptocamp.com>
JGodin-C2C committed Feb 28, 2024
1 parent bde17ea commit bf1f318
Showing 2 changed files with 17 additions and 25 deletions.
38 changes: 16 additions & 22 deletions manifests/vhost.pp
Expand Up @@ -2170,28 +2170,22 @@
}

## Create a global LocationMatch if locations aren't defined
if $modsec_disable_ids {
if $modsec_disable_ids =~ Array {
$_modsec_disable_ids = { '.*' => $modsec_disable_ids }
} else {
$_modsec_disable_ids = $modsec_disable_ids
}
if $modsec_disable_ids =~ Array {
$_modsec_disable_ids = { '.*' => $modsec_disable_ids }
} else {
$_modsec_disable_ids = $modsec_disable_ids
}

if $modsec_disable_msgs {
if $modsec_disable_msgs =~ Array {
$_modsec_disable_msgs = { '.*' => $modsec_disable_msgs }
} else {
$_modsec_disable_msgs = $modsec_disable_msgs
}
if $modsec_disable_msgs =~ Array {
$_modsec_disable_msgs = { '.*' => $modsec_disable_msgs }
} else {
$_modsec_disable_msgs = $modsec_disable_msgs
}

if $modsec_disable_tags {
if $modsec_disable_tags =~ Array {
$_modsec_disable_tags = { '.*' => $modsec_disable_tags }
} else {
$_modsec_disable_tags = $modsec_disable_tags
}
if $modsec_disable_tags =~ Array {
$_modsec_disable_tags = { '.*' => $modsec_disable_tags }
} else {
$_modsec_disable_tags = $modsec_disable_tags
}

concat { "${priority_real}$(unknown).conf":
Expand Down Expand Up @@ -2828,14 +2822,14 @@
}
}

if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
if $modsec_disable_vhost or $_modsec_disable_ids or !empty($modsec_disable_ips) or $_modsec_disable_msgs or $_modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
$security_params = {
'modsec_disable_vhost' => $modsec_disable_vhost,
'modsec_audit_log_destination' => $modsec_audit_log_destination,
'_modsec_disable_ids' => $modsec_disable_ids,
'_modsec_disable_ids' => $_modsec_disable_ids,
'modsec_disable_ips' => $modsec_disable_ips,
'_modsec_disable_msgs' => $modsec_disable_msgs,
'_modsec_disable_tags' => $modsec_disable_tags,
'_modsec_disable_msgs' => $_modsec_disable_msgs,
'_modsec_disable_tags' => $_modsec_disable_tags,
'modsec_body_limit' => $modsec_body_limit,
'modsec_inbound_anomaly_threshold' => $modsec_inbound_anomaly_threshold,
'modsec_outbound_anomaly_threshold' => $modsec_outbound_anomaly_threshold,
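Review bot: The rewritten condition in the second hunk still treats an empty list as a request to disable rules: `[] =~ Array` is true, so `$_modsec_disable_ids` becomes `{ '.*' => [] }`, a Hash is truthy in Puppet, and `$security_params` is built with a global `.*` location that has nothing to remove; the same applies to `_msgs` and `_tags`. `modsec_disable_ips` on the same line is already guarded with `!empty(...)`, so the three normalised variables could be guarded the same way, e.g. `if $modsec_disable_vhost or !empty($_modsec_disable_ids) or !empty($modsec_disable_ips) or !empty($_modsec_disable_msgs) or !empty($_modsec_disable_tags) or $modsec_audit_log_destination or ... {` (core `empty()` returns true for undef on recent Puppet, but check the module's minimum version in metadata.json). The new `else` branches also pass any non-Array value through untouched, so whether the template can rely on receiving a Hash depends on the parameters' declared types, which are outside this view. The enclosing define starts and ends outside both hunks.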
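--- a/templates/vhost/_security.epp
+++ b/templates/vhost/_security.epp
@@ -1,7 +1,5 @@
 <IfModule mod_security2.c>
-<% if $modsec_disable_vhost {-%>
-SecRuleEngine Off
-<% } -%>
+SecRuleEngine <%= apache::bool2httpd(!$modsec_disable_vhost) %>
 <% if $modsec_audit_log_destination {-%>
 SecAuditLog "<%= $modsec_audit_log_destination %>"
 <% } -%>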
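Review bot: The new `SecRuleEngine` line is emitted for every vhost, so when `$modsec_disable_vhost` is false or undef the vhost now gets an explicit `SecRuleEngine On` (assuming `apache::bool2httpd` maps true to `On`), whereas the removed lines emitted nothing in that case and let the vhost inherit the server-wide setting, e.g. a global `DetectionOnly`. That silently moves such vhosts from detection-only into blocking mode, which deserves at least a template comment, e.g. `<%# SecRuleEngine is set per vhost and overrides the server-level value; only On/Off are expressible here -%>`. If inheritance of the global mode was relied upon, the directive should only be emitted when `$modsec_disable_vhost` is set, or the parameter should accept the engine's three values directly. The `<IfModule>` block continues outside the hunk.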
