Add configuration and script to enable mod-security 2.6.0.

git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@1135046 13f79535-47bb-0310-9956-ffa450edef68

5 files changed, 220 insertions, 1 deletions

diff --git a/sca-cpp/trunk/modules/edit/ssl-start b/sca-cpp/trunk/modules/edit/ssl-start
index 1c85c74b5b..5b982f45ff 100755
--- a/sca-cpp/trunk/modules/edit/ssl-start
+++ b/sca-cpp/trunk/modules/edit/ssl-start
@@ -38,6 +38,10 @@ jsprefix=`readlink -f $here/../js`
 ../../modules/http/open-auth-conf tmp
 ../../modules/http/passwd-auth-conf tmp john john
 ../../modules/http/passwd-auth-conf tmp jane jane
+../../modules/http/passwd-auth-conf tmp admin admin
+
+# Configure mod-security
+../../modules/http/mod-security-conf tmp
 
 # Configure Python component support
 ../../modules/server/server-conf tmp
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index a47b83fbf0..f6e95b3996 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -21,7 +21,7 @@ incl_HEADERS = *.hpp
 incldir = $(prefix)/include/modules/http
 
 dist_mod_SCRIPTS = httpd-conf httpd-addr httpd-start httpd-stop httpd-restart ssl-ca-conf ssl-cert-conf ssl-cert-find httpd-ssl-conf basic-auth-conf cert-auth-conf form-auth-conf open-auth-conf passwd-auth-conf group-auth-conf proxy-conf proxy-ssl-conf proxy-member-conf proxy-ssl-member-conf vhost-conf vhost-ssl-conf tunnel-ssl-conf httpd-worker-conf httpd-event-conf
-moddir=$(prefix)/modules/http
+moddir = $(prefix)/modules/http
 
 curl_test_SOURCES = curl-test.cpp
 curl_test_LDFLAGS = -lxml2 -lcurl -lmozjs
@@ -59,6 +59,17 @@ httpd-modules.prefix: $(top_builddir)/config.status
 curl.prefix: $(top_builddir)/config.status
 	echo ${CURL_PREFIX} >curl.prefix
 
+if WANT_MODSECURITY
+
+modsecurity.prefix: $(top_builddir)/config.status
+	echo ${MODSECURITY_PREFIX} >modsecurity.prefix
+
+dist_modsecurity_SCRIPTS = mod-security-conf
+modsecurity_DATA = modsecurity.prefix
+modsecuritydir = $(prefix)/modules/http
+
+endif
+
 dist_noinst_SCRIPTS = httpd-test http-test proxy-test
 noinst_PROGRAMS = curl-test curl-get curl-connect
 TESTS = httpd-test http-test proxy-test
diff --git a/sca-cpp/trunk/modules/http/httpd-conf b/sca-cpp/trunk/modules/http/httpd-conf
index 7c9190d08c..199eec8301 100755
--- a/sca-cpp/trunk/modules/http/httpd-conf
+++ b/sca-cpp/trunk/modules/http/httpd-conf
@@ -61,6 +61,7 @@ Group $group
 ServerSignature Off
 ServerTokens Prod
 Timeout 45
+RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
 LimitRequestBody 1048576
 HostNameLookups Off
 
@@ -132,6 +133,12 @@ SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
 Header append Vary User-Agent env=!dont-vary
 </Location>
 
+# Enable per client bandwidth rate limt
+<Location />
+SetOutputFilter RATE_LIMIT
+SetEnv rate-limit 400 
+</Location>
+
 # Listen on HTTP port
 Listen $listen
 
@@ -200,10 +207,12 @@ LoadModule socache_shmcb_module ${modules_prefix}/modules/mod_socache_shmcb.so
 LoadModule rewrite_module ${modules_prefix}/modules/mod_rewrite.so
 LoadModule mime_module ${modules_prefix}/modules/mod_mime.so
 LoadModule status_module ${modules_prefix}/modules/mod_status.so
+LoadModule info_module ${modules_prefix}/modules/mod_info.so
 LoadModule asis_module ${modules_prefix}/modules/mod_asis.so
 LoadModule negotiation_module ${modules_prefix}/modules/mod_negotiation.so
 LoadModule dir_module ${modules_prefix}/modules/mod_dir.so
 LoadModule setenvif_module ${modules_prefix}/modules/mod_setenvif.so
+LoadModule env_module ${modules_prefix}/modules/mod_env.so
 <IfModule !log_config_module>
 LoadModule log_config_module ${modules_prefix}/modules/mod_log_config.so
 </IfModule>
diff --git a/sca-cpp/trunk/modules/http/httpd-ssl-conf b/sca-cpp/trunk/modules/http/httpd-ssl-conf
index 5882a18cb4..9933d1c7d9 100755
--- a/sca-cpp/trunk/modules/http/httpd-ssl-conf
+++ b/sca-cpp/trunk/modules/http/httpd-ssl-conf
@@ -69,6 +69,11 @@ HostnameLookups on
 Require user admin
 </Location>
 
+<Location /server-info>
+SetHandler server-info
+HostnameLookups on
+Require user admin
+</Location>
 </VirtualHost>
 
 EOF
diff --git a/sca-cpp/trunk/modules/http/mod-security-conf b/sca-cpp/trunk/modules/http/mod-security-conf
new file mode 100755
index 0000000000..f988163cf4
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/mod-security-conf
@@ -0,0 +1,190 @@
+#!/bin/sh
+
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#  
+#    http://www.apache.org/licenses/LICENSE-2.0
+#    
+#  Unless required by applicable law or agreed to in writing,
+#  software distributed under the License is distributed on an
+#  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#  KIND, either express or implied.  See the License for the
+#  specific language governing permissions and limitations
+#  under the License.
+
+# Generate a minimal mod-security configuration.
+here=`readlink -f $0`; here=`dirname $here`
+mkdir -p $1
+root=`readlink -f $1`
+
+modules_prefix=`cat $here/httpd-modules.prefix`
+modsecurity_prefix=`cat $here/modsecurity.prefix`
+
+mkdir -p $root/tmp
+
+cat >>$root/conf/modules.conf <<EOF
+# Generated by: mod-security-conf $*
+# Load support for mod-security
+LoadModule unique_id_module ${modules_prefix}/modules/mod_unique_id.so
+LoadModule security2_module $modsecurity_prefix/lib/mod_security2.so
+
+EOF
+
+cat >>$root/conf/httpd.conf <<EOF
+# Generated by: mod-security-conf $*
+# Enable mod-security
+Include conf/mod-security.conf
+
+EOF
+
+cat >$root/conf/mod-security.conf <<EOF
+# Generated by: mod-security-conf $*
+# Enable mod-security rules
+SecRuleEngine On
+SecDefaultAction "phase:2,pass,log"
+
+#SecDebugLog $root/logs//modsec_debug_log
+#SecDebugLogLevel 3
+
+# Allow mod-security to access request bodies
+SecRequestBodyAccess On
+SecRule REQUEST_HEADERS:Content-Type "text/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+SecRule REQUEST_HEADERS:Content-Type "application/xml" "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+SecRequestBodyLimit 13107200
+SecRequestBodyNoFilesLimit 131072
+SecRequestBodyInMemoryLimit 131072
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body
+SecRule REQBODY_ERROR "!@eq 0" "phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in multipart/form-data request body
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_SEMICOLON_MISSING}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# Avoid a potential RegEx DoS condition
+SecPcreMatchLimit 1000
+SecPcreMatchLimitRecursion 1000
+SecRule TX:/^MSC_/ "!@streq 0" "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
+
+# Detect slow DoS attacks
+SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1,expirevar:ip.slow_dos_counter=60"
+SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high # of slow DoS alerts'"
+SecWriteStateLimit 50
+
+# Allow mod-security to access response bodies
+SecResponseBodyAccess On
+SecResponseBodyMimeType text/plain text/html text/xml application/xml
+SecResponseBodyLimit 524288
+SecResponseBodyLimitAction ProcessPartial
+
+# The location where mod-security stores temporary files
+SecTmpDir $root/tmp/
+SecDataDir $root/tmp/
+
+# Enable mod-security audit
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditLogParts ABIJDEFHKZ
+SecAuditLogType Serial
+SecAuditLog $root/logs/modsec_audit_log
+
+# Use & as application/x-www-form-urlencoded parameter separator
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies.
+SecCookieFormat 0
+
+# Enable anomaly scoring
+SecAction "phase:1,id:'981206',t:none,nolog,pass,setvar:tx.anomaly_score_blocking=on"
+SecAction "phase:1,id:'981207',t:none,nolog,pass, \
+setvar:tx.critical_anomaly_score=5, \
+setvar:tx.error_anomaly_score=4, \
+setvar:tx.warning_anomaly_score=3, \
+setvar:tx.notice_anomaly_score=2"
+SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
+SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
+
+# Paranoid mode
+SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
+
+# HTTP policy settings
+SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
+SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
+SecAction "phase:1,id:'981212',t:none,nolog,pass, \
+setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE CONNECT', \
+setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/json application/json-rpc application/atom+xml', \
+setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
+setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
+setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
+
+# Brute force protection
+SecAction "phase:1,id:'981214',t:none,nolog,pass, \
+setvar:'tx.brute_force_protected_urls=/login', \
+setvar:'tx.brute_force_burst_time_slice=60', \
+setvar:'tx.brute_force_counter_threshold=10', \
+setvar:'tx.brute_force_block_timeout=300'"
+
+# DoS protection
+SecAction "phase:1,id:'981215',t:none,nolog,pass, \
+setvar:'tx.dos_burst_time_slice=60', \
+setvar:'tx.dos_counter_threshold=100', \
+setvar:'tx.dos_block_timeout=600'"
+
+# Check UTF-8 encoding
+SecAction "phase:1,id:'981216',t:none,nolog,pass,setvar:tx.crs_validate_utf8_encoding=1"
+
+# Global and IP collections
+SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
+SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
+SecRule &TX:REAL_IP "!@eq 0" "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"
+SecRule &TX:REAL_IP "@eq 0"  "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
+
+# Include all base mod-security CRS rules
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_20_protocol_violations.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_xss_attacks.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_50_outbound.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_35_bad_robots.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_47_common_exceptions.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_60_correlation.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_40_generic_attacks.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_21_protocol_anomalies.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_30_http_policy.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_49_inbound_blocking.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_45_trojans.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_59_outbound_blocking.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_23_request_limits.conf
+Include ${modsecurity_prefix}/base_rules/modsecurity_crs_42_tight_security.conf
+
+# Include some optional mod-security CRS rules
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_10_ignore_static.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_13_xml_enabler.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
+Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf
+EOF
+