From 995421f33b5692e6851fcf8341dce30c702529db Mon Sep 17 00:00:00 2001 From: 2803 MEDIA Date: Wed, 25 Sep 2024 11:44:59 +0200 Subject: [PATCH 1/3] Update README.md Add modsecurity info --- reverse-proxy/README.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/reverse-proxy/README.md b/reverse-proxy/README.md index 44270a9..5cb3676 100644 --- a/reverse-proxy/README.md +++ b/reverse-proxy/README.md @@ -45,3 +45,42 @@ $ sudo a2ensite plausible.conf $ sudo systemctl restart apache2 $ sudo certbot --apache ``` +#### Apache2 Modsecurity +If you use Modsecurity as a Waff to your Apache2 configuration you will need to add some custom rules in order to not block Plausible. Here are some rules, feel free to adapt to your specific case: + +```shell +# Autoriser text/plain pour la route /api/event +SecRule REQUEST_URI "@streq /api/event" \ + "id:1000005,phase:1,t:none,pass,nolog,ctl:requestBodyAccess=On" + +# Désactiver les règles spécifiques uniquement pour /api/event +SecRule REQUEST_URI "@streq /api/event" \ + "id:1000006,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=920420,ctl:ruleRemoveById=949110" + +# Autoriser toutes les requêtes .com pour l'agent utilisateur Plausible +SecRule REQUEST_HEADERS:User-Agent "@contains Plausible" \ + "id:1000008,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=920440,ctl:ruleRemoveById=949110" + +# Autoriser l'accès aux requêtes .com pour l'agent utilisateur Plausible +SecRule REQUEST_URI "@contains .com" \ + "id:1000010,phase:1,t:none,pass,nolog,ctl:ruleRemoveById=920440,ctl:ruleRemoveById=949110" +``` + +Save this as +```shell +/etc/modsecurity/customrules/customrules.conf +``` + +And add those custom rules to +```shell +/etc/modsecurity/modsecurity.conf +``` +Like that +```shell +Include /etc/modsecurity/crs/crs-setup.conf +Include /etc/modsecurity/customrules/customrules.conf + +#SecRuleEngine DetectionOnly +SecRuleEngine On +``` +And test and adapt! 
From c85633423b596f283769344d5a63e0a828b97f5f Mon Sep 17 00:00:00 2001 From: 2803 MEDIA Date: Wed, 25 Sep 2024 11:55:31 +0200 Subject: [PATCH 2/3] Update README.md add reasons --- reverse-proxy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reverse-proxy/README.md b/reverse-proxy/README.md index 5cb3676..44bf5d8 100644 --- a/reverse-proxy/README.md +++ b/reverse-proxy/README.md @@ -46,7 +46,7 @@ $ sudo systemctl restart apache2 $ sudo certbot --apache ``` #### Apache2 Modsecurity -If you use Modsecurity as a Waff to your Apache2 configuration you will need to add some custom rules in order to not block Plausible. Here are some rules, feel free to adapt to your specific case: +Modsecurity block with CRS the "plain/text" used by Plausible and ".com" in headers so if you use Modsecurity as a Waff to your Apache2 configuration you will need to add some custom rules in order to not block Plausible. Here are some rules, feel free to adapt to your specific case: ```shell # Autoriser text/plain pour la route /api/event From fc3da2d9b761248a51b6c858b5c7c1da73d7b722 Mon Sep 17 00:00:00 2001 From: 2803 MEDIA Date: Wed, 25 Sep 2024 11:57:15 +0200 Subject: [PATCH 3/3] Update README.md add modsecurity for apache --- reverse-proxy/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reverse-proxy/README.md b/reverse-proxy/README.md index 44bf5d8..17f6e23 100644 --- a/reverse-proxy/README.md +++ b/reverse-proxy/README.md 
@@ -46,7 +46,7 @@ $ sudo systemctl restart apache2 $ sudo certbot --apache ``` #### Apache2 Modsecurity -Modsecurity block with CRS the "plain/text" used by Plausible and ".com" in headers so if you use Modsecurity as a Waff to your Apache2 configuration you will need to add some custom rules in order to not block Plausible. Here are some rules, feel free to adapt to your specific case: +Modsecurity block with CRS the `plain/text` used by Plausible and `.com` in headers so if you use Modsecurity as a Waff to your Apache2 configuration you will need to add some custom rules in order to not block Plausible. Here are some rules, feel free to adapt to your specific case: ```shell # Autoriser text/plain pour la route /api/event
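Review bot: In [PATCH 1/3], rules 1000008 and 1000010 are not scoped to Plausible's endpoint: they apply `ctl:ruleRemoveById=949110` to any request whose User-Agent contains `Plausible` or whose URI contains `.com`. Both values are chosen by the client, so such requests are exempt from the CRS inbound anomaly-score blocking rule on every path. Rule 1000010 also never tests the User-Agent, although its comment says it is for the Plausible user agent. Suggest restricting both rules to `REQUEST_URI "@streq /api/event"`, as rules 1000005 and 1000006 already do (or chaining that condition), removing only 920440 there and leaving 949110 in place. The comment on 1000005 speaks of allowing text/plain while the action is `ctl:requestBodyAccess=On`, so the comment and the action should be aligned. The rule comments should be in English like the rest of the README, and the two file paths are fenced as `shell` although they are not commands.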
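Review bot: In [PATCH 2/3], the new opening sentence names the media type as "plain/text", but the context comment below it (`# Autoriser text/plain pour la route /api/event`) spells it `text/plain`, which is the correct form; please fix the sentence. It also says `.com` is blocked "in headers", while rule 1000010 in the same section matches `REQUEST_URI`, so the sentence should say which part of the request is meant. "Modsecurity block" should read "ModSecurity blocks" and "Waff" should be "WAF". The sentence would read better split in two: one stating what CRS blocks, one stating that custom rules are needed.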
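Review bot: In [PATCH 3/3], the replacement line puts `plain/text` in code formatting, which presents it as a literal value, but it is still reversed relative to `text/plain` in the context comment below; fix the value rather than only its formatting. "Modsecurity block" and "Waff" are carried over unchanged from the removed line. Since this patch and 2/3 each rewrite the one sentence that 1/3 introduced, squashing the series into a single commit would make the change easier to review.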