GUI editor to tame mod_security rules

⌈⌋ branch:  modseccfg


*.preconf scheme

Quick setup:

Due to how mod_security works, the definition order of rules and exceptions is important (the rule IDs are meaningless to the execution order). In particular conditional SecRules (ctl:removeRule*) have to be declared before the CRS rules.

So for recipes/macros to work you have to have one *.preconf per vhost. And this has to be configured in a way they actually run before the rest of the CRS rules.
To do so:

  • Select /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf in the vhost/conf dropdown.

  • Add the RecipeSetupCRS preconfig includes.
    Change the IncludeOptional path to where your normal vhost.*.conf files reside, if it wasn't autodetected.

  • Lastly open FileSettings (F12)
    and enable ☑ Create and use *.preconf globally

Whenever you declared a recipe that belongs in a *.preconf file, modseccfg would automatically redirect the directive, or create the according preconf first.

So once set up, you can just select the regular *.conf file in the vhost/conf dropdown, and modseccfg will redirect any settings if need be.

What's the resulting file structure?

Normally you'd have one .preconf per vhost..conf:

  • /etc/apache2/sites-enabled/examplecom.preconf
  • /etc/apache2/sites-enabled/examplecom.conf
  • /srv/www/etc/exampleorg.preconf
  • /srv/www/etc/exampleorg.conf

They also show up atop the vhost/conf dropdown, when the 900-EXCLUSION/IncludeOptional was defined correctly. The dropdown matches the order in which Apache sees any configuration files.

Do I really need this?

If you're only using modseccfg for disabling existing rules, then no; the standard vhost.conf files are sufficient. You won't need *.preconf files for that.

Currently it only pertains a handful of recipes and setting CRS variables.

One global *.preconf for all sites?

Auto-created *.preconf files are bound to one DocumentRoot per vhost. So if you want to have one preconf-file for all (or multiple) vhosts, you'll have to remove the <Directory> wrapper; and manually symlink the filenames to one central file.

Implementation notes

  • For auto-creation, file extensions .conf, .dir, .vhost are recognized, else .preconf is just appended
  • For writer insertions, rx.end ought to look for </Directory> in place of </VirtualHost> section markers, and insert before that.
  • Appending should still work for .dir files (single global preconf).

Alternative: …/late-enabled/

Instead of preconf files, you could also set up the mod_security rules to load after any vhosts, with e.g. a sites- oder modules-late-enabled/ directory. Though that's gonna make simpler SecRuleRemove directives largely disfunct.