diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md new file mode 100644 index 0000000..643a1e9 --- /dev/null +++ b/CONTRIBUTORS.md @@ -0,0 +1,3 @@ +# Contributors to Openhab Proxy Rule Exclusions Plugin + +- [Daniel Demus](https://git.demus.dk/demus) diff --git a/INSTALL b/INSTALL new file mode 100644 index 0000000..4afc243 --- /dev/null +++ b/INSTALL @@ -0,0 +1 @@ +See [README](README.md). diff --git a/README.md b/README.md index 3863709..f7f2e3f 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,27 @@ -# gitea-proxy-rule-exclusions-plugin +# OWASP CRS - Gitea Proxy Rule Exclusions Plugin -Allow running gitea behind a proxy using the ModSecurity CRS \ No newline at end of file +## Description + +This plugin contains rule exclusions for proxying an external address to a local +[Gitea](https://about.gitea.com/) instance, a git devops platform, so it can be +run together with OWASP CRS (CRS). + +## Installation + +For full and up to date instructions for the different available plugin +installation methods, refer to [How to Install a Plugin](https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin) +in the official CRS documentation. + +## Testing + +After the plugin is enabled, your Gitea instance should be accessible without +any problems possibly caused by CRS (for example, false positives while blocking +requests). If you are still having any problems, please file a new issue on +[gitea](https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin/). + +## License + +Copyright (c) 2024 Daniel Demus. All rights reserved. + +This plugin is distributed under Apache Software License (ASL) version 2. +Please see the enclosed LICENSE file for full details. diff --git a/plugins/gitea-proxy-rule-exclusions-before.conf b/plugins/gitea-proxy-rule-exclusions-before.conf new file mode 100644 index 0000000..8080ecf --- /dev/null +++ b/plugins/gitea-proxy-rule-exclusions-before.conf @@ -0,0 +1,54 @@ +# ------------------------------------------------------------------------ +# Gitea proxy rule exclusions plugin +# Copyright (c) 2024 Daniel Demus +# +# This plugin is distributed under Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# Plugin name: gitea-proxy-rule-exclusions +# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy +# Rule ID block base: 92,000 - 92,999 +# Plugin version: 1.0.0 + +# Documentation can be found here: +# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git + +# Generic rule to disable plugin +SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:92001,phase:1,pass,nolog,ctl:ruleRemoveById=92002-92999" + +# +# [ Local CRS initialization ] +# +# We need to initialize some of the CRS variables also here because plugin setup runs before +# CRS initialization (this is a known limitation of the current plugin architecture). Must be +# kept in sync with CRS default setting. + +# Copy of CRS rule 901162. +SecRule &TX:allowed_request_content_type "@eq 0" \ + "id:92902,\ + phase:1,\ + pass,\ + nolog,\ + ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ + setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'" + +# Modify CRS rule 901164 +SecRule &TX:restricted_extensions "@eq 0" \ + "id:92903,\ + phase:1,\ + pass,\ + nolog,\ + ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ + setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'" + +# Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header +SecRule REQUEST_URI "@endsWith git-upload-pack" \ + "id:92010,\ + phase:1,\ + pass,\ + t:none,\ + ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ + nolog,\ + setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/x-git-upload-pack-request|',\ + setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'" diff --git a/plugins/gitea-proxy-rule-exclusions-config.conf b/plugins/gitea-proxy-rule-exclusions-config.conf new file mode 100644 index 0000000..591e33d --- /dev/null +++ b/plugins/gitea-proxy-rule-exclusions-config.conf @@ -0,0 +1,43 @@ +# ------------------------------------------------------------------------ +# Gitea proxy rule exclusions plugin +# Copyright (c) 2024 Daniel Demus +# +# This plugin is distributed under Apache Software License (ASL) version 2 +# Please see the enclosed LICENSE file for full details. +# ------------------------------------------------------------------------ + +# Plugin name: gitea-proxy-rule-exclusions +# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy +# Rule ID block base: 92,000 - 92,999 +# Plugin version: 1.0.0 + +# Documentation can be found here: +# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git + +# Generic rule to disable the plugin +# +# Plugins are enabled by default. +# +# They become active by placing them in the plugin folder. It is possible to +# control plugin activation via setting a variable. This can be done in the +# plugin config file here. +# +# The predefined variable name is meant to be "-plugin_enabled". +# For the gitea-proxy-rule-exclusions-plugin, this means it can be disabled by setting +# tx.gitea-proxy-rule-exclusions-plugin_enabled=0. +# +# Note that a global setting of this variable overrides the setting here. +# That means the "enabled" variable is only set by this rule if it has not +# been set before. +# +# Feel free to set the variable unconditionally here by replacing the +# SecRule line with an unconditional SecAction statement. +# +# SecRule &TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \ +# "id:92000,\ +# phase:1,\ +# pass,\ +# nolog,\ +# ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\ +# setvar:'tx.gitea-proxy-rule-exclusions-plugin_enabled=0'" +