Gitea proxy rule exclusions plugin

CONTRIBUTORS.md

@@ -0,0 +1,3 @@
+# Contributors to Openhab Proxy Rule Exclusions Plugin
+
+- [Daniel Demus](https://git.demus.dk/demus)

INSTALL

@@ -0,0 +1 @@
+See [README](README.md).

README.md

@@ -1,3 +1,27 @@
-# gitea-proxy-rule-exclusions-plugin
+# OWASP CRS - Gitea Proxy Rule Exclusions Plugin
 
-Allow running gitea behind a proxy using the ModSecurity CRS
+## Description
+
+This plugin contains rule exclusions for proxying an external address to a local
+[Gitea](https://about.gitea.com/) instance, a git devops platform, so it can be
+run together with OWASP CRS (CRS).
+
+## Installation
+
+For full and up to date instructions for the different available plugin
+installation methods, refer to [How to Install a Plugin](https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin)
+in the official CRS documentation.
+
+## Testing
+
+After the plugin is enabled, your Gitea instance should be accessible without
+any problems possibly caused by CRS (for example, false positives while blocking
+requests). If you are still having any problems, please file a new issue on
+[gitea](https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin/).
+
+## License
+
+Copyright (c) 2024 Daniel Demus. All rights reserved.
+
+This plugin is distributed under Apache Software License (ASL) version 2.
+Please see the enclosed LICENSE file for full details.

plugins/gitea-proxy-rule-exclusions-before.conf

@@ -0,0 +1,54 @@
+# ------------------------------------------------------------------------
+# Gitea proxy rule exclusions plugin
+# Copyright (c) 2024 Daniel Demus
+#
+# This plugin is distributed under Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# Plugin name: gitea-proxy-rule-exclusions
+# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
+# Rule ID block base: 92,000 - 92,999
+# Plugin version: 1.0.0
+
+# Documentation can be found here:
+# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
+
+# Generic rule to disable plugin
+SecRule TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:92001,phase:1,pass,nolog,ctl:ruleRemoveById=92002-92999"
+
+#
+# [ Local CRS initialization ]
+#
+# We need to initialize some of the CRS variables also here because plugin setup runs before
+# CRS initialization (this is a known limitation of the current plugin architecture). Must be
+# kept in sync with CRS default setting.
+
+# Copy of CRS rule 901162.
+SecRule &TX:allowed_request_content_type "@eq 0" \
+    "id:92902,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+
+# Modify CRS rule 901164
+SecRule &TX:restricted_extensions "@eq 0" \
+    "id:92903,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+    setvar:'tx.restricted_extensions=.backup/ .bak/ .cdx/ .cer/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .key/ .printer/ .rdb/ .swp/ .sys/'"
+
+# Modify CRS rule 901165. git-upload-pack has it's own content-type and uses the content-encoding header
+SecRule REQUEST_URI "@endsWith git-upload-pack" \
+    "id:92010,\
+    phase:1,\
+    pass,\
+    t:none,\
+    ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+    nolog,\
+    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |application/x-git-upload-pack-request|',\
+    setvar:'tx.restricted_headers_basic=/proxy/ /lock-token/ /content-range/ /if/ /x-http-method-override/ /x-http-method/ /x-method-override/'"

plugins/gitea-proxy-rule-exclusions-config.conf

@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------------
+# Gitea proxy rule exclusions plugin
+# Copyright (c) 2024 Daniel Demus
+#
+# This plugin is distributed under Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# Plugin name: gitea-proxy-rule-exclusions
+# Plugin description: OWASP CRS 3rd party plugin for Gitea via proxy
+# Rule ID block base: 92,000 - 92,999
+# Plugin version: 1.0.0
+
+# Documentation can be found here:
+# https://git.demus.dk/demus/gitea-proxy-rule-exclusions-plugin.git
+
+# Generic rule to disable the plugin
+#
+# Plugins are enabled by default.
+#
+# They become active by placing them in the plugin folder. It is possible to
+# control plugin activation via setting a variable. This can be done in the
+# plugin config file here.
+#
+# The predefined variable name is meant to be "<plugin name>-plugin_enabled".
+# For the gitea-proxy-rule-exclusions-plugin, this means it can be disabled by setting
+# tx.gitea-proxy-rule-exclusions-plugin_enabled=0.
+#
+# Note that a global setting of this variable overrides the setting here.
+# That means the "enabled" variable is only set by this rule if it has not
+# been set before.
+#
+# Feel free to set the variable unconditionally here by replacing the
+# SecRule line with an unconditional SecAction statement.
+#
+# SecRule &TX:gitea-proxy-rule-exclusions-plugin_enabled "@eq 0" \
+#     "id:92000,\
+#     phase:1,\
+#     pass,\
+#     nolog,\
+#     ver:'gitea-proxy-rule-exclusions-plugin/1.0.0',\
+#     setvar:'tx.gitea-proxy-rule-exclusions-plugin_enabled=0'"
+