From 629fd2345eb7b1cabf521663cc553ae22029ead8 Mon Sep 17 00:00:00 2001
From: Daniel Demus
Date: Wed, 10 Jul 2024 23:54:17 +0200
Subject: [PATCH] OpenHab proxy rule exclusions plugin
---
 CONTRIBUTORS.md | 3 +
 INSTALL | 1 +
 README.md | 28 +++-
 .../openhab-proxy-rule-exclusions-before.conf | 64 +++++++++++++++++++
 .../openhab-proxy-rule-exclusions-config.conf | 43 +++++++++++++
 5 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 CONTRIBUTORS.md
 create mode 100644 INSTALL
 create mode 100644 plugins/openhab-proxy-rule-exclusions-before.conf
 create mode 100644 plugins/openhab-proxy-rule-exclusions-config.conf
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
new file mode 100644
index 0000000..643a1e9
--- /dev/null
+++ b/CONTRIBUTORS.md
@@ -0,0 +1,3 @@
+# Contributors to Openhab Proxy Rule Exclusions Plugin
+
+- [Daniel Demus](https://git.demus.dk/demus)
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 0000000..4afc243
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1 @@
+See [README](README.md).
diff --git a/README.md b/README.md
index e7db26d..68a6b28 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,27 @@
-# openhab-proxy-rule-exclusions-plugin
+# OWASP CRS - OpenHAB Proxy Rule Exclusions Plugin
 
-CRS exclusions when running an openhab proxy on a virtual host
\ No newline at end of file
+## Description
+
+This plugin contains rule exclusions for proxying an external address to [OpenHAB](https://www.openhab.org/),
+a vendor and technology agnostic open source automation software for your home, so it can be run together with
+OWASP CRS (CRS).
+
+## Installation
+
+For full and up to date instructions for the different available plugin
+installation methods, refer to [How to Install a Plugin](https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin)
+in the official CRS documentation.
+
+## Testing
+
+After the plugin is enabled, your OpenHAB instance should be accessible without
+any problems possibly caused by CRS (for example, false positives while blocking
+requests). If you are still having any problems, please file a new issue on
+[gitea](https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin/).
+
+## License
+
+Copyright (c) 2024 Daniel Demus. All rights reserved.
+
+This plugin is distributed under Apache Software License (ASL) version 2.
+Please see the enclosed LICENSE file for full details.
diff --git a/plugins/openhab-proxy-rule-exclusions-before.conf b/plugins/openhab-proxy-rule-exclusions-before.conf
new file mode 100644
index 0000000..f573517
--- /dev/null
+++ b/plugins/openhab-proxy-rule-exclusions-before.conf
@@ -0,0 +1,64 @@
+# ------------------------------------------------------------------------
+# OpenHAB proxy rule exclusions plugin
+# Copyright (c) 2024 Daniel Demus
+#
+# This plugin is distributed under Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# Plugin name: openhab-proxy-rule-exclusions
+# Plugin description: OWASP CRS 3rd party plugin for OpenHAB via proxy
+# Rule ID block base: 93,000 - 93,999
+# Plugin version: 1.0.0
+
+# Documentation can be found here:
+# https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin.git
+
+# Generic rule to disable plugin
+SecRule TX:openhab-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:93001,phase:1,pass,nolog,ctl:ruleRemoveById=93002-93999"
+
+# [ Local CRS initialization ]
+#
+# We need to initialize some of the CRS variables also here because plugin setup runs before
+# CRS initialization (this is a known limitation of the current plugin architecture). Must be
+# kept in sync with CRS default setting.
+
+# Copy of CRS rule 901160.
+SecRule &TX:allowed_methods "@eq 0" \
+ "id:93902,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+ setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+
+# Copy of CRS rule 901162.
+SecRule &TX:allowed_request_content_type "@eq 0" \
+ "id:93903,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+ setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+
+# Allow topics
+SecRule REQUEST_URI "@beginsWith /rest/events" \
+ "id:93010,\
+ phase:1,\
+ pass,\
+ nolog,\
+ ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+ ctl:ruleRemoveTargetById=942100;ARGS:topics"
+
+# Allow rest API methods and content types
+SecRule REQUEST_FILENAME "@beginsWith /rest" \
+ "id:93011,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+ setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE',\
+ setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/plain|'"
+
diff --git a/plugins/openhab-proxy-rule-exclusions-config.conf b/plugins/openhab-proxy-rule-exclusions-config.conf
new file mode 100644
index 0000000..23ad5ba
--- /dev/null
+++ b/plugins/openhab-proxy-rule-exclusions-config.conf
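Review bot: Rule 93011, at the end of this hunk, widens the allowed methods and content types for every path that merely starts with `/rest`, so a prefix-sharing path such as `/restore` on the same virtual host also gets PUT/DELETE and text/plain permitted, and because REQUEST_FILENAME is matched untransformed a path like `/rest/../other` still satisfies the prefix (whether the backend then resolves it elsewhere depends on the proxy's normalization, which this file does not show). Anchoring the match to the API root and normalizing first keeps the relaxation where it is intended: `SecRule REQUEST_FILENAME "@rx ^/rest(?:/|$)" \` with `t:none,t:normalizePath,\` in place of the bare `t:none,\`. Rule 93010 matches `REQUEST_URI` and omits `t:none` while 93011 matches `REQUEST_FILENAME` with `t:none`; using the same variable and an explicit `t:none` in both would keep the plugin consistent with CRS rule style. The two initialization copies (93902/93903) say they must be kept in sync with CRS but do not record which CRS release they were copied from; a comment such as `# Copy of CRS rule 901160 (from CRS <version copied from> - re-check on CRS upgrade).` would make that drift easier to catch.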
@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------------
+# OpenHAB proxy rule exclusions plugin
+# Copyright (c) 2024 Daniel Demus
+#
+# This plugin is distributed under Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# Plugin name: openhab-proxy-rule-exclusions
+# Plugin description: OWASP CRS 3rd party plugin for OpenHAB via proxy
+# Rule ID block base: 93,000 - 93,999
+# Plugin version: 1.0.0
+
+# Documentation can be found here:
+# https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin.git
+
+# Generic rule to disable the plugin
+#
+# Plugins are enabled by default.
+#
+# They become active by placing them in the plugin folder. It is possible to
+# control plugin activation via setting a variable. This can be done in the
+# plugin config file here.
+#
+# The predefined variable name is meant to be "-plugin_enabled".
+# For the openhab-proxy-rule-exclusions-plugin, this means it can be disabled
+# by setting tx.openhab-proxy-rule-exclusions-plugin_enabled=0.
+#
+# Note that a global setting of this variable overrides the setting here.
+# That means the "enabled" variable is only set by this rule if it has not
+# been set before.
+#
+# Feel free to set the variable unconditionally here by replacing the
+# SecRule line with an unconditional SecAction statement.
+#
+# SecRule &TX:openhab-proxy-rule-exclusions-plugin_enabled "@eq 0" \
+# "id:93000,\
+# phase:1,\
+# pass,\
+# nolog,\
+# ver:'openhab-rule-exclusions-plugin/1.0.0',\
+# setvar:'tx.openhab-proxy-rule-exclusions-plugin_enabled=0'"
+
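Review bot: The commented-out disable rule at the end of this hunk carries `ver:'openhab-rule-exclusions-plugin/1.0.0'`, which does not match the plugin name used by every other rule in this change (`openhab-proxy-rule-exclusions-plugin/1.0.0` in the -before.conf rules), so anyone who uncomments it to disable the plugin ends up with a mislabelled rule in logs; it should read `# ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\`. The sentence `The predefined variable name is meant to be "-plugin_enabled".` appears to have lost the plugin-name placeholder in front of the dash, presumably the `<plugin name>-plugin_enabled` form of the CRS plugin template, and the next line's example only makes sense once that prefix is restored. Both points are inside the trailing comment block of the new file.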