OpenHab proxy rule exclusions plugin

CONTRIBUTORS.md

@@ -0,0 +1,3 @@
+# Contributors to Openhab Proxy Rule Exclusions Plugin
+
+- [Daniel Demus](https://git.demus.dk/demus)

INSTALL

@@ -0,0 +1 @@
+See [README](README.md).

README.md

@@ -1,3 +1,27 @@
-# openhab-proxy-rule-exclusions-plugin
+# OWASP CRS - OpenHAB Proxy Rule Exclusions Plugin
 
-CRS exclusions when running an openhab proxy on a virtual host
+## Description
+
+This plugin contains rule exclusions for proxying an external address to [OpenHAB](https://www.openhab.org/),
+a vendor and technology agnostic open source automation software for your home, so it can be run together with
+OWASP CRS (CRS).
+
+## Installation
+
+For full and up to date instructions for the different available plugin
+installation methods, refer to [How to Install a Plugin](https://coreruleset.org/docs/concepts/plugins/#how-to-install-a-plugin)
+in the official CRS documentation.
+
+## Testing
+
+After the plugin is enabled, your OpenHAB instance should be accessible without
+any problems possibly caused by CRS (for example, false positives while blocking
+requests). If you are still having any problems, please file a new issue on
+[gitea](https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin/).
+
+## License
+
+Copyright (c) 2024 Daniel Demus. All rights reserved.
+
+This plugin is distributed under Apache Software License (ASL) version 2.
+Please see the enclosed LICENSE file for full details.

plugins/openhab-proxy-rule-exclusions-before.conf

@@ -0,0 +1,64 @@
+# ------------------------------------------------------------------------
+# OpenHAB proxy rule exclusions plugin
+# Copyright (c) 2024 Daniel Demus
+#
+# This plugin is distributed under Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# Plugin name: openhab-proxy-rule-exclusions
+# Plugin description: OWASP CRS 3rd party plugin for OpenHAB via proxy
+# Rule ID block base: 93,000 - 93,999
+# Plugin version: 1.0.0
+
+# Documentation can be found here:
+# https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin.git
+
+# Generic rule to disable plugin
+SecRule TX:openhab-proxy-rule-exclusions-plugin_enabled "@eq 0" "id:93001,phase:1,pass,nolog,ctl:ruleRemoveById=93002-93999"
+
+# [ Local CRS initialization ]
+#
+# We need to initialize some of the CRS variables also here because plugin setup runs before
+# CRS initialization (this is a known limitation of the current plugin architecture). Must be
+# kept in sync with CRS default setting.
+
+# Copy of CRS rule 901160.
+SecRule &TX:allowed_methods "@eq 0" \
+    "id:93902,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+
+# Copy of CRS rule 901162.
+SecRule &TX:allowed_request_content_type "@eq 0" \
+    "id:93903,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"
+
+# Allow topics
+SecRule REQUEST_URI "@beginsWith /rest/events" \
+    "id:93010,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+    ctl:ruleRemoveTargetById=942100;ARGS:topics"
+
+# Allow rest API methods and content types
+SecRule REQUEST_FILENAME "@beginsWith /rest" \
+    "id:93011,\
+    phase:1,\
+    pass,\
+    t:none,\
+    nolog,\
+    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
+    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE',\
+    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/plain|'"
+

plugins/openhab-proxy-rule-exclusions-config.conf

@@ -0,0 +1,43 @@
+# ------------------------------------------------------------------------
+# OpenHAB proxy rule exclusions plugin
+# Copyright (c) 2024 Daniel Demus
+#
+# This plugin is distributed under Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+# Plugin name: openhab-proxy-rule-exclusions
+# Plugin description: OWASP CRS 3rd party plugin for OpenHAB via proxy
+# Rule ID block base: 93,000 - 93,999
+# Plugin version: 1.0.0
+
+# Documentation can be found here:
+# https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin.git
+
+# Generic rule to disable the plugin
+#
+# Plugins are enabled by default.
+#
+# They become active by placing them in the plugin folder. It is possible to
+# control plugin activation via setting a variable. This can be done in the
+# plugin config file here.
+#
+# The predefined variable name is meant to be "<plugin name>-plugin_enabled".
+# For the openhab-proxy-rule-exclusions-plugin, this means it can be disabled
+# by setting tx.openhab-proxy-rule-exclusions-plugin_enabled=0.
+#
+# Note that a global setting of this variable overrides the setting here.
+# That means the "enabled" variable is only set by this rule if it has not
+# been set before.
+#
+# Feel free to set the variable unconditionally here by replacing the
+# SecRule line with an unconditional SecAction statement.
+#
+# SecRule &TX:openhab-proxy-rule-exclusions-plugin_enabled "@eq 0" \
+#     "id:93000,\
+#     phase:1,\
+#     pass,\
+#     nolog,\
+#     ver:'openhab-rule-exclusions-plugin/1.0.0',\
+#     setvar:'tx.openhab-proxy-rule-exclusions-plugin_enabled=0'"
+