# ------------------------------------------------------------------------
# OpenHAB proxy rule exclusions plugin
# Copyright (c) 2024 Daniel Demus
#
# This plugin is distributed under Apache Software License (ASL) version 2
# Please see the enclosed LICENSE file for full details.
# ------------------------------------------------------------------------

# Plugin name: openhab-proxy-rule-exclusions
# Plugin description: OWASP CRS 3rd party plugin for OpenHAB via proxy
# Rule ID block base: 93,000 - 93,999
# Plugin version: 1.0.0

# Documentation can be found here:
# https://git.demus.dk/demus/openhab-proxy-rule-exclusions-plugin.git

# Plugin kill switch.
#
# When tx.openhab-proxy-rule-exclusions-plugin_enabled is explicitly set to 0,
# every other rule of this plugin (IDs 93002-93999) is removed for the current
# transaction, including the local CRS initialization copies further down.
#
# NOTE(review): when the variable is never set, this rule presumably does not
# match and the plugin stays active - confirm that "enabled by default" is what
# the deployment expects.
# NOTE(review): IDs 93,000-93,999 lie in the 1-99,999 range that ModSecurity
# reserves for local rules, so they can collide with site-local rules - confirm
# that no local rule uses an ID in this block.
SecRule TX:openhab-proxy-rule-exclusions-plugin_enabled "@eq 0" \
    "id:93001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=93002-93999"

# [ Local CRS initialization ]
#
# Some CRS variables have to be initialized here as well, because plugin setup runs before
# CRS initialization (this is a known limitation of the current plugin architecture). These
# copies must be kept in sync with the CRS default settings.

# Local default for tx.allowed_methods (copy of CRS rule 901160).
#
# Fires only when the variable does not exist yet (its count is 0), so a value
# that was set earlier is left untouched.
# Because this copy runs before the CRS initialization rules, its value is the
# one that stays in effect when nothing else set the variable: re-check the
# method list against the CRS default on every CRS upgrade.
SecRule &TX:allowed_methods "@eq 0" \
    "id:93902,\
    phase:1,\
    pass,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

# Local default for tx.allowed_request_content_type (copy of CRS rule 901162).
#
# Fires only when the variable does not exist yet (its count is 0), so a value
# that was set earlier is left untouched.
# Because this copy runs before the CRS initialization rules, its value is the
# one that stays in effect when nothing else set the variable: re-check the
# content-type list against the CRS default on every CRS upgrade.
SecRule &TX:allowed_request_content_type "@eq 0" \
    "id:93903,\
    phase:1,\
    pass,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json|'"

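# Allow the "topics" argument of the event endpoint.
#
# For requests to /rest/events (and sub-paths), the argument ARGS:topics is no
# longer inspected by CRS rule 942100 (libinjection SQL injection detection).
# Every other argument is still inspected by 942100, and every other rule still
# inspects "topics".
#
# The match is made on REQUEST_FILENAME (the path without the query string) and
# is anchored to the path segment, so a look-alike path that merely starts with
# the same characters (e.g. /rest/eventsX) does not receive the exclusion.
# The ctl action is issued in phase 1 so that it is in place before the
# excluded rule is evaluated.
SecRule REQUEST_FILENAME "@rx ^/rest/events(?:/|$)" \
    "id:93010,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    ctl:ruleRemoveTargetById=942100;ARGS:topics"
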
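# Widen the method and content-type policy for the REST API.
#
# For requests to /rest and its sub-paths, PUT and DELETE are appended to
# tx.allowed_methods and |text/plain| is appended to
# tx.allowed_request_content_type. TX variables are per transaction, so the
# wider policy applies only to the request that matched here.
#
# The match is anchored to the path segment: a plain prefix test on "/rest"
# would also relax the policy for any unrelated path that merely starts with
# those characters (e.g. /restricted), which is broader than the REST API.
#
# Both setvar actions expand the current value of the variable, so this rule
# relies on rules 93902/93903 (or an earlier configuration) having initialized
# them before it runs.
SecRule REQUEST_FILENAME "@rx ^/rest(?:/|$)" \
    "id:93011,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ver:'openhab-proxy-rule-exclusions-plugin/1.0.0',\
    setvar:'tx.allowed_methods=%{tx.allowed_methods} PUT DELETE',\
    setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type} |text/plain|'"
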
# Remove CRS rule 920220 for every transaction, because "%" is often included
# in value formats.
#
# The match is unconditional: the rule is removed for all requests handled by
# this rule set, not only for OpenHAB paths.
# NOTE(review): if this WAF instance also fronts other applications, they lose
# the 920220 check as well - consider limiting the removal to the OpenHAB paths
# that actually carry "%" in their values.
SecRule WEBAPPID "@unconditionalMatch" \
    "id:93020,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=920220"