User controlled per-domain ModSecurity flags (TEMPLATES)(SKINS)

Version 1.61.4

Feature
Finished

CMD_MODSECURITY

Feature that enables Users to skip some mod_security rules, or fully disable them when needed.

<ID> below are rule skip IDs, called SecRuleRemoveById in ModSecurity.
The ID must be a positive integer, but ranges are allowed, as long as they're "quoted", eg:

1234
"1234-1239"

======================
VIEW RULES:

CMD_MODSECURITY?domain=domain.com

When called by an Admin, absence of the domain will return the global modsecurity_rules file.

======================
DISABLE

Should you want to disable the User's ability to use this feature, the commands.deny could be used, or use the never commands, eg:

/usr/local/directadmin/directadmin set never_commands CMD_MODSECURITY
service directadmin restart

======================
VIEW LOGS

JSON output only of the modsec_audit.log.
REQUIRES modsec_audit.log to use the new one-json-per-line format.

Users/Admins:
CMD_MODSECURITY?action=log&domain=domain.com

Only show entries matching this domain.
For Users, the domain must be in the domains.list.
For Admins, it can be any host value they want.
Sub-domains will be included in the output.
Blank hosts are not included.

Admins:
CMD_MODSECURITY?action=log

Shows entries with any Host value (or no Host).

To reduce the log output, you should include:
&lines=1000
or any other value. DA starts from the end of the log, parsing lines backwards, and stops after this number of ENTRIES has been added to the output (it was a tail, but it's now entries).

There is also an internal max_time=15 (which is dynamic: timeout / 4, assuming timeout=60).
You can pass &max_time=5 or any other number of seconds to have the parser stop after this many seconds, if you wish to speed up the display at the cost of losing some older entries. For very large logs, there is no point in parsing the entire thing if a timeout will happen.

The logs will be output in a "logs" array, filled with a list of transaction arrays.
The top-level json also includes a "summary" array, giving info on how the parser actually went, eg:

"summary":
{
    "max_time": "15",
    "requested_lines": "500",
    "returned_lines": "375",
    "time_abort": "yes"
}

where "time_abort": "yes" means that time ran out before actually finding that number of lines/entries.

======================
SAVE FLAGS

action: CMD_MODSECURITY
method: POST
domain=domain.com
action=save
SecFilterScanPOST=On|Off
SecRuleEngine=On|Off

Optional, can also be included to save a call if saving and skipping in 1 request:
SecRuleRemoveById=<ID>

When called by an Admin, absence of the domain will save to the global modsecurity_rules file. Same for the rule skips below.

======================
ADD RULE SKIP

action: CMD_MODSECURITY
method: POST
domain=domain.com
action=add
SecRuleRemoveById=<ID>

======================
REMOVE RULE SKIP

action: CMD_MODSECURITY
method: POST
domain=domain.com
action=select
SecRuleRemoveById=<ID>
AND/OR
select0=<ID>
(select1)=<ID>

======================
JSON VIEW:

CMD_MODSECURITY?domain=domain.com&json=yes

returns 2 arrays, one for On/Off flags, and the other for skip IDs, eg:

{
    "SecRuleRemoveById":
    [
        "1234"
    ],
    "flags":
    {
        "SecFilterScanPOST": "On",
        "SecRuleEngine": "On"
    }
}

You can learn if modsecurity=yes is set in the options.conf via:
CMD_ADDITIONAL_DOMAINS?action=view&domain=domain.com&json=yes
with the added value:
modsecurity=yes|no

When called by an Admin, absence of the domain will return the global modsecurity_rules file.
You'll also get a "subdomain_select" array, which is a standard select-box for the available subdomains.

======================
SUBDOMAINS

Any page can override just one subdomain, instead of the top domain with all sub-values, by including "subdomain=sub" in the GET/POST values.
The config will be at:
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.subdomains_modsecurity_rules/SUB.modsecurity_rules

======================
CONFIG FILES

When saved to disk, the path will be:
/usr/local/directadmin/data/users/USER/domains/DOMAIN.COM.modsecurity_rules
based on the template, below.

If an Admin is making a call to CMD_MODSECURITY, they are allowed to either pass the domain of some other User, or no domain at all.
The global config for mod_security will be stored at:
/usr/local/directadmin/data/admin/modsecurity_rules
to be included by the webserver configs.

======================
TEMPLATES

/usr/local/directadmin/data/templates/mod_security_rules.conf
where flags are stored into |FLAGS| and the multi-line SecRuleRemoveById values are saved into |DISABLEDRULES|.
The template starts with |CUSTOM1| and ends with |CUSTOM2|, but these tokens are currently blank for possible future expansion.

virtual_host2*.conf: added new token:
|MOD_SECURITY_RULES|
within the <Directory> context.

nginx_server*.conf
openlitespeed_vhost.conf

======================
SKINS

New file:
/usr/local/directadmin/data/skins/enhanced/user/mod_security.html

Modified:
/usr/local/directadmin/data/skins/enhanced/user/modify_domain.html
to include a button when:
|*if HAS_MOD_SECURITY="yes"|
pointing to:
/CMD_MODSECURITY?domain=|domain|

Unrelated: also changed all class=list tables in modify_domain.html to use the cleaner <table class=list_alt>, which does not require extra tags for td entries, and uses th for table titles/footers.

=========================
EVO1936
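To show how the pieces above fit together, here is an added Python example (not DirectAdmin's own code): it validates SecRuleRemoveById values the way the note describes them (positive integer, or a "quoted" range), renders the json=yes view into the |FLAGS| and |DISABLEDRULES| tokens, and reads the "summary" array of an action=log response. The stand-in template, the directive lines emitted inside the tokens, and the sample data are assumptions, since the real mod_security_rules.conf is not reproduced in the note.

```python
import re

# Validation for the rule skip IDs described in the note: a positive
# integer, or a range that is only accepted when it is "quoted".
_SINGLE_ID = re.compile(r"^[1-9][0-9]*$")
_RANGE_ID = re.compile(r'^"([1-9][0-9]*)-([1-9][0-9]*)"$')

# Assumed stand-in for mod_security_rules.conf; |CUSTOM1|/|CUSTOM2| stay blank.
TEMPLATE = "|CUSTOM1|\n|FLAGS|\n|DISABLEDRULES|\n|CUSTOM2|\n"
KNOWN_FLAGS = ("SecFilterScanPOST", "SecRuleEngine")


def validate_rule_id(value: str) -> bool:
    """True for a positive integer ID or a quoted ascending range."""
    value = value.strip()
    if _SINGLE_ID.match(value):
        return True
    m = _RANGE_ID.match(value)
    return bool(m) and int(m.group(1)) <= int(m.group(2))


def render_rules_conf(view: dict, template: str = TEMPLATE) -> str:
    """Render the per-domain rules file from the JSON VIEW structure,
    refusing any value that would not be a clean ModSecurity directive."""
    ids = [i.strip() for i in view.get("SecRuleRemoveById", [])]
    bad = [i for i in ids if not validate_rule_id(i)]
    if bad:
        raise ValueError(f"rejected SecRuleRemoveById value(s): {bad}")
    for name, state in view["flags"].items():
        if name not in KNOWN_FLAGS or state not in ("On", "Off"):
            raise ValueError(f"rejected flag {name}={state}")
    flags = "\n".join(f"{k} {v}" for k, v in view["flags"].items())
    disabled = "\n".join(f"SecRuleRemoveById {i}" for i in ids)
    return (template.replace("|CUSTOM1|", "").replace("|CUSTOM2|", "")
            .replace("|FLAGS|", flags).replace("|DISABLEDRULES|", disabled))


def log_was_cut_short(response: dict) -> bool:
    """True when the "summary" array shows the parser stopped early."""
    s = response["summary"]
    return s.get("time_abort") == "yes" or int(s["returned_lines"]) < int(s["requested_lines"])


# Constructed sample input, shaped like the responses quoted in the note.
SAMPLE_VIEW = {"SecRuleRemoveById": ["1234", '"1234-1239"'],
               "flags": {"SecFilterScanPOST": "On", "SecRuleEngine": "On"}}
SAMPLE_LOG = {"logs": [], "summary": {"max_time": "15", "requested_lines": "500",
                                      "returned_lines": "375", "time_abort": "yes"}}

if __name__ == "__main__":
    print(render_rules_conf(SAMPLE_VIEW), log_was_cut_short(SAMPLE_LOG))
```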
