add configuration options to mod_security

Author: jlambert121

README.md

@@ -907,6 +907,10 @@ vhosts.
   include '::apache::mod::security'
 ```
 
+#####`crs_package`
+
+Name of package to install containing crs rules
+
 #####`modsec_dir`
 
 Directory to install the modsec configuration and activated rules links into
@@ -916,6 +920,23 @@ Directory to install the modsec configuration and activated rules links into
 Array of rules from the modsec_crs_path to activate by symlinking to
 ${modsec_dir}/activated_rules.
 
+#####`allowed_methods`
+
+HTTP methods allowed by mod_security
+
+#####`content_types`
+
+Content-types allowed by mod_security
+
+#####`restricted_extensions`
+
+Extensions prohibited by mod_security
+
+#####`restricted_headers`
+
+Headers restricted by mod_security
+
+
 ####Defined Type: `apache::vhost`
 
 The Apache module allows a lot of flexibility in the setup and configuration of virtual hosts. This flexibility is due, in part, to `vhost` being a defined resource type, which allows it to be evaluated multiple times with different parameters.
@@ -1824,7 +1845,7 @@ Sets the value for the [PassengerEnabled](http://www.modrails.com/documentation/
 ```
 
 *Note:* Be aware that there is an [issue](http://www.conandalton.net/2010/06/passengerenabled-off-not-working.html) using the PassengerEnabled directive with the PassengerHighPerformance directive.
- 
+
 ######`php_value` and `php_flag`
 
 `php_value` sets the value of the directory, and `php_flag` uses a boolean to configure the directory. Further information can be found [here](http://php.net/manual/en/configuration.changes.php).

manifests/mod/security.pp

@@ -1,7 +1,11 @@
 class apache::mod::security (
-  $crs_package     = $::apache::params::modsec_crs_package,
-  $activated_rules = $::apache::params::modsec_default_rules,
-  $modsec_dir      = $::apache::params::modsec_dir,
+  $crs_package           = $::apache::params::modsec_crs_package,
+  $activated_rules       = $::apache::params::modsec_default_rules,
+  $modsec_dir            = $::apache::params::modsec_dir,
+  $allowed_methods       = 'GET HEAD POST OPTIONS',
+  $content_types         = 'application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf',
+  $restricted_extensions = '.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/',
+  $restricted_headers    = '/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/',
 ){
 
   if $::osfamily == 'FreeBSD' {
@@ -31,6 +35,8 @@
     ensure  => file,
     content => template('apache/mod/security.conf.erb'),
     path    => "${::apache::mod_dir}/security.conf",
+    owner   => $::apache::params::user,
+    group   => $::apache::params::group,
     require => Exec["mkdir ${::apache::mod_dir}"],
     before  => File[$::apache::mod_dir],
     notify  => Class['apache::service'],
@@ -42,14 +48,19 @@
     group   => $::apache::params::group,
     mode    => '0555',
     purge   => true,
+    force   => true,
     recurse => true,
   }
 
   file { "${modsec_dir}/activated_rules":
-    ensure => directory,
-    owner  => $::apache::params::user,
-    group  => $::apache::params::group,
-    mode   => '0555',
+    ensure  => directory,
+    owner   => $::apache::params::user,
+    group   => $::apache::params::group,
+    mode    => '0555',
+    purge   => true,
+    force   => true,
+    recurse => true,
+    notify  => Class['apache::service'],
   }
 
   file { "${modsec_dir}/security_crs.conf":

manifests/security/rule_link.pp

@@ -8,5 +8,6 @@
     path    => "${::apache::mod::security::modsec_dir}/activated_rules/${filename}",
     target  => "${::apache::params::modsec_crs_path}/${title}",
     require => File["${::apache::mod::security::modsec_dir}/activated_rules"],
+    notify  => Class['apache::service'],
   }
 }

templates/mod/security_crs.conf.erb

@@ -269,11 +269,11 @@ SecAction \
   "id:'900012', \
   phase:1, \
   t:none, \
-  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
-  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf', \
+  setvar:'tx.allowed_methods=<%= @allowed_methods -%>', \
+  setvar:'tx.allowed_request_content_type=<%= @content_types -%>', \
   setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
-  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
-  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
+  setvar:'tx.restricted_extensions=<%= @restricted_extensions -%>', \
+  setvar:'tx.restricted_headers=<%= @restricted_headers -%>', \
   nolog, \
   pass"