From 5862fd62cc879a879df99557c6001bc5be565ad8 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 29 Jan 2026 04:39:05 +0200
Subject: [PATCH] Fix ModSecurity CRS includes for nginx

---
 README.md             |  3 ++-
 VERSION               |  2 +-
 bin/jabali-agent      | 49 +++++++++++++++++++++++++++++++++++++++++++
 install.sh            | 35 ++++++++++++++++---------------
 install_from_gitea.sh | 35 ++++++++++++++++---------------
 5 files changed, 88 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index cd520da..395e22a 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 
 A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4.
 
-Version: 0.9-rc29 (release candidate)
+Version: 0.9-rc30 (release candidate)
 
 This is a release candidate. Expect rapid iteration and breaking changes until 1.0.
 
@@ -156,6 +156,7 @@ php artisan test --compact
 
 ## Initial Release
 
+- 0.9-rc30: Avoid IncludeOptional in ModSecurity CRS includes.
 - 0.9-rc29: Ensure ModSecurity unicode mapping is installed automatically.
 - 0.9-rc28: ModSecurity unicode mapping setup fixes.
 - 0.9-rc27: Installers now read VERSION when available.
diff --git a/VERSION b/VERSION
index 1b57e77..aafe97c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-VERSION=0.9-rc29
+VERSION=0.9-rc30
diff --git a/bin/jabali-agent b/bin/jabali-agent
index 6d2d34e..5f62e8c 100755
--- a/bin/jabali-agent
+++ b/bin/jabali-agent
@@ -2782,6 +2782,7 @@ function ensureJabaliNginxIncludeFiles(): void
     }
 
     ensureWafUnicodeMapFile();
+    ensureWafMainConfig();
 
     $baseConfig = findWafBaseConfig();
     $shouldDisableWaf = $baseConfig === null;
@@ -2804,6 +2805,50 @@ function ensureJabaliNginxIncludeFiles(): void
     }
 }
 
+function ensureWafMainConfig(): void
+{
+    $path = '/etc/nginx/modsec/main.conf';
+    $dir = dirname($path);
+
+    if (!is_dir($dir)) {
+        @mkdir($dir, 0755, true);
+    }
+
+    $needsRewrite = !file_exists($path);
+    if (!$needsRewrite) {
+        $content = file_get_contents($path);
+        if ($content === false || stripos($content, 'IncludeOptional') !== false || stripos($content, 'owasp-crs.load') !== false) {
+            $needsRewrite = true;
+        }
+    }
+
+    if (!$needsRewrite) {
+        return;
+    }
+
+    $lines = ['Include /etc/modsecurity/modsecurity.conf'];
+
+    if (file_exists('/etc/modsecurity/crs/crs-setup.conf')) {
+        $lines[] = 'Include /etc/modsecurity/crs/crs-setup.conf';
+    } elseif (file_exists('/usr/share/modsecurity-crs/crs-setup.conf')) {
+        $lines[] = 'Include /usr/share/modsecurity-crs/crs-setup.conf';
+    }
+
+    if (file_exists('/etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf')) {
+        $lines[] = 'Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf';
+    }
+
+    if (is_dir('/usr/share/modsecurity-crs/rules')) {
+        $lines[] = 'Include /usr/share/modsecurity-crs/rules/*.conf';
+    }
+
+    if (file_exists('/etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf')) {
+        $lines[] = 'Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf';
+    }
+
+    file_put_contents($path, implode("\n", $lines) . "\n");
+}
+
 function ensureWafUnicodeMapFile(): void
 {
     $target = '/etc/modsecurity/unicode.mapping';
@@ -2910,6 +2955,10 @@ function isWafBaseConfigUsable(string $path): bool
         return false;
     }
 
+    if (stripos($content, 'IncludeOptional') !== false) {
+        return false;
+    }
+
     if (preg_match_all('/^\s*Include\s+("?)([^"\s]+)\1/m', $content, $matches)) {
         foreach ($matches[2] as $includePath) {
             if ($includePath === '/etc/modsecurity/modsecurity.conf' && !file_exists($includePath)) {
diff --git a/install.sh b/install.sh
index ea802a6..5e9b902 100755
--- a/install.sh
+++ b/install.sh
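Review bot: The write at the end of ensureWafMainConfig is unchecked — `@mkdir` silences its own failure and the return value of `file_put_contents` is ignored, so on a read-only or permission-denied /etc/nginx/modsec the function returns as if main.conf were in place, and presumably the caller's `$shouldDisableWaf = $baseConfig === null` (first hunk) is what then decides, without any log line, whether the WAF quietly stays off. Suggest `if (file_put_contents($path, implode("\n", $lines) . "\n") === false) { error_log("jabali-agent: unable to write $path"); }`, or whichever logging helper the agent already uses, so the failure is at least visible. The rewrite is also wholesale once an existing main.conf mentions IncludeOptional or owasp-crs.load, so any operator-added Include lines in that file are discarded; a comment above `$needsRewrite` such as `// Existing file is replaced wholesale; operator additions are not preserved.` would make that deliberate. Writing to a temporary file in the same directory and renaming it over main.conf would additionally keep a concurrent nginx reload from reading a half-written file.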
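Review bot: The added `stripos($content, 'IncludeOptional') !== false` check in isWafBaseConfigUsable is a plain substring match, so a commented-out line such as `# IncludeOptional ...` in a base config marks the whole file unusable; the same pattern in ensureWafMainConfig above triggers a full rewrite on the same false positive. Matching the directive at line start, `if (preg_match('/^\s*IncludeOptional\b/mi', $content)) { return false; }`, mirrors the existing `preg_match_all('/^\s*Include\s+...`/m` just below and avoids that. The body of isWafBaseConfigUsable begins before this hunk, so where `$content` is read is not visible here.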
@@ -2122,25 +2122,26 @@ EOF
            fi
        fi
 
-        # Create main include file for nginx if missing
+        # Create main include file for nginx if missing (avoid IncludeOptional)
         mkdir -p /etc/nginx/modsec
         if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
-            if [[ -f /usr/share/modsecurity-crs/owasp-crs.load ]]; then
-                cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /usr/share/modsecurity-crs/owasp-crs.load
-EOF
-            elif [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
-                cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /etc/modsecurity/crs/crs-setup.conf
-Include /usr/share/modsecurity-crs/rules/*.conf
-EOF
-            else
-                cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-EOF
-            fi
+            {
+                echo "Include /etc/modsecurity/modsecurity.conf"
+                if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
+                    echo "Include /etc/modsecurity/crs/crs-setup.conf"
+                elif [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
+                    echo "Include /usr/share/modsecurity-crs/crs-setup.conf"
+                fi
+                if [[ -f /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]]; then
+                    echo "Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+                fi
+                if [[ -d /usr/share/modsecurity-crs/rules ]]; then
+                    echo "Include /usr/share/modsecurity-crs/rules/*.conf"
+                fi
+                if [[ -f /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ]]; then
+                    echo "Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
+                fi
+            } > /etc/nginx/modsec/main.conf
         fi
     fi
 fi
diff --git a/install_from_gitea.sh b/install_from_gitea.sh
index 098f843..b590474 100755
--- a/install_from_gitea.sh
+++ b/install_from_gitea.sh
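Review bot: The ordered include list inside the new `{ ... } > /etc/nginx/modsec/main.conf` group is now the third copy of the same logic — it appears verbatim in the install_from_gitea.sh hunk and again as ensureWafMainConfig in bin/jabali-agent — so the next change to the CRS file layout has to be made in three places and the copies will drift. At minimum add a comment above the group pointing at the canonical copy, e.g. `# Keep in sync with ensureWafMainConfig() in bin/jabali-agent`; extracting one function that both installers source would be better. Note also that `echo "Include /usr/share/modsecurity-crs/rules/*.conf"` is still emitted when neither crs-setup.conf candidate exists, and whether CRS loads cleanly in that arrangement is not something this hunk establishes. The installers only write main.conf when it is missing, so an existing file that still uses IncludeOptional is left for the agent to rewrite; the enclosing if blocks begin before this hunk.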
@@ -2122,25 +2122,26 @@ EOF
            fi
        fi
 
-        # Create main include file for nginx if missing
+        # Create main include file for nginx if missing (avoid IncludeOptional)
         mkdir -p /etc/nginx/modsec
         if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
-            if [[ -f /usr/share/modsecurity-crs/owasp-crs.load ]]; then
-                cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /usr/share/modsecurity-crs/owasp-crs.load
-EOF
-            elif [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
-                cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /etc/modsecurity/crs/crs-setup.conf
-Include /usr/share/modsecurity-crs/rules/*.conf
-EOF
-            else
-                cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-EOF
-            fi
+            {
+                echo "Include /etc/modsecurity/modsecurity.conf"
+                if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
+                    echo "Include /etc/modsecurity/crs/crs-setup.conf"
+                elif [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
+                    echo "Include /usr/share/modsecurity-crs/crs-setup.conf"
+                fi
+                if [[ -f /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]]; then
+                    echo "Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+                fi
+                if [[ -d /usr/share/modsecurity-crs/rules ]]; then
+                    echo "Include /usr/share/modsecurity-crs/rules/*.conf"
+                fi
+                if [[ -f /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ]]; then
+                    echo "Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
+                fi
+            } > /etc/nginx/modsec/main.conf
         fi
     fi
 fi