shukivaknin/jabali-panel
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ModSecurity CRS includes for nginx

Browse Source
This commit is contained in:
root
2026-01-29 04:39:05 +02:00
parent f92dd9eb22
commit 5862fd62cc
5 changed files with 88 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -5,7 +5,7 @@
A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4. A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4.
Version: 0.9-rc29 (release candidate) Version: 0.9-rc30 (release candidate)
This is a release candidate. Expect rapid iteration and breaking changes until 1.0. This is a release candidate. Expect rapid iteration and breaking changes until 1.0.
@@ -156,6 +156,7 @@ php artisan test --compact
## Initial Release ## Initial Release
- 0.9-rc30: Avoid IncludeOptional in ModSecurity CRS includes.
- 0.9-rc29: Ensure ModSecurity unicode mapping is installed automatically. - 0.9-rc29: Ensure ModSecurity unicode mapping is installed automatically.
- 0.9-rc28: ModSecurity unicode mapping setup fixes. - 0.9-rc28: ModSecurity unicode mapping setup fixes.
- 0.9-rc27: Installers now read VERSION when available. - 0.9-rc27: Installers now read VERSION when available.

2
VERSION
View File

@@ -1 +1 @@
VERSION=0.9-rc29 VERSION=0.9-rc30

49
bin/jabali-agent
View File

@@ -2782,6 +2782,7 @@ function ensureJabaliNginxIncludeFiles(): void
} }
ensureWafUnicodeMapFile(); ensureWafUnicodeMapFile();
ensureWafMainConfig();
$baseConfig = findWafBaseConfig(); $baseConfig = findWafBaseConfig();
$shouldDisableWaf = $baseConfig === null; $shouldDisableWaf = $baseConfig === null;
@@ -2804,6 +2805,50 @@ function ensureJabaliNginxIncludeFiles(): void
} }
} }
function ensureWafMainConfig(): void
{
$path = '/etc/nginx/modsec/main.conf';
$dir = dirname($path);
if (!is_dir($dir)) {
@mkdir($dir, 0755, true);
}
$needsRewrite = !file_exists($path);
if (!$needsRewrite) {
$content = file_get_contents($path);
if ($content === false || stripos($content, 'IncludeOptional') !== false || stripos($content, 'owasp-crs.load') !== false) {
$needsRewrite = true;
}
}
if (!$needsRewrite) {
return;
}
$lines = ['Include /etc/modsecurity/modsecurity.conf'];
if (file_exists('/etc/modsecurity/crs/crs-setup.conf')) {
$lines[] = 'Include /etc/modsecurity/crs/crs-setup.conf';
} elseif (file_exists('/usr/share/modsecurity-crs/crs-setup.conf')) {
$lines[] = 'Include /usr/share/modsecurity-crs/crs-setup.conf';
}
if (file_exists('/etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf')) {
$lines[] = 'Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf';
}
if (is_dir('/usr/share/modsecurity-crs/rules')) {
$lines[] = 'Include /usr/share/modsecurity-crs/rules/*.conf';
}
if (file_exists('/etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf')) {
$lines[] = 'Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf';
}
file_put_contents($path, implode("\n", $lines) . "\n");
}
function ensureWafUnicodeMapFile(): void function ensureWafUnicodeMapFile(): void
{ {
$target = '/etc/modsecurity/unicode.mapping'; $target = '/etc/modsecurity/unicode.mapping';
@@ -2910,6 +2955,10 @@ function isWafBaseConfigUsable(string $path): bool
return false; return false;
} }
if (stripos($content, 'IncludeOptional') !== false) {
return false;
}
if (preg_match_all('/^\s*Include\s+("?)([^"\s]+)\1/m', $content, $matches)) { if (preg_match_all('/^\s*Include\s+("?)([^"\s]+)\1/m', $content, $matches)) {
foreach ($matches[2] as $includePath) { foreach ($matches[2] as $includePath) {
if ($includePath === '/etc/modsecurity/modsecurity.conf' && !file_exists($includePath)) { if ($includePath === '/etc/modsecurity/modsecurity.conf' && !file_exists($includePath)) {

33
install.sh
View File

@@ -2122,25 +2122,26 @@ EOF
fi fi
fi fi
# Create main include file for nginx if missing # Create main include file for nginx if missing (avoid IncludeOptional)
mkdir -p /etc/nginx/modsec mkdir -p /etc/nginx/modsec
if [[ ! -f /etc/nginx/modsec/main.conf ]]; then if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
if [[ -f /usr/share/modsecurity-crs/owasp-crs.load ]]; then {
cat > /etc/nginx/modsec/main.conf <<'EOF' echo "Include /etc/modsecurity/modsecurity.conf"
Include /etc/modsecurity/modsecurity.conf if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
Include /usr/share/modsecurity-crs/owasp-crs.load echo "Include /etc/modsecurity/crs/crs-setup.conf"
EOF elif [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
elif [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then echo "Include /usr/share/modsecurity-crs/crs-setup.conf"
cat > /etc/nginx/modsec/main.conf <<'EOF'
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
EOF
else
cat > /etc/nginx/modsec/main.conf <<'EOF'
Include /etc/modsecurity/modsecurity.conf
EOF
fi fi
if [[ -f /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]]; then
echo "Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
fi
if [[ -d /usr/share/modsecurity-crs/rules ]]; then
echo "Include /usr/share/modsecurity-crs/rules/*.conf"
fi
if [[ -f /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ]]; then
echo "Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
fi
} > /etc/nginx/modsec/main.conf
fi fi
fi fi
fi fi

33
install_from_gitea.sh
View File

@@ -2122,25 +2122,26 @@ EOF
fi fi
fi fi
# Create main include file for nginx if missing # Create main include file for nginx if missing (avoid IncludeOptional)
mkdir -p /etc/nginx/modsec mkdir -p /etc/nginx/modsec
if [[ ! -f /etc/nginx/modsec/main.conf ]]; then if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
if [[ -f /usr/share/modsecurity-crs/owasp-crs.load ]]; then {
cat > /etc/nginx/modsec/main.conf <<'EOF' echo "Include /etc/modsecurity/modsecurity.conf"
Include /etc/modsecurity/modsecurity.conf if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
Include /usr/share/modsecurity-crs/owasp-crs.load echo "Include /etc/modsecurity/crs/crs-setup.conf"
EOF elif [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
elif [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then echo "Include /usr/share/modsecurity-crs/crs-setup.conf"
cat > /etc/nginx/modsec/main.conf <<'EOF'
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
EOF
else
cat > /etc/nginx/modsec/main.conf <<'EOF'
Include /etc/modsecurity/modsecurity.conf
EOF
fi fi
if [[ -f /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]]; then
echo "Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
fi
if [[ -d /usr/share/modsecurity-crs/rules ]]; then
echo "Include /usr/share/modsecurity-crs/rules/*.conf"
fi
if [[ -f /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ]]; then
echo "Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
fi
} > /etc/nginx/modsec/main.conf
fi fi
fi fi
fi fi