Fix ModSecurity CRS includes for nginx

2026-01-29 04:39:05 +02:00
parent f92dd9eb22
commit 5862fd62cc
5 changed files with 88 additions and 36 deletions
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@

 A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4.

-Version: 0.9-rc29 (release candidate)
+Version: 0.9-rc30 (release candidate)

 This is a release candidate. Expect rapid iteration and breaking changes until 1.0.

@@ -156,6 +156,7 @@ php artisan test --compact

 ## Initial Release

+- 0.9-rc30: Avoid IncludeOptional in ModSecurity CRS includes.
 - 0.9-rc29: Ensure ModSecurity unicode mapping is installed automatically.
 - 0.9-rc28: ModSecurity unicode mapping setup fixes.
 - 0.9-rc27: Installers now read VERSION when available.
--- a/2
+++ b/2
@@ -1 +1 @@
-VERSION=0.9-rc29
+VERSION=0.9-rc30
--- a/bin/jabali-agent
+++ b/bin/jabali-agent
@@ -2782,6 +2782,7 @@ function ensureJabaliNginxIncludeFiles(): void
    }

    ensureWafUnicodeMapFile();
+    ensureWafMainConfig();

    $baseConfig = findWafBaseConfig();
    $shouldDisableWaf = $baseConfig === null;
@@ -2804,6 +2805,50 @@ function ensureJabaliNginxIncludeFiles(): void
    }
 }

+function ensureWafMainConfig(): void
+{
+    $path = '/etc/nginx/modsec/main.conf';
+    $dir = dirname($path);
+
+    if (!is_dir($dir)) {
+        @mkdir($dir, 0755, true);
+    }
+
+    $needsRewrite = !file_exists($path);
+    if (!$needsRewrite) {
+        $content = file_get_contents($path);
+        if ($content === false || stripos($content, 'IncludeOptional') !== false || stripos($content, 'owasp-crs.load') !== false) {
+            $needsRewrite = true;
+        }
+    }
+
+    if (!$needsRewrite) {
+        return;
+    }
+
+    $lines = ['Include /etc/modsecurity/modsecurity.conf'];
+
+    if (file_exists('/etc/modsecurity/crs/crs-setup.conf')) {
+        $lines[] = 'Include /etc/modsecurity/crs/crs-setup.conf';
+    } elseif (file_exists('/usr/share/modsecurity-crs/crs-setup.conf')) {
+        $lines[] = 'Include /usr/share/modsecurity-crs/crs-setup.conf';
+    }
+
+    if (file_exists('/etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf')) {
+        $lines[] = 'Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf';
+    }
+
+    if (is_dir('/usr/share/modsecurity-crs/rules')) {
+        $lines[] = 'Include /usr/share/modsecurity-crs/rules/*.conf';
+    }
+
+    if (file_exists('/etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf')) {
+        $lines[] = 'Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf';
+    }
+
+    file_put_contents($path, implode("\n", $lines) . "\n");
+}
+
 function ensureWafUnicodeMapFile(): void
 {
    $target = '/etc/modsecurity/unicode.mapping';
@@ -2910,6 +2955,10 @@ function isWafBaseConfigUsable(string $path): bool
        return false;
    }

+    if (stripos($content, 'IncludeOptional') !== false) {
+        return false;
+    }
+
    if (preg_match_all('/^\s*Include\s+("?)([^"\s]+)\1/m', $content, $matches)) {
        foreach ($matches[2] as $includePath) {
            if ($includePath === '/etc/modsecurity/modsecurity.conf' && !file_exists($includePath)) {
--- a/install.sh
+++ b/install.sh
@@ -2122,25 +2122,26 @@ EOF
                fi
            fi

-            # Create main include file for nginx if missing
+            # Create main include file for nginx if missing (avoid IncludeOptional)
            mkdir -p /etc/nginx/modsec
            if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
-                if [[ -f /usr/share/modsecurity-crs/owasp-crs.load ]]; then
-                    cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /usr/share/modsecurity-crs/owasp-crs.load
-EOF
-                elif [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
-                    cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /etc/modsecurity/crs/crs-setup.conf
-Include /usr/share/modsecurity-crs/rules/*.conf
-EOF
-                else
-                    cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-EOF
+                {
+                    echo "Include /etc/modsecurity/modsecurity.conf"
+                    if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
+                        echo "Include /etc/modsecurity/crs/crs-setup.conf"
+                    elif [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
+                        echo "Include /usr/share/modsecurity-crs/crs-setup.conf"
                    fi
+                    if [[ -f /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]]; then
+                        echo "Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+                    fi
+                    if [[ -d /usr/share/modsecurity-crs/rules ]]; then
+                        echo "Include /usr/share/modsecurity-crs/rules/*.conf"
+                    fi
+                    if [[ -f /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ]]; then
+                        echo "Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
+                    fi
+                } > /etc/nginx/modsec/main.conf
            fi
        fi
    fi
--- a/install_from_gitea.sh
+++ b/install_from_gitea.sh
@@ -2122,25 +2122,26 @@ EOF
                fi
            fi

-            # Create main include file for nginx if missing
+            # Create main include file for nginx if missing (avoid IncludeOptional)
            mkdir -p /etc/nginx/modsec
            if [[ ! -f /etc/nginx/modsec/main.conf ]]; then
-                if [[ -f /usr/share/modsecurity-crs/owasp-crs.load ]]; then
-                    cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /usr/share/modsecurity-crs/owasp-crs.load
-EOF
-                elif [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
-                    cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-Include /etc/modsecurity/crs/crs-setup.conf
-Include /usr/share/modsecurity-crs/rules/*.conf
-EOF
-                else
-                    cat > /etc/nginx/modsec/main.conf <<'EOF'
-Include /etc/modsecurity/modsecurity.conf
-EOF
+                {
+                    echo "Include /etc/modsecurity/modsecurity.conf"
+                    if [[ -f /etc/modsecurity/crs/crs-setup.conf ]]; then
+                        echo "Include /etc/modsecurity/crs/crs-setup.conf"
+                    elif [[ -f /usr/share/modsecurity-crs/crs-setup.conf ]]; then
+                        echo "Include /usr/share/modsecurity-crs/crs-setup.conf"
                    fi
+                    if [[ -f /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]]; then
+                        echo "Include /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+                    fi
+                    if [[ -d /usr/share/modsecurity-crs/rules ]]; then
+                        echo "Include /usr/share/modsecurity-crs/rules/*.conf"
+                    fi
+                    if [[ -f /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf ]]; then
+                        echo "Include /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
+                    fi
+                } > /etc/nginx/modsec/main.conf
            fi
        fi
    fi