Merge pull request #2274 from Vincevrp/vhost-allowed-methods

david22swan · web-flow · commit c467cf4d6c87 · 2022-08-05T09:43:20.000+01:00
Allow overriding CRS allowed HTTP methods per vhost
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
@@ -562,6 +562,9 @@
 #   for the Collaborative Detection Mode in the OWASP ModSecurity Core Rule
 #   Set.
 #
+# @param modsec_allowed_methods
+#   Override global allowed methods. A space-separated list of allowed HTTP methods.
+#
 # @param no_proxy_uris
 #   Specifies URLs you do not want to proxy. This parameter is meant to be used in combination 
 #   with [`proxy_dest`](#proxy_dest).
@@ -1913,6 +1916,7 @@
   Optional[String] $modsec_body_limit                                                 = undef,
   Optional[Integer[1, default]] $modsec_inbound_anomaly_threshold                     = undef,
   Optional[Integer[1, default]] $modsec_outbound_anomaly_threshold                    = undef,
+  Optional[String] $modsec_allowed_methods                                            = undef,
   Array[Hash] $jk_mounts                                                              = [],
   Boolean $auth_kerb                                                                  = false,
   Enum['on', 'off'] $krb_method_negotiate                                             = 'on',
@@ -2800,7 +2804,8 @@
   # - $modsec_audit_log_destination
   # - $modsec_inbound_anomaly_threshold
   # - $modsec_outbound_anomaly_threshold
-  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) {
+  # - $modsec_allowed_methods
+  if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
     concat::fragment { "${name}-security":
       target  => "${priority_real}${filename}.conf",
       order   => 320,
diff --git a/spec/defines/vhost_spec.rb b/spec/defines/vhost_spec.rb
@@ -1229,6 +1229,29 @@
           }
         end
 
+        context 'modsec_allowed_methods' do
+          let :params do
+            {
+              'docroot'                => '/rspec/docroot',
+              'modsec_allowed_methods' => 'GET HEAD POST OPTIONS',
+            }
+          end
+
+          it { is_expected.to compile }
+          it {
+            is_expected.to contain_concat__fragment('rspec.example.com-security').with(
+              content: %r{
+              ^\s+SecAction\ \\\n
+              \s+\"id:900200,\\\n
+              \s+phase:1,\\\n
+              \s+nolog,\\\n\s+pass,\\\n
+              \s+t:none,\\\n
+              \s+setvar:'tx.allowed_methods=GET\ HEAD\ POST\ OPTIONS'"$
+              }x,
+            )
+          }
+        end
+
         context 'set only aliases' do
           let :params do
             {
diff --git a/templates/vhost/_security.erb b/templates/vhost/_security.erb
@@ -49,4 +49,13 @@
     setvar:tx.inbound_anomaly_score_threshold=<%= @modsec_inbound_anomaly_threshold -%>, \
     setvar:tx.outbound_anomaly_score_threshold=<%= @modsec_outbound_anomaly_threshold -%>"
 <% end -%>
+<% if @modsec_allowed_methods -%>
+  SecAction \
+   "id:900200,\
+    phase:1,\
+    nolog,\
+    pass,\
+    t:none,\
+    setvar:'tx.allowed_methods=<%= @modsec_allowed_methods -%>'"
+<% end -%>
 </IfModule>
