coraza/coraza.conf-recommended at main · corazawaf/coraza · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
# -- Rule engine initialization ----------------------------------------------

# Enable Coraza, attaching it to every transaction.
# Possible values: On, Off, DetectionOnly.
# DetectionOnly minimises the chances of post-installation disruption by
# only logging matched rules without performing disruptive actions.
#
SecRuleEngine DetectionOnly


# -- Default actions ---------------------------------------------------------

# Configures all rules to log by default in both the error and audit logs.
# Rule-specific actions will override these defaults.
# This allows CRS correlation rules (e.g. 980170 in phase 5) to emit error logs,
# and matches the default ModSecurity actionset.
# These defaults can be adjusted to disable logging (e.g. to avoid logging sensitive
# response data in phases 3–5) via the nolog and noauditlog actions, commenting out
# or removing the lines below.
# Note:
# - phase 1 and phase 2 defaults are commented out because they are typically already provided in a CRS setup via the crs-setup.conf file.
#  - phase 2 default actions are hardcoded. This phase requires an explicit override to tweak it.
#
#SecDefaultAction "phase:1,log,auditlog,pass"
#SecDefaultAction "phase:2,log,auditlog,pass"
SecDefaultAction "phase:3,log,auditlog,pass"
SecDefaultAction "phase:4,log,auditlog,pass"
SecDefaultAction "phase:5,log,auditlog,pass"


# -- Performance optimizations -----------------------------------------------

# Toggles literal pre-filtering for the @rx operator.
# When enabled, Coraza analyses each regex pattern at rule-load time and
# builds pre-checks that will be executed before the full regex evaluation,
# allowing to skip unnecessary regex evaluations.
# Warning: Experimental feature.
#
SecRxPreFilter Off

# -- Request body handling ---------------------------------------------------

# Allows Coraza to access request bodies. Without this, Coraza
# can not see POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

# Enable JSON request body parser.
# Initiate JSON Processor in case of JSON content-type; change accordingly
# if the application does not use 'application/json'
#
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Enable JSON request body parser for more subtypes.
# Adapt this rule to engage the JSON Processor for "+json" subtypes
#
SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"

# Configures the maximum JSON recursion depth limit Coraza will accept.
SecRequestBodyJsonDepthLimit 1024

# Maximum request body size (bytes) Coraza will accept for buffering. When
# supporting file uploads, this value has to be as large as the largest
# file that should be accepted.
SecRequestBodyLimit 13107200

# Maximum request body size (bytes) that Coraza will store in memory. If the body
# size exceeds this value, it will be saved to a temporary file on disk.
SecRequestBodyInMemoryLimit 131072

# Maximum request body size (bytes) Coraza will accept for buffering, with files excluded.
# This value should be kept as low as practical.
# Note: SecRequestBodyNoFilesLimit is currently NOT supported by Coraza
# SecRequestBodyNoFilesLimit 131072

# Configures the action to take if the request body size is above the configured limit.
# Possible values: Reject, ProcessPartial.
# When SecRuleEngine is set to DetectionOnly, this directive is set to ProcessPartial
# to minimize disruptions when initially deploying Coraza.
# Warning: Setting this directive to ProcessPartial introduces a potential bypass
# risk, as attackers could prepend junk data equal to or greater than the inspected body size.
#
SecRequestBodyLimitAction Reject

# Verifies that the request body was correctly processed.
# As a rule of thumb, when failing to process a request body
# the request should be rejected (when deployed in blocking mode)
# or a high-severity alert logged (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# Enforces strict validation by default for what is accepted in the
# multipart/form-data request body. If the rule below proves to be
# too strict consider changing it to detection-only.
# Do NOT remove it, as it will catch many evasion attempts.
#
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,status:400, \
    msg:'Multipart request body failed strict validation.'"


# -- Response body handling --------------------------------------------------

# Allows Coraza to access response bodies. Without this, Coraza
# can not see response content looking for errors and data leakage issues.
#
# Note that enabling this directive increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On

# Configures response MIME types that Coraza will buffer and inspect. The
# configuration below should be adjusted to catch documents but avoid static
# files (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml

# Maximum response body size (bytes) that Coraza will store in memory.
# This default equals to 512 KB.
#
SecResponseBodyLimit 524288

# Configures the action to take if the response body size is above the configured limit.
# Possible values: Reject, ProcessPartial.
# When SecRuleEngine is set to DetectionOnly, this directive is set to ProcessPartial
# to minimize disruptions when initially deploying Coraza.
# ProcessPartial allows Coraza to inspect the portion of the response body that is within
# the configured limit, while letting the rest through. This approach may be less secure,
# but helps prevent legitimate pages from being blocked.
#
SecResponseBodyLimitAction ProcessPartial


# -- Filesystem configuration ------------------------------------------------

# The location where Coraza will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/


# -- File uploads handling configuration -------------------------------------

# The location where Coraza stores intercepted uploaded files. This
# location must be private to Coraza. Other users on the server
# should not be able to access the files.
#
#SecUploadDir /opt/coraza/var/upload/

# Controls whether intercepted uploaded files will be kept after
# transaction is processed. Possible values: On, Off, RelevantOnly.
# RelevantOnly will keep files only when a matching rule is logged (rules with 'nolog' do not qualify).
#
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. This may need to be relaxed to
# interface Coraza with an external program (e.g., an anti-virus).
# Note: SecUploadFileMode is currently NOT supported by Coraza
#
#SecUploadFileMode 0600


# -- Debug log configuration -------------------------------------------------

# Default debug log path
# Debug levels:
# 0:   No logging (least verbose)
# 1:   Error
# 2:   Warn
# 3:   Info
# 4-8: Debug
# 9:   Trace (most verbose)
#
#SecDebugLog /opt/coraza/var/log/debug.log
#SecDebugLogLevel 3


# -- Audit log configuration -------------------------------------------------

# Configure the audit logging engine, which logs transaction details.
# Possible values: On, Off, RelevantOnly
# RelevantOnly logs the transactions marked by a matched rule with auditlog,
# or relevant transaction based on response status (see SecAuditLogRelevantStatus).
#
SecAuditEngine RelevantOnly

# When SecAuditEngine is set to RelevantOnly, define which response
# status codes are considered relevant.
# The following regex matches status codes 400-419 and 500-519.
#
SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"

# Define which parts of the transaction are recorded in the audit log.
#
SecAuditLogParts ABIJDEFHZ

# Configure the audit logging mechanism. Possible values:
# Serial (single file), Concurrent (one file per transaction),
# HTTPS (send to a URL), Syslog (send to a syslog server).
#
SecAuditLogType Serial

# Path to the audit log file (serial format) or the index file
# (concurrent format). If not specified, no audit logs will be emitted.
#
#SecAuditLog /opt/coraza/var/log/audit.log

# The format used to write the audit log.
# Possible values: JSON, JsonLegacy, Native, OCSF.
#
SecAuditLogFormat Native

# Directory for concurrent audit logging, where individual transaction logs are stored.
#
#SecAuditLogStorageDir /opt/coraza/var/audit/

# The following settings are not supported by Coraza
# SecCookieFormat 0
# SecArgumentSeparator &
# SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
#    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# SecRule TX:/^COR_/ "!@streq 0" \
#       "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"