feat: replace custom ModSecurity configuration with CRS plugin URL for WordPress examples

2026-05-24 09:28:37 +00:00 · 2024-11-20 16:09:47 +01:00 · 2024-11-20 16:09:47 +01:00 · 1d7182a48d
commit 1d7182a48d
parent 97f9da0c87
8 changed files with 12 additions and 84 deletions
--- a/examples/wordpress/autoconf.yml
+++ b/examples/wordpress/autoconf.yml
@ -19,23 +19,8 @@ services:
      - bunkerweb.USE_REVERSE_PROXY=yes
      - bunkerweb.REVERSE_PROXY_URL=/
      - bunkerweb.REVERSE_PROXY_HOST=http://mywp
-      - |
-        bunkerweb.CUSTOM_CONF_MODSEC_CRS_wordpress=
-        SecAction \
-         "id:900130,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:tx.crs_exclusions_wordpress=1"
-
-        SecAction \
-         "id:900220,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
+      # This is a CRS plugin specific to WordPress
+      - bunkerweb.MODSECURITY_CRS_PLUGIN_URLS=https://github.com/coreruleset/wordpress-rule-exclusions-plugin/archive/refs/tags/v1.0.1.tar.gz


  mydb:
--- a/examples/wordpress/bw-data/configs/modsec-crs/wordpress.conf
+++ b/examples/wordpress/bw-data/configs/modsec-crs/wordpress.conf
@ -1,15 +0,0 @@
-SecAction \
-  "id:900130,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:tx.crs_exclusions_wordpress=1"
-
-SecAction \
-  "id:900220,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
--- a/examples/wordpress/docker-compose.yml
+++ b/examples/wordpress/docker-compose.yml
@ -3,8 +3,9 @@ services:
    image: bunkerity/bunkerweb:1.6.0-beta
    container_name: bunkerweb
    ports:
-      - "80:8080"
-      - "443:8443"
+      - "80:8080/tcp"
+      - "443:8443/tcp"
+      - "443:8443/udp" # for QUIC
    environment:
      API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
    restart: "unless-stopped"
@ -31,22 +32,7 @@ services:
      USE_REVERSE_PROXY: "yes"
      REVERSE_PROXY_URL: "/"
      REVERSE_PROXY_HOST: "http://mywp"
-      CUSTOM_CONF_MODSEC_CRS_wordpress: |
-        SecAction \
-         "id:900130,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:tx.crs_exclusions_wordpress=1"
-
-        SecAction \
-         "id:900220,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
+      MODSECURITY_CRS_PLUGIN_URLS: "https://github.com/coreruleset/wordpress-rule-exclusions-plugin/archive/refs/tags/v1.0.1.tar.gz" # This is a CRS plugin specific to WordPress
    restart: "unless-stopped"
    networks:
      - bw-universe
--- a/examples/wordpress/kubernetes.yml
+++ b/examples/wordpress/kubernetes.yml
@ -5,6 +5,8 @@ metadata:
  annotations:
    bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
    bunkerweb.io/www.example.com_MAX_CLIENT_SIZE: "50m"
+    # This is a CRS plugin specific to WordPress
+    bunkerweb.io/www.example.com_MODSECURITY_CRS_PLUGIN_URLS: "https://github.com/coreruleset/wordpress-rule-exclusions-plugin/archive/refs/tags/v1.0.1.tar.gz"
 spec:
  rules:
    - host: www.example.com
--- a/examples/wordpress/setup-linux.sh
+++ b/examples/wordpress/setup-linux.sh
@ -19,7 +19,3 @@ cp -r /tmp/wordpress/* /var/www/html
 chown -R $user:nginx /var/www/html
 find /var/www/html -type f -exec chmod 0640 {} \;
 find /var/www/html -type d -exec chmod 0750 {} \;
-cp -r ./bw-data/configs/* /etc/bunkerweb/configs
-chown -R nginx:nginx /etc/bunkerweb/configs
-find /etc/bunkerweb/configs -type f -exec chmod 0644 {} \;
-find /etc/bunkerweb/configs -type d -exec chmod 0755 {} \;
--- a/examples/wordpress/setup-swarm.sh
+++ b/examples/wordpress/setup-swarm.sh
@ -1,13 +0,0 @@
-#!/bin/bash
-
-# docker-compose doesn't support assigning labels to configs
-# so we need to create the configs with the CLI
-# bunkerweb.CONFIG_TYPE accepted values are http, stream, server-http, server-stream, default-server-http, modsec and modsec-crs
-# bunkerweb.CONFIG_SITE lets you choose on which web service the config should be applied (MULTISITE mode) and if it's not set, the config will be applied for all services
-# more info at https://docs.bunkerweb.io
-
-# remove configs if existing
-docker config rm cfg_wordpress_modsec_crs
-
-# create configs
-docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_wordpress_modsec_crs ./bw-data/configs/modsec-crs/wordpress.conf
--- a/examples/wordpress/swarm.yml
+++ b/examples/wordpress/swarm.yml
@ -23,23 +23,8 @@ services:
        - bunkerweb.USE_REVERSE_PROXY=yes
        - bunkerweb.REVERSE_PROXY_URL=/
        - bunkerweb.REVERSE_PROXY_HOST=http://mywp
-        - |
-          bunkerweb.CUSTOM_CONF_MODSEC_CRS_wordpress=
-          SecAction \
-          "id:900130,\
-            phase:1,\
-            nolog,\
-            pass,\
-            t:none,\
-            setvar:tx.crs_exclusions_wordpress=1"
-
-          SecAction \
-          "id:900220,\
-            phase:1,\
-            nolog,\
-            pass,\
-            t:none,\
-            setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |application/x-git-upload-pack-request| |application/x-git-receive-pack-request|'"
+        # This is a CRS plugin specific to WordPress
+        - bunkerweb.MODSECURITY_CRS_PLUGIN_URLS=https://github.com/coreruleset/wordpress-rule-exclusions-plugin/archive/refs/tags/v1.0.1.tar.gz

  mydb:
    image: mariadb:11
--- a/examples/wordpress/variables.env
+++ b/examples/wordpress/variables.env
@ -11,3 +11,5 @@ USE_GZIP=yes
 LOCAL_PHP=/run/php/php-fpm.sock
 LOCAL_PHP_PATH=/var/www/html
 MAX_CLIENT_SIZE=50m
+# This is a CRS plugin specific to WordPress
+MODSECURITY_CRS_PLUGIN_URLS=https://github.com/coreruleset/wordpress-rule-exclusions-plugin/archive/refs/tags/v1.0.1.tar.gz