feat: replace custom ModSecurity configuration with CRS plugin URL for Nextcloud examples

examples/nextcloud/autoconf.yml

@@ -32,27 +32,8 @@ services:
       - bunkerweb.LIMIT_REQ_RATE_2=8r/s
       - bunkerweb.LIMIT_REQ_URL_3=/core/preview
       - bunkerweb.LIMIT_REQ_RATE_3=5r/s
-      - |
-        bunkerweb.CUSTOM_CONF_MODSEC_CRS_nextcloud=
-        SecAction \
-         "id:900130,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:tx.crs_exclusions_nextcloud=1"
-
-        # WebDAV
-        SecAction \
-         "id:900200,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
-      - |
-        bunkerweb.CUSTOM_CONF_MODSEC_nextcloud=
-        SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
+      # This is a CRS plugin specific to Nextcloud
+      - bunkerweb.MODSECURITY_CRS_PLUGIN_URLS=https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/archive/refs/tags/v1.2.0.tar.gz
 
   mydb:
     image: mariadb:11

examples/nextcloud/bw-data/configs/modsec-crs/nextcloud.conf

@@ -1,16 +0,0 @@
-SecAction \
- "id:900130,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:tx.crs_exclusions_nextcloud=1"
-
-# WebDAV
-SecAction \
- "id:900200,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"

examples/nextcloud/bw-data/configs/modsec/nextcloud.conf

@@ -1 +0,0 @@
-SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"

examples/nextcloud/docker-compose.yml

@@ -3,8 +3,9 @@ services:
     image: bunkerity/bunkerweb:1.6.0-beta
     container_name: bunkerweb
     ports:
-      - "80:8080"
-      - "443:8443"
+      - "80:8080/tcp"
+      - "443:8443/tcp"
+      - "443:8443/udp" # for QUIC
     environment:
       API_WHITELIST_IP: "127.0.0.1 10.20.30.0/24"
     restart: "unless-stopped"
@@ -41,24 +42,7 @@ services:
       LIMIT_REQ_RATE_2: "8r/s"
       LIMIT_REQ_URL_3: "/core/preview"
       LIMIT_REQ_RATE_3: "5r/s"
-      CUSTOM_CONF_MODSEC_CRS_nextcloud: |
-        SecAction \
-         "id:900130,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:tx.crs_exclusions_nextcloud=1"
-        # WebDAV
-        SecAction \
-         "id:900200,\
-          phase:1,\
-          nolog,\
-          pass,\
-          t:none,\
-          setvar:'tx.allowed_methods=GET POST HEAD COPY DELETE LOCK MKCOL MOVE PROPFIND PROPPATCH PUT UNLOCK OPTIONS'"
-      CUSTOM_CONF_MODSEC_nextcloud: |
-        SecRule REQUEST_FILENAME "@rx ^/remote.php/dav/files/" "id:2000,ctl:ruleRemoveByTag=attack-protocol,ctl:ruleRemoveByTag=attack-generic,nolog"
+      MODSECURITY_CRS_PLUGIN_URLS: "https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/archive/refs/tags/v1.2.0.tar.gz" # This is a CRS plugin specific to Nextcloud
     restart: "unless-stopped"
     networks:
       - bw-universe

examples/nextcloud/kubernetes.yml

@@ -14,6 +14,8 @@ metadata:
     bunkerweb.io/www.example.com_LIMIT_REQ_RATE_2: "8r/s"
     bunkerweb.io/www.example.com_LIMIT_REQ_URL_3: "/core/preview"
     bunkerweb.io/www.example.com_LIMIT_REQ_RATE_3: "5r/s"
+    # This is a CRS plugin specific to Nextcloud
+    bunkerweb.io/www.example.com_MODSECURITY_CRS_PLUGIN_URLS: "https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/archive/refs/tags/v1.2.0.tar.gz"
 spec:
   rules:
     - host: www.example.com

examples/nextcloud/setup-linux.sh

@@ -19,4 +19,3 @@ cp -r /tmp/nextcloud/* /var/www/html
 chown -R $user:nginx /var/www/html
 find /var/www/html -type f -exec chmod 0640 {} \;
 find /var/www/html -type d -exec chmod 0750 {} \;
-cp -r bw-data/configs/* /etc/bunkerweb/configs

examples/nextcloud/setup-swarm.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-
-# docker-compose doesn't support assigning labels to configs
-# so we need to create the configs with the CLI
-# bunkerweb.CONFIG_TYPE accepted values are http, stream, server-http, server-stream, default-server-http, modsec and modsec-crs
-# bunkerweb.CONFIG_SITE lets you choose on which web service the config should be applied (MULTISITE mode) and if it's not set, the config will be applied for all services
-# more info at https://docs.bunkerweb.io
-
-# remove configs if existing
-docker config rm cfg_nextcloud_modsec
-docker config rm cfg_nextcloud_modsec_crs
-
-# create configs
-docker config create -l bunkerweb.CONFIG_TYPE=modsec -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec ./bw-data/configs/modsec/nextcloud.conf
-docker config create -l bunkerweb.CONFIG_TYPE=modsec-crs -l bunkerweb.CONFIG_SITE=www.example.com cfg_nextcloud_modsec_crs ./bw-data/configs/modsec-crs/nextcloud.conf

examples/nextcloud/swarm.yml

@@ -34,6 +34,8 @@ services:
         - bunkerweb.LIMIT_REQ_RATE_2=8r/s
         - bunkerweb.LIMIT_REQ_URL_3=/core/preview
         - bunkerweb.LIMIT_REQ_RATE_3=5r/s
+        # This is a CRS plugin specific to Nextcloud
+        - bunkerweb.MODSECURITY_CRS_PLUGIN_URLS=https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/archive/refs/tags/v1.2.0.tar.gz
 
   mydb:
     image: mariadb:11

examples/nextcloud/variables.env

@@ -18,3 +18,5 @@ LIMIT_REQ_URL_2=/apps/text/session/sync
 LIMIT_REQ_RATE_2=8r/s
 LIMIT_REQ_URL_3=/core/preview
 LIMIT_REQ_RATE_3=5r/s
+# This is a CRS plugin specific to Nextcloud
+MODSECURITY_CRS_PLUGIN_URLS=https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/archive/refs/tags/v1.2.0.tar.gz