Add ModSecurity rule to remove false positives for LFI attacks in Authelia configuration

examples/authelia/autoconf.yml

@@ -58,6 +58,9 @@ services:
       - bunkerweb.REVERSE_PROXY_URL=/
       - bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
       - bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
+      - |
+        bunkerweb.CUSTOM_CONF_MODSEC_remove-false-positives=
+        SecRule REQUEST_FILENAME "/" "id:1000000,ctl:ruleRemoveByTag=attack-lfi,nolog"
 
   redis:
     image: redis:7-alpine

examples/authelia/bw-data/configs/modsec/remove-false-positives.conf

@@ -0,0 +1 @@
+SecRule REQUEST_FILENAME "/" "id:1000000,ctl:ruleRemoveByTag=attack-lfi,nolog"

examples/authelia/docker-compose.yml

@@ -27,7 +27,8 @@ services:
       API_WHITELIST_IP: "127.0.0.0/8 10.20.30.0/24"
       SERVE_FILES: "no"
       DISABLE_DEFAULT_SERVER: "yes"
-      AUTO_LETS_ENCRYPT: "yes"
+      # AUTO_LETS_ENCRYPT: "yes"
+      GENERATE_SELF_SIGNED_SSL: "yes"
       USE_CLIENT_CACHE: "yes"
       USE_GZIP: "yes"
       USE_REVERSE_PROXY: "yes"
@@ -39,6 +40,8 @@ services:
       auth.example.com_REVERSE_PROXY_URL: "/"
       auth.example.com_REVERSE_PROXY_HOST: "http://authelia:9091"
       auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
+      auth.example.com_CUSTOM_CONF_MODSEC_remove-false-positives: |
+        SecRule REQUEST_FILENAME "/" "id:1000000,ctl:ruleRemoveByTag=attack-lfi,nolog"
       # Applications
       app1.example.com_REVERSE_PROXY_URL: "/"
       app1.example.com_REVERSE_PROXY_HOST: "http://app1:8080"

examples/authelia/kubernetes.yml

@@ -4,20 +4,17 @@ metadata:
   name: ingress
   annotations:
     bunkerweb.io/AUTO_LETS_ENCRYPT: "yes"
+    bunkerweb.io/REVERSE_PROXY_URL_999: "/authelia"
+    bunkerweb.io/REVERSE_PROXY_HOST_999: "http://svc-authelia.default.svc.cluster.local:9091/api/verify"
+    bunkerweb.io/REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
     bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
     bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri"
     bunkerweb.io/app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email"
     bunkerweb.io/app1.example.com_REVERSE_PROXY_HEADERS: "Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email"
-    bunkerweb.io/app1.example.com_REVERSE_PROXY_URL_999: "/authelia"
-    bunkerweb.io/app1.example.com_REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
-    bunkerweb.io/app1.example.com_REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
     bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST: "/authelia"
     bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL: "https://auth.example.com/?rd=$scheme%3A%2F%2F$host$request_uri"
     bunkerweb.io/app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET: "$user $upstream_http_remote_user;$groups $upstream_http_remote_groups;$name $upstream_http_remote_name;$email $upstream_http_remote_email"
     bunkerweb.io/app2.example.com_REVERSE_PROXY_HEADERS: "Remote-User $user;Remote-Groups $groups;Remote-Name $name;Remote-Email $email"
-    bunkerweb.io/app2.example.com_REVERSE_PROXY_URL_999: "/authelia"
-    bunkerweb.io/app2.example.com_REVERSE_PROXY_HOST_999: "http://authelia:9091/api/verify"
-    bunkerweb.io/app2.example.com_REVERSE_PROXY_HEADERS_999: "X-Original-URL $scheme://$http_host$request_uri;Content-Length ''"
     bunkerweb.io/auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS: "no"
 spec:
   rules:
@@ -239,7 +236,7 @@ spec:
     spec:
       containers:
         - name: authelia
-          image: authelia/authelia
+          image: authelia/authelia:4
           env:
             - name: TZ
               value: "Europe/Paris"
@@ -285,7 +282,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:alpine
+          image: redis:7-alpine
           env:
             - name: TZ
               value: "Europe/Paris"
@@ -301,3 +298,14 @@ spec:
     - protocol: TCP
       port: 6379
       targetPort: 6379
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cfg-bunkerweb-auth-modsec
+  annotations:
+    bunkerweb.io/CONFIG_TYPE: "modsec"
+    bunkerweb.io/CONFIG_SITE: "auth.example.com"
+data:
+  remove-false-positives: |
+    SecRule REQUEST_FILENAME "/" "id:1000000,ctl:ruleRemoveByTag=attack-lfi,nolog"

examples/authelia/setup-linux.sh

@@ -5,6 +5,8 @@ if [ "$(id -u)" -ne 0 ] ; then
 	exit 1
 fi
 
+cp -r bw-data/configs/* /etc/bunkerweb/configs
+
 curl https://github.com/authelia/authelia/releases/download/v4.36.2/authelia-v4.36.2-linux-amd64.tar.gz -Lo /tmp/authelia.tar.gz
 tar -xzf /tmp/authelia.tar.gz -C /tmp
 mv /tmp/authelia-linux-amd64 /usr/bin/authelia

examples/authelia/swarm.yml

@@ -72,6 +72,9 @@ services:
         - bunkerweb.REVERSE_PROXY_URL=/
         - bunkerweb.REVERSE_PROXY_HOST=http://authelia:9091
         - bunkerweb.REVERSE_PROXY_INTERCEPT_ERRORS=no
+        - |
+          bunkerweb.CUSTOM_CONF_MODSEC_remove-false-positives=
+          SecRule REQUEST_FILENAME "/" "id:1000000,ctl:ruleRemoveByTag=attack-lfi,nolog"
 
   redis:
     image: redis:7-alpine