Refactor modsec-crs UI routes to conditionally remove rules for specific URLs

src/common/core/ui/confs/modsec-crs/ui.conf

@@ -0,0 +1,5 @@
+{% if USE_UI == "yes" +%}
+SecRule REQUEST_FILENAME "@rx /(global-config|services/.+)$" "id:7771,ctl:ruleRemoveById=932235,nolog"
+SecRule REQUEST_FILENAME "@rx /(services|cache)/.+$" "id:7772,ctl:ruleRemoveById=920440,nolog"
+SecRule REQUEST_FILENAME "@endsWith /logs" "id:7773,ctl:ruleRemoveById=953100,nolog"
+{% endif +%}

src/common/core/ui/confs/modsec/ui.conf

@@ -1,9 +1,3 @@
-{% if USE_UI == "yes" +%}
-SecRule REQUEST_FILENAME "@rx /(global-config|modes)$" "id:7771,ctl:ruleRemoveByTag=language-shell,ctl:ruleRemoveByTag=platform-pgsql,ctl:ruleRemoveByTag=attack-xss,ctl:ruleRemoveByTag=attack-lfi,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-ssrf,nolog"
-SecRule REQUEST_FILENAME "@rx /configs$" "id:7772,ctl:ruleRemoveByTag=language-shell,ctl:ruleRemoveByTag=attack-lfi,ctl:ruleRemoveByTag=attack-rfi,ctl:ruleRemoveByTag=attack-ssrf,nolog"
-SecRule REQUEST_FILENAME "@rx /jobs$" "id:7773,ctl:ruleRemoveByTag=language-shell,ctl:ruleRemoveByTag=language-php,nolog"
-SecRule REQUEST_FILENAME "@rx /jobs/download$" "id:7774,ctl:ruleRemoveByTag=attack-lfi,nolog"
-{% if "TLSv1.3" in SSL_PROTOCOLS and HTTP3 == "yes" +%}
+{% if USE_UI == "yes" and "TLSv1.3" in SSL_PROTOCOLS and HTTP3 == "yes" +%}
 SecRuleRemoveById 920280
 {% endif +%}
-{% endif +%}