make crs before/after rules editable
Signed-off-by: Zoey <zoey@z0ey.de>
@@ -61,9 +61,9 @@ RUN apk add --no-cache ca-certificates tzdata tini \
|
||||
sed -i "s|SecRuleEngine.*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
|
||||
sed -i "s|unicode.mapping|/usr/local/nginx/conf/conf.d/include/unicode.mapping|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
|
||||
git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \
|
||||
mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \
|
||||
mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
|
||||
mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
|
||||
mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
|
||||
mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
|
||||
rm -r /tmp/* && \
|
||||
luarocks-5.1 install lua-resty-http && \
|
||||
luarocks-5.1 install lua-cjson && \
|
||||
|
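Review bot: The `git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset` step in this RUN chain takes whatever the default branch holds at build time, with no tag or commit pinned, so two builds of the same Dockerfile can ship different WAF rules. This matters more with this commit, because the start script now copies `rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example` and `rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example` by exact name and would break if upstream renames or moves them. Pinning to a release makes the shipped rule set reproducible and reviewable, e.g. `git clone --depth 1 --branch <CRS_RELEASE_TAG> https://github.com/coreruleset/coreruleset /tmp/coreruleset && \` (the tag is a placeholder). The RUN instruction starts and ends outside the hunk.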
@@ -18,7 +18,7 @@ running at home or otherwise, including free TLS, without having to know too muc
|
||||
**Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).** <br>
|
||||
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!** <br>
|
||||
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).** <br>
|
||||
**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity/modsecurity-default.conf` and `/opt/npm/etc/modsecurity/crs-setup.conf`.** <br>
|
||||
**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).** <br>
|
||||
**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.** <br>
|
||||
**Note: Other Databases like MariaDB may work, but are unsupported.** <br>
|
||||
|
||||
|
@@ -388,6 +388,16 @@ if [ ! -s /data/etc/modsecurity/crs-setup.conf ]; then
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
|
||||
|
||||
if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
|
||||
|
||||
if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ]; then
|
||||
cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
|
||||
fi
|
||||
cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
|
||||
|
||||
if [ "$NPM_CERT_ID" = "0" ]; then
|
||||
export NPM_CERT=/data/tls/dummycert.pem
|
||||
export NPM_KEY=/data/tls/dummykey.pem
|
||||
|
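Review bot: Both new guards test the `.conf.example` file, although the file they are meant to create is the editable `.conf`; the existing guard shown in the hunk header tests `crs-setup.conf` itself. The `.example` copy is rewritten unconditionally on every start, so after the first run the guard is never true again and a deleted or emptied `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` is not restored, while the ModSecurity config includes that path by exact name and presumably fails to load without it. Test the target instead, `if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]; then`, and likewise for `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf`. With `-s` as the test, `cp -vn` should become `cp -v`, because `-n` refuses to replace an existing empty file.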
@@ -1,4 +1,6 @@
|
||||
Include /data/etc/modsecurity/modsecurity-default.conf
|
||||
Include /data/etc/modsecurity/modsecurity-extra.conf
|
||||
Include /data/etc/modsecurity/crs-setup.conf
|
||||
Include /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
|
||||
Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf
|
||||
Include /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
|
||||
|
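Review bot: The position of the two new Include lines relative to the `rules/*.conf` glob is what makes the exclusions take effect, and nothing in the file says so. A later edit that moves the glob or appends another Include at the end would change which exclusions apply without any error. I would add a comment above the block, e.g. `# Order matters: BEFORE-CRS exclusions load before rules/*.conf, AFTER-CRS exclusions load after it.` Both new files live under `/data` and can switch off CRS rules, so it is worth noting in the same comment that they should be writable only by the administrator.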