From ca0281592005908bfba8a8b28455549e42098ba0 Mon Sep 17 00:00:00 2001
From: Zoey
Date: Sun, 26 Nov 2023 14:57:28 +0100
Subject: [PATCH] make crs before/after rules editable

Signed-off-by: Zoey
---
 Dockerfile | 4 ++--
 README.md | 2 +-
 rootfs/bin/start.sh | 10 ++++++++++
 .../nginx/conf/conf.d/include/modsecurity-crs.conf | 2 ++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ecee77442..adef5118a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -61,9 +61,9 @@ RUN apk add --no-cache ca-certificates tzdata tini \
 sed -i "s|SecRuleEngine.*|SecRuleEngine On|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
 sed -i "s|unicode.mapping|/usr/local/nginx/conf/conf.d/include/unicode.mapping|g" /usr/local/nginx/conf/conf.d/include/modsecurity.conf.example && \
 git clone https://github.com/coreruleset/coreruleset /tmp/coreruleset && \
- mkdir /usr/local/nginx/conf/conf.d/include/coreruleset && \
+ mkdir -v /usr/local/nginx/conf/conf.d/include/coreruleset && \
 mv -v /tmp/coreruleset/crs-setup.conf.example /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example && \
- mv /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
+ mv -v /tmp/coreruleset/rules /usr/local/nginx/conf/conf.d/include/coreruleset/rules && \
 rm -r /tmp/* && \
 luarocks-5.1 install lua-resty-http && \
 luarocks-5.1 install lua-cjson && \
diff --git a/README.md b/README.md
index 5cfeec4f7..1d0b0d27c 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ running at home or otherwise, including free TLS, without having to know too muc
 **Note: If you don't use network mode host, which I don't recommend, don't forget to expose port 443 on tcp AND udp (http3/quic needs udp).**
**Note: If you don't use network mode host, which I don't recommend, don't forget to enable IPv6 in Docker, see [here](https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md), you only need to edit the daemon.json and restart docker, if you use the bridge network, otherwise please enable IPv6 in your custom docker network!**
**Note: Don't forget to open Port 80 (tcp) and 443 (tcp AND udp, http3/quic needs udp) in your firewall (because of network mode host, you also need to open this ports in ufw, if you use ufw).**
-**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity/modsecurity-default.conf` and `/opt/npm/etc/modsecurity/crs-setup.conf`.**
+**Note: ModSecurity overblocking (403 Error)? Please see `/data/etc/modsecurity`, if you also use CRS please see [here](https://coreruleset.org/docs/concepts/false_positives_tuning).**
**Note: Internal Instance? Please disable `must-staple` in `/opt/npm/tls/certbot/config.ini`.**
**Note: Other Databases like MariaDB may work, but are unsupported.**
diff --git a/rootfs/bin/start.sh b/rootfs/bin/start.sh
index 9fccd0fe6..a4d1fc4b0 100755
--- a/rootfs/bin/start.sh
+++ b/rootfs/bin/start.sh
@@ -388,6 +388,16 @@ if [ ! -s /data/etc/modsecurity/crs-setup.conf ]; then
 fi
 cp /usr/local/nginx/conf/conf.d/include/coreruleset/crs-setup.conf.example /data/etc/modsecurity/crs-setup.conf.example
+if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example ]; then
+ cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
+fi
+cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+
+if [ ! -s /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example ]; then
+ cp -vn /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
+fi
+cp /usr/local/nginx/conf/conf.d/include/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example
+
 if [ "$NPM_CERT_ID" = "0" ]; then
 export NPM_CERT=/data/tls/dummycert.pem
 export NPM_KEY=/data/tls/dummykey.pem
diff --git a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
index 257c7b40a..9fb39bf27 100644
--- a/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
+++ b/rootfs/usr/local/nginx/conf/conf.d/include/modsecurity-crs.conf
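Review bot: The guard on each new `if` tests the `.conf.example` copy in /data, but the file it creates is the `.conf`, so once the example exists a missing or removed `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` (or its RESPONSE-999 counterpart) is never recreated, while the `Include` lines added in modsecurity-crs.conf reference those `.conf` paths unconditionally. The crs-setup.conf block visible in the hunk header checks the target file instead; matching that pattern would be `if [ ! -s /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ]; then` for the first block and the equivalent `.conf` path for the RESPONSE-999 block. Because `cp -vn` already refuses to overwrite an existing target, the guard only needs to decide whether the copy is attempted at all, so this change does not risk clobbering user edits. The surrounding script is top-level code, not a function; the `if` named in the hunk header begins outside the hunk.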
@@ -1,4 +1,6 @@
 Include /data/etc/modsecurity/modsecurity-default.conf
 Include /data/etc/modsecurity/modsecurity-extra.conf
 Include /data/etc/modsecurity/crs-setup.conf
+Include /data/etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
 Include /usr/local/nginx/conf/conf.d/include/coreruleset/rules/*.conf
+Include /data/etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
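Review bot: The two added `Include` lines are undocumented, and their position relative to the `rules/*.conf` glob is load-bearing: the BEFORE file must be read before the rule set and the AFTER file after it, and both point into the persisted /data volume rather than the image, so they only resolve if start.sh has created them. A short comment above each would make that contract visible to whoever edits this file next, e.g. `# user-editable CRS exclusions; created by start.sh from the .example files, must stay before the rules glob` above the REQUEST-900 line and the matching `# ... must stay after the rules glob` above the RESPONSE-999 line. If an optional-include form is not available here, the comment should also say that the files are required for the configuration to load.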