Passbolt Modsecurity

I'm in the process of testing. I have put ModSecurity on my server today, and on default settings with no configuration it broke Passbolt.

First test, I added:

SecRuleEngine DetectionOnly

To /etc/apache2/sites-enabled/passbolt.conf

To turn modsecurity off entirely for the passbolt virtual host, and then passbolt worked normally. So on default settings modsecurity certainly breaks things.

Second test, using the instructions from here, ModSecurity Configuration for Passbolt | Michael A. Mead. I added:

<Location "/auth/verify.json">
        SecRuleRemoveById 200004 942100
</Location>

<Location "/import/resources.json">
        SecRuleRemoveById 942100
</Location>

<Location "/resources.json">
        SecRuleRemoveById 942100
</Location>

<LocationMatch "^/resources/.*">
        SecRuleRemoveById 911100 980130 942100
</LocationMatch>

<LocationMatch "^/users/.*">
        SecRuleRemoveById 911100
</LocationMatch>

<LocationMatch "^/setup/completeRecovery/.*\.json">
        SecRuleRemoveById 980130 911100 949110
</LocationMatch>

To /etc/apache2/sites-enabled/passbolt.conf

then restarting apache2

sudo systemctl restart apache2

and at the moment passbolt is still working as expected…

And if I try to be nasty, it's 403'ing as it should.


Need a 403 page for Passbolt though.
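A rule exclusion like the ones above is only as narrow as the path pattern it sits in, and several of the removed ids (949110 in particular, the CRS blocking-evaluation rule) switch off blocking for every request that matches. The script below is an added example, not part of the post and not Passbolt or ModSecurity project code: it parses the Location/LocationMatch blocks quoted above (embedded inline as a constructed sample), reproduces Apache's matching semantics for those two directives as an assumption (Location: exact match or prefix with a trailing slash; LocationMatch: unanchored regex search; all matching sections apply, so removals accumulate), and reports which rule ids are removed for a given request path, flagging paths where blocking is disabled outright.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the exclusion blocks from the post, embedded so the
# script runs offline. In practice, read /etc/apache2/sites-enabled/passbolt.conf.
SAMPLE_CONF = """
<Location "/auth/verify.json">
        SecRuleRemoveById 200004 942100
</Location>

<Location "/import/resources.json">
        SecRuleRemoveById 942100
</Location>

<Location "/resources.json">
        SecRuleRemoveById 942100
</Location>

<LocationMatch "^/resources/.*">
        SecRuleRemoveById 911100 980130 942100
</LocationMatch>

<LocationMatch "^/users/.*">
        SecRuleRemoveById 911100
</LocationMatch>

<LocationMatch "^/setup/completeRecovery/.*\\.json">
        SecRuleRemoveById 980130 911100 949110
</LocationMatch>
"""

# Rule ids whose removal disables enforcement for the whole path, not just one check.
# 949110 is the CRS inbound anomaly-score blocking rule (REQUEST-949-BLOCKING-EVALUATION).
DISABLES_BLOCKING = {"949110"}

BLOCK_RE = re.compile(r'<(Location|LocationMatch)\s+"?([^">]+?)"?\s*>(.*?)</\1>', re.DOTALL)
REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+?)\s*$", re.MULTILINE)


def parse_exclusions(conf: str) -> List[Tuple[str, str, Set[str]]]:
    """Return (directive, pattern, removed_rule_ids) for each block that removes rules."""
    found = []
    for kind, pattern, body in BLOCK_RE.findall(conf):
        ids: Set[str] = set()
        for m in REMOVE_RE.finditer(body):
            ids.update(m.group(1).split())
        if ids:
            found.append((kind, pattern, ids))
    return found


def location_matches(pattern: str, path: str) -> bool:
    """Apache <Location>: exact match, or pattern (with '/' appended) is a prefix of path."""
    if path == pattern:
        return True
    prefix = pattern if pattern.endswith("/") else pattern + "/"
    return path.startswith(prefix)


def removed_rules_for(path: str, exclusions: List[Tuple[str, str, Set[str]]]) -> Set[str]:
    """Union of rule ids removed for a request path; every matching section applies."""
    removed: Set[str] = set()
    for kind, pattern, ids in exclusions:
        hit = location_matches(pattern, path) if kind == "Location" else re.search(pattern, path) is not None
        if hit:
            removed |= ids
    return removed


def audit(conf: str, paths: List[str]) -> Dict[str, Set[str]]:
    """Map each request path to the set of ModSecurity rule ids removed for it."""
    exclusions = parse_exclusions(conf)
    return {p: removed_rules_for(p, exclusions) for p in paths}


def blocking_disabled(conf: str, paths: List[str]) -> List[str]:
    """Paths for which an exclusion removes the blocking-evaluation rule itself."""
    return [p for p, ids in audit(conf, paths).items() if ids & DISABLES_BLOCKING]


if __name__ == "__main__":
    sample_paths = ["/auth/verify.json", "/resources/abc", "/resources.json",
                    "/resources.jsonx", "/users/1.json", "/setup/completeRecovery/x.json", "/login"]
    for path, ids in audit(SAMPLE_CONF, sample_paths).items():
        print(f"{path:40} removed: {sorted(ids) or '-'}")
    print("blocking disabled on:", blocking_disabled(SAMPLE_CONF, sample_paths))
```

Run it against the live passbolt.conf by replacing SAMPLE_CONF with the file contents; any path that shows up in blocking_disabled is one where ModSecurity will log but never return a 403, which is worth knowing before relying on the "it 403's as it should" test.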