From 007afae6e63fab816fc1fdf04b97213ee78c0bdc Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 26 Mar 2022 18:50:25 +0100
Subject: [PATCH] feat(nextcloud): Enable modsecurity

This patch enables ModSecurity for Nextcloud and sets up the default
exclusions maintained by the CRS maintainers.

References:
https://github.com/coreruleset/coreruleset/blob/554fb063c2613ca9cb470524c721476c2eedf62f/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
---
 apps/base/nextcloud/release.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/apps/base/nextcloud/release.yaml b/apps/base/nextcloud/release.yaml
index d196200d8..9a78fedba 100644
--- a/apps/base/nextcloud/release.yaml
+++ b/apps/base/nextcloud/release.yaml
@@ -108,6 +108,11 @@ data:
           location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
             deny all;
           }
+        nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+        nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
+        nginx.ingress.kubernetes.io/modsecurity-snippet: |
+            SecRuleEngine On
+            Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
     persistence:
       enabled: true
     resources:
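Review bot: The `Include` of `REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf` in the `modsecurity-snippet` probably does not activate the Nextcloud exclusions on its own, so with `SecRuleEngine On` legitimate Nextcloud traffic such as WebDAV uploads and sync clients may be blocked. In CRS 3.x that file, as far as I know, opens with a guard that skips every exclusion unless `tx.crs_exclusions_nextcloud` is set, and `enable-owasp-core-rules: "true"` presumably already loads the whole rules directory, so the explicit include may only load the same rule ids a second time. I would replace the include with `SecAction "id:<unused-id>,phase:1,nolog,pass,t:none,setvar:tx.crs_exclusions_nextcloud=1"` and confirm, against the CRS version shipped in the controller image, that the snippet is evaluated before the CRS rules. Rolling out with `SecRuleEngine DetectionOnly` first and reading the audit log before switching to `On` would show whether the exclusions take effect. The annotations mapping this hunk extends begins outside the hunk.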
-- 
GitLab