From 395eb8b0e5850df6f21a92040b4d52e9c6eb2ae7 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 4 Mar 2022 23:24:23 +0100
Subject: [PATCH] fix(matrix): Disable rule mod security for anomaly detection

This patch disables the CRS modsecurity rule for anomaly detection,
since apparently ~80% of all requests are anomalies. This patch adds an
explicit exclude for this rule to the modsecurity config snippet which
should help to keep synapse working, while utilising modsecurity.
---
 apps/k8s01/matrix/matrix-synapse-values.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/k8s01/matrix/matrix-synapse-values.yaml b/apps/k8s01/matrix/matrix-synapse-values.yaml
index f9ed32be0..36ad23703 100644
--- a/apps/k8s01/matrix/matrix-synapse-values.yaml
+++ b/apps/k8s01/matrix/matrix-synapse-values.yaml
@@ -66,6 +66,7 @@ spec:
                 nginx.ingress.kubernetes.io/modsecurity-snippet: |
                     SecRuleEngine On
                     Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
+                    SecRuleRemoveById 949110
             hosts:
                 - ENC[AES256_GCM,data:xBwjUfo+b3uBTCqPlx3XZ/IKkTxFXvbgy0w=,iv:ZN/5A/YHSPW7c3Fcx1Fi75uMYBijX0styxTuthv3p2E=,tag:sZ9tihrcgy4pHobebszDTg==,type:str]
             includeServerName: ENC[AES256_GCM,data:U6KM0h8=,iv:+MkU2Bq56rlvL0NXVpJI3du8uA+pQ7/7opsQbNCoO5E=,tag:mJhCmEtymqAJtAfSBWdg5g==,type:bool]
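Review bot: The added `SecRuleRemoveById 949110` removes the CRS rule that blocks a request once its inbound anomaly score exceeds the threshold, so with `SecRuleEngine On` still set the request-side rules keep scoring and logging but no longer deny anything in anomaly-scoring mode. That is a wider change than an exclusion for Synapse traffic. A narrower fix would be to read the audit log for the specific rule ids that fire on legitimate Matrix requests and remove or path-scope only those, leaving 949110 in place. If log-only operation is what is wanted for now, `SecRuleEngine DetectionOnly` states that explicitly. Either way the snippet should carry a comment such as `# 949110 = CRS inbound anomaly-score blocking rule; removed because Synapse traffic trips it, request rules now only log` so the reduced protection is visible to the next reader. The other ingress annotations sit outside this hunk, so any additional exclusions there cannot be checked from here.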
@@ -80,8 +81,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2022-03-04T21:02:14Z"
-    mac: ENC[AES256_GCM,data:1AOCp+ry6MOvx956LV5ZB7m/XFtv+84KK8xYapE2+WxHeWKVoSOGE+Zoppd9ID8BJDqnVvQJK1zF1zieZ+GlU64qvwaAHmH+lvoivQseDU1B4DUrhqeip6fDyskbJOjS3CytEsV3qWaPQQBZGrfonfqLoa0njgyO86g7ivMam0g=,iv:yXvCGrg3BwCocjY9dWDt2kAEJd4c1NST4Qpumn430Vw=,tag:li90QQ55km+zE2z2vxaZPg==,type:str]
+    lastmodified: "2022-03-04T22:23:29Z"
+    mac: ENC[AES256_GCM,data:HSUoauj/2F2UTZT3U8KjuTYjmWG+xbT6xEQZrbOE3+cCrI0AqL6WBFx+XmC2z0X51fICdA/9Yx13WV+KIfSep8ya1rDKpAVQpTk7fh0SOIuQmTwEH2YCWOLhGCWuyECUd5P+urrK9cWFMfwMBifwuiR8c5hOXBtPYYQO1dUeRdk=,iv:w+F7GugZLsLE0B/DMdWBM+zfRkweamaI6Nvo42Czr+c=,tag:7+gPk0KnQ3355wTxoNmdmw==,type:str]
     pgp:
         - created_at: "2022-02-18T22:15:21Z"
           enc: |-
-- 
GitLab