Roundcube Community Forum


[resolved] ModSecurity 2.5 default rules conflict

Started by steogede, March 18, 2008, 02:10:41 PM

steogede

Just a note to say that anyone using the default ruleset which comes with ModSecurity 2.5 may have a few small issues with RoundCube. In particular I had trouble when composing messages and changing the format from HTML to plain text, it seemed to freeze on 'Removing formatting from message' - I tracked the problem down to ModSecurity blocking the request with a 501 response. The default rules of mod_security only allow requests of content-type 'application/x-www-form-urlencoded', 'multipart/form-data' and 'text/xml' - while rcmail_html2plain() in 'program/js/editor.js' requests a content-type of 'application/octet-stream'.

If anyone else has this problem, it is easily fixed by editing line 71 of /etc/apache2/modsecurity/modsecurity_crs_30_http_policy.conf so that:
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml)"
becomes:
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml|application/octet-stream)"

Just thought I would post it in case anyone else hit the same issue.

dano

I was under the impression that one does not want to modify the default core ruleset. Instead you want to add a new ruleset such as a new file named "modsecurity_crs_60_custom.conf". In that file I have the following to allow various aspects of Roundcube:

#Rule to allow Roundcube html2text
SecRule REQUEST_FILENAME "/rcmail/bin/html2text.php" \
"allow,phase:1,nolog,ctl:ruleEngine=Off"

#Rule to allow Roundcube to forward embedded images and exclude from compression scanning
<LocationMatch '^/rcmail/'>
SecRuleRemoveById 950004,950019,960903
</LocationMatch>

Of course your path (/rcmail) may very well be different than mine.
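Added example, not code from either post or from the ModSecurity/CRS project: a small Python harness that evaluates the quoted Content-Type regex the way ModSecurity's @rx operator does (unanchored search, negated by the leading "!"), so a rule change can be checked offline before it goes into Apache. It compares the stock rule, the widened regex from the first post, and a path exception in the spirit of the second post but scoped to just the html2text.php script; the /rcmail prefix and the sample requests are assumed and constructed here.

```python
import re

# Content-Type pattern from the stock CRS 2.5 rule quoted in the thread.
# The "!" in the SecRule means: the rule fires (blocks) when this does NOT match.
CRS_ALLOWED_CT = (r"(?:^(?:application\/x-www-form-urlencoded"
                  r"(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$"
                  r"|multipart/form-data;)|text/xml)")

# The same pattern with the extra alternative added in the first post.
CRS_ALLOWED_CT_PATCHED = CRS_ALLOWED_CT[:-1] + "|application/octet-stream)"

# Hypothetical path exception modelled on the second post's SecRule, but limited
# to the one script Roundcube's editor calls (install prefix /rcmail is assumed).
EXEMPT_PATHS = frozenset({"/rcmail/bin/html2text.php"})


def content_type_blocked(content_type, pattern=CRS_ALLOWED_CT):
    """True if the HTTP policy rule would fire for this Content-Type.
    @rx is an unanchored search in ModSecurity, hence re.search, not fullmatch."""
    return re.search(pattern, content_type) is None


def evaluate(requests, pattern=CRS_ALLOWED_CT, exempt_paths=frozenset()):
    """Return the (path, content_type) pairs the policy would block."""
    blocked = []
    for path, ctype in requests:
        if path in exempt_paths:
            continue  # models ctl:ruleEngine=Off for that request
        if content_type_blocked(ctype, pattern):
            blocked.append((path, ctype))
    return blocked


# Constructed sample traffic; the first entry models the html2text call made by
# rcmail_html2plain() in program/js/editor.js as described in the thread.
SAMPLE_REQUESTS = [
    ("/rcmail/bin/html2text.php", "application/octet-stream"),
    ("/rcmail/index.php", "application/x-www-form-urlencoded; charset=UTF-8"),
    ("/rcmail/index.php", "multipart/form-data; boundary=----abc123"),
    ("/rcmail/index.php", "application/octet-stream"),
    ("/rcmail/index.php", "text/plain"),
]

if __name__ == "__main__":
    print("stock rule blocks:  ", evaluate(SAMPLE_REQUESTS))
    print("scoped exception:   ", evaluate(SAMPLE_REQUESTS, exempt_paths=EXEMPT_PATHS))
    print("widened regex:      ", evaluate(SAMPLE_REQUESTS, CRS_ALLOWED_CT_PATCHED))
```

Note that ctl:ruleEngine=Off switches off every rule for the matched request, so keeping such an exception limited to the single script leaves the rest of the webmail path under inspection, whereas widening the regex admits application/octet-stream bodies site-wide.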