From dff5f2b49ac2ef510805326636811c03e1cc7d04 Mon Sep 17 00:00:00 2001
From: Robert Gingras
Date: Wed, 4 Mar 2026 11:00:51 -0500
Subject: [PATCH 1/2] fix: allow all conforming Content-Type values instead of explicit whitelist

---
 images/agent/Dockerfile | 1 +
 ...ESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf | 86 +++++++++++++++++++
 images/agent/crs-setup.conf | 17 ++--
 3 files changed, 94 insertions(+), 10 deletions(-)
 create mode 100644 images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

diff --git a/images/agent/Dockerfile b/images/agent/Dockerfile
index 52ae510..4774ca2 100644
--- a/images/agent/Dockerfile
+++ b/images/agent/Dockerfile
@@ -26,6 +26,7 @@ COPY ./images/agent/nginx.logrotate /etc/logrotate.d/nginx
 # Apply custom ModSecurity configurations. See the blame on that file for
 # details on what's been changed from stock.
 COPY ./images/agent/crs-setup.conf /etc/modsecurity/crs/crs-setup.conf
+COPY ./images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 
 # Install DNSMasq and configure it to only get it's config from our pull-config
 RUN sed -i \
diff --git a/images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf b/images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
new file mode 100644
index 0000000..4863991
--- /dev/null
+++ b/images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
@@ -0,0 +1,86 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.7
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# The purpose of this file is to hold LOCAL exceptions for your site.
+# The types of rules that would go into this file are one where you want
+# to unconditionally disable rules or modify their actions during startup.
+#
+# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+# for a description of the rule exclusions mechanism and the correct
+# use of this file.
+#
+
+#
+# Example Exclusion Rule: To unconditionally disable a rule ID
+#
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+# SecRuleRemoveById 942100
+
+# Example Exclusion Rule: Remove a group of rules
+#
+# ModSecurity Rule Exclusion: Disable PHP injection rules
+# SecRuleRemoveByTag "attack-injection-php"
+
+#
+# Example Exclusion Rule: To unconditionally remove parameter "foo" from
+# inspection for SQLi rules
+#
+# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
+# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
+
+# I have opted to disabling the rule 920420 altogether, which is the rule
+# responsible for blocking requests based on the value of the Content-Type
+# header. While the rationale is sound, the cluster supports applications of too
+# varied configurations to feasibly whitelist every nessecary value. While this
+# does increase the likelihood of smuggled attacks via unparsed bodies, the
+# trade off has been deemed nessecary for usability in the cluster. Rule 920470
+# remains active which ensures the Content-Type header itself is conforming to
+# web standards which still reduces the overall attack surface.
+SecRuleRemoveById 920420
+
+
+# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
+#
+# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
+# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
+# against your policy. To apply a disruptive action, they overwrite the default
+# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
+# This 'deny' is by default paired with a 'status:403' action.
+#
+# In order to change the disruptive action from 'deny' to something else,
+# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
+# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
+#
+# These actions only apply when using Anomaly Mode.
+#
+# Default action: block with error 403
+# (No configuration needed in this file if you want the default behavior.)
+#
+
+# Example: redirect back to the homepage on blocking
+#
+# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
+# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
+
+# Example: redirect to another URL on blocking
+#
+# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
+# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
+
+# Example: send an error 404
+#
+# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
+# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
+
+# Example: drop the connection (best for DoS attacks)
+#
+# SecRuleUpdateActionById 949110 "t:none,drop"
+# SecRuleUpdateActionById 959100 "t:none,drop"
diff --git a/images/agent/crs-setup.conf b/images/agent/crs-setup.conf
index 76a78d8..d975da5 100644
--- a/images/agent/crs-setup.conf
+++ b/images/agent/crs-setup.conf
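Review bot: The rationale comment directly above `SecRuleRemoveById 920420` is the one operator-authored line in an otherwise stock example file, and it is the text a later auditor will rely on, so its slips matter: `I have opted to disabling the rule 920420 altogether` should read `I have opted to disable rule 920420 altogether`, and `nessecary` (on two lines) should be `necessary`. It would also help to give the exclusion the same shape as the examples above it — a leading `# ModSecurity Rule Exclusion: 920420 Request content type is not allowed by policy` line — and to record which compensating control is being relied on, since the comment's own admission that unparsed bodies can now carry smuggled content is what a reviewer will want to weigh against the single remaining header-syntax check it names (920470). Finally, point back to the allow-list this replaces (`tx.allowed_request_content_type`, rule 900220 in crs-setup.conf) so the two settings are not tuned independently later.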
@@ -429,16 +429,13 @@ SecAction \ # SecRule REQUEST_URI "@rx ^/foo/bar" "t:none" # # Uncomment this rule to change the default. -# -# We add `application/x-protobuf` used by the VictoriaMetrics API for write requests. -# See https://github.com/mieweb/opensource-server/issues/214 -SecAction \ - "id:900220,\ - phase:1,\ - nolog,\ - pass,\ - t:none,\ - setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/x-protobuf| |application/octet-stream| |application/offset+octet-stream|'" +#SecAction \ +# "id:900220,\ +# phase:1,\ +# nolog,\ +# pass,\ +# t:none,\ +# setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'" # Allowed HTTP versions. # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 From ab62587c2858c50cc81033932f9fb46212a6c9d7 Mon Sep 17 00:00:00 2001 From: Robert Gingras Date: Thu, 5 Mar 2026 11:30:31 -0500 Subject: [PATCH 2/2] refactor: we're doing detectiononly, too many false positives --- images/agent/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/agent/Dockerfile b/images/agent/Dockerfile index 4774ca2..768f9d1 100644 --- a/images/agent/Dockerfile +++ b/images/agent/Dockerfile @@ -17,7 +17,7 @@ RUN sed -i \ -e 's!^#\(include /usr/share/modsecurity-crs/owasp-crs.load\)$!\1!' \ /etc/nginx/modsecurity_includes.conf \ && sed -i -e 's/IncludeOptional/Include/' /usr/share/modsecurity-crs/owasp-crs.load \ - && sed -i -e 's/^SecRuleEngine .*$/SecRuleEngine On/' /etc/nginx/modsecurity.conf + && sed -i -e 's/^SecRuleEngine .*$/SecRuleEngine DetectionOnly/' /etc/nginx/modsecurity.conf # Logrotate overrides for NGINX and ModSecurity to work around a logrotate # repoen bug at https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/351
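Review bot: The restored stock block still ends its preamble with `# Uncomment this rule to change the default.`, but uncommenting the `id:900220` SecAction would no longer change anything, because the rule that consumes `tx.allowed_request_content_type` (920420, per the new exclusion file's own description) is removed by `SecRuleRemoveById 920420` in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf in the same patch. A one-line note here prevents a future maintainer from adding types to this list expecting enforcement, e.g. `# NOTE: rule 920420 is removed in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf; this list has no effect until that exclusion is dropped.` The removed lines were also the only record of why `application/x-protobuf` was needed (the issue #214 reference); consider carrying that pointer over into the exclusion file's rationale rather than losing it.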
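Review bot: Switching to `SecRuleEngine DetectionOnly` makes every CRS rule log-only, which turns the 920420 exclusion from PATCH 1 into a loss of visibility rather than a usability gain: in detection-only mode a rule costs requests nothing, it only produces the audit-log evidence needed to tune the false positives this commit cites, and removing it discards exactly that evidence for unrecognised Content-Type values. Consider leaving `SecRuleRemoveById 920420` out while the engine is in DetectionOnly and reinstating exclusions only for rules the logs show to be noisy. The sed line itself should say that this is a tuning state and what returns it to `On`, e.g. `# TODO: DetectionOnly while CRS exclusions are tuned from the ModSecurity audit log; switch back to On afterwards`. The `RUN sed -i \` statement begins before the hunk.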