Allow all conforming Content-Type values

images/agent/Dockerfile

@@ -17,7 +17,7 @@ RUN sed -i \
         -e 's!^#\(include /usr/share/modsecurity-crs/owasp-crs.load\)$!\1!' \
         /etc/nginx/modsecurity_includes.conf \
     && sed -i -e 's/IncludeOptional/Include/' /usr/share/modsecurity-crs/owasp-crs.load \
-    && sed -i -e 's/^SecRuleEngine .*$/SecRuleEngine On/' /etc/nginx/modsecurity.conf
+    && sed -i -e 's/^SecRuleEngine .*$/SecRuleEngine DetectionOnly/' /etc/nginx/modsecurity.conf
 
 # Logrotate overrides for NGINX and ModSecurity to work around a logrotate
 # repoen bug at https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/351
@@ -26,6 +26,7 @@ COPY ./images/agent/nginx.logrotate /etc/logrotate.d/nginx
 # Apply custom ModSecurity configurations. See the blame on that file for
 # details on what's been changed from stock.
 COPY ./images/agent/crs-setup.conf /etc/modsecurity/crs/crs-setup.conf
+COPY ./images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf /etc/modsecurity/crs/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 
 # Install DNSMasq and configure it to only get it's config from our pull-config
 RUN sed -i \

images/agent/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

@@ -0,0 +1,86 @@
+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.3.7
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 Core Rule Set project. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# The purpose of this file is to hold LOCAL exceptions for your site.
+# The types of rules that would go into this file are one where you want
+# to unconditionally disable rules or modify their actions during startup.
+#
+# Please see the file REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example
+# for a description of the rule exclusions mechanism and the correct
+# use of this file.
+#
+
+#
+# Example Exclusion Rule: To unconditionally disable a rule ID
+#
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+# SecRuleRemoveById 942100
+
+# Example Exclusion Rule: Remove a group of rules
+#
+# ModSecurity Rule Exclusion: Disable PHP injection rules
+# SecRuleRemoveByTag "attack-injection-php"
+
+#
+# Example Exclusion Rule: To unconditionally remove parameter "foo" from
+#                         inspection for SQLi rules
+#
+# ModSecurity Rule Exclusion: disable sqli rules for parameter foo.
+# SecRuleUpdateTargetByTag "attack-sqli" "!ARGS:foo"
+
+# I have opted to disabling the rule 920420 altogether, which is the rule
+# responsible for blocking requests based on the value of the Content-Type
+# header. While the rationale is sound, the cluster supports applications of too
+# varied configurations to feasibly whitelist every nessecary value. While this
+# does increase the likelihood of smuggled attacks via unparsed bodies, the
+# trade off has been deemed nessecary for usability in the cluster. Rule 920470
+# remains active which ensures the Content-Type header itself is conforming to
+# web standards which still reduces the overall attack surface.
+SecRuleRemoveById 920420
+
+
+# -- [[ Changing the Disruptive Action for Anomaly Mode ]] --
+#
+# In Anomaly Mode (default in CRS3), the rules in REQUEST-949-BLOCKING-EVALUATION.conf
+# and RESPONSE-959-BLOCKING-EVALUATION.conf check the accumulated attack scores
+# against your policy. To apply a disruptive action, they overwrite the default
+# actions specified in SecDefaultAction (setup.conf) with a 'deny' action.
+# This 'deny' is by default paired with a 'status:403' action.
+#
+# In order to change the disruptive action from 'deny' to something else,
+# you must use SecRuleUpdateActionByID directives AFTER the CRS rules
+# are configured, for instance in the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf file.
+#
+# These actions only apply when using Anomaly Mode.
+#
+# Default action: block with error 403
+# (No configuration needed in this file if you want the default behavior.)
+#
+
+# Example: redirect back to the homepage on blocking
+#
+# SecRuleUpdateActionById 949110 "t:none,redirect:'http://%{request_headers.host}/'"
+# SecRuleUpdateActionById 959100 "t:none,redirect:'http://%{request_headers.host}/'"
+
+# Example: redirect to another URL on blocking
+#
+# SecRuleUpdateActionById 949110 "t:none,redirect:'http://example.com/report_problem'"
+# SecRuleUpdateActionById 959100 "t:none,redirect:'http://example.com/report_problem'"
+
+# Example: send an error 404
+#
+# SecRuleUpdateActionById 949110 "t:none,deny,status:404"
+# SecRuleUpdateActionById 959100 "t:none,deny,status:404"
+
+# Example: drop the connection (best for DoS attacks)
+#
+# SecRuleUpdateActionById 949110 "t:none,drop"
+# SecRuleUpdateActionById 959100 "t:none,drop"

images/agent/crs-setup.conf

@@ -429,16 +429,13 @@ SecAction \
 #  SecRule REQUEST_URI "@rx ^/foo/bar" "t:none"
 #
 # Uncomment this rule to change the default.
-#
-# We add `application/x-protobuf` used by the VictoriaMetrics API for write requests.
-# See https://github.com/mieweb/opensource-server/issues/214
-SecAction \
- "id:900220,\
-  phase:1,\
-  nolog,\
-  pass,\
-  t:none,\
-  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/x-protobuf| |application/octet-stream| |application/offset+octet-stream|'"
+#SecAction \
+# "id:900220,\
+#  phase:1,\
+#  nolog,\
+#  pass,\
+#  t:none,\
+#  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |text/xml| |application/xml| |application/soap+xml| |application/json|'"
 
 # Allowed HTTP versions.
 # Default: HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0