It’s been an uphill battle trying to get ModSecurity to play well with Mastodon. It’s not the software itself, but the OWASP Core Rule Set, which I find difficult to understand and customise.
I think I’m nearly there with the few custom rules I’ve posted below (though I’m not sure if the second rule is a wise move).
# Local exclusions for Mastodon. ctl:ruleRemoveById only affects rules that are
# evaluated after this one, so these must be loaded before the CRS rule files
# (for example from REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf). Ids below
# 100000 are the range CRS leaves free for local rules.

# Mastodon's admin page for a remote instance ends in that instance's domain, so
# /admin/instances/example.com looks like a request for a restricted ".com" file
# extension to rule 920440. The dot before "com" must be escaped; unescaped it
# matches any character.
SecRule REQUEST_FILENAME "@rx ^/admin/instances/[0-9a-z.-]+\.com$" \
    "id:20,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=920440"

# ActivityPub requests negotiate application/activity+json or application/ld+json
# (Mastodon's Accept header also carries a quoted profile parameter, which is what
# trips 920600). The media type has to be matched inside the Accept and
# Content-Type headers; @streq against the whole REQUEST_HEADERS collection only
# fires on a header whose entire value is exactly the literal string.
SecRule REQUEST_HEADERS:Accept|REQUEST_HEADERS:Content-Type "@rx application/(?:activity|ld)\+json" \
    "id:30,\
    phase:1,\
    pass,\
    t:none,\
    log,\
    ctl:ruleRemoveById=920600"

# Log-only markers for the federation endpoints; they exclude nothing and only
# show in the logs when these paths are hit, which helps while tuning.
SecRule REQUEST_URI "@beginsWith /users" \
    "id:40,\
    phase:1,\
    pass,\
    t:none,\
    log"

SecRule REQUEST_URI "@beginsWith /actor" \
    "id:50,\
    phase:1,\
    pass,\
    t:none,\
    log"
I’m continuing to try to fine-tune this (there are still a few glitches to sort out), but I think I’ll get there eventually.
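The tuning loop behind rules like the ones above is: read the ModSecurity alerts, see which CRS rule ids fire on which Mastodon endpoints, and write an exclusion scoped to that endpoint rather than disabling the rule globally. The script below is an added example of that step; it is not code from this post or from the CRS or Mastodon projects. It parses the bracketed fields (`[id "..."]`, `[uri "..."]`) that both the ModSecurity v2 (Apache) and v3 (nginx) log formats emit, collapses Mastodon's variable path segments into endpoint labels, and prints candidate `ctl:ruleRemoveById` exclusions for anything that fired more than once. The sample log lines are constructed, and the endpoint labels, the `SAMPLE_LOG`, `summarise` and `exclusion_rules` names, and the hit threshold are this example's own choices.

```python
import re
from collections import Counter

# Bracketed fields such as [id "920440"] and [uri "/inbox"] appear in both the
# ModSecurity v2 (Apache error log) and v3 (libmodsecurity/nginx) line formats,
# so parsing them is enough to answer "which rule fired on which request".
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Mastodon endpoints with variable path segments, collapsed so that a rule
# firing on /users/alice/inbox and /users/bob/inbox is tuned once. Labels and
# regexes are this example's own choices, not anything CRS or Mastodon define.
ENDPOINT_PATTERNS = [
    ("/admin/instances/{domain}", r"^/admin/instances/[^/]+$"),
    ("/users/{name}/inbox",       r"^/users/[^/]+/inbox$"),
    ("/users/{name}",             r"^/users/[^/]+$"),
    ("/inbox",                    r"^/inbox$"),
    ("/actor",                    r"^/actor$"),
]

# Constructed sample log lines in the two formats (not captured from a real
# server); the last line is ordinary Apache noise that must be ignored.
SAMPLE_LOG = r'''
[Wed Mar 01 10:11:12.000000 2023] [:error] [pid 4242] [client 203.0.113.5] ModSecurity: Warning. Pattern match "\.com$" at REQUEST_BASENAME. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [hostname "social.example"] [uri "/admin/instances/remote.example.com"] [unique_id "a1"]
[Wed Mar 01 10:11:40.000000 2023] [:error] [pid 4242] [client 203.0.113.5] ModSecurity: Warning. Pattern match "\.com$" at REQUEST_BASENAME. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920440"] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "CRITICAL"] [hostname "social.example"] [uri "/admin/instances/other.example.com"] [unique_id "a2"]
2023/03/01 10:12:00 [error] 900#900: *7 [client 203.0.113.9] ModSecurity: Warning. Matched "Operator Rx" against variable REQUEST_HEADERS:Accept (Value: application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams") [file "/etc/nginx/modsec/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [severity "4"] [hostname "social.example"] [uri "/users/alice/inbox"] [unique_id "b1"], client: 203.0.113.9, server: social.example, request: "POST /users/alice/inbox HTTP/1.1"
2023/03/01 10:12:30 [error] 900#900: *9 [client 198.51.100.7] ModSecurity: Warning. Matched "Operator Rx" against variable REQUEST_HEADERS:Accept (Value: application/activity+json, application/ld+json; profile="https://www.w3.org/ns/activitystreams") [file "/etc/nginx/modsec/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [severity "4"] [hostname "social.example"] [uri "/users/bob/inbox"] [unique_id "b2"], client: 198.51.100.7, server: social.example, request: "POST /users/bob/inbox HTTP/1.1"
[Wed Mar 01 10:13:05.000000 2023] [:error] [pid 4243] [client 192.0.2.44] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920420"] [msg "Request content type is not allowed by policy"] [severity "CRITICAL"] [hostname "social.example"] [uri "/api/v1/statuses"] [unique_id "c1"]
[Wed Mar 01 10:13:09.000000 2023] [:error] [pid 4243] [client 192.0.2.44] AH01630: client denied by server configuration: /var/www/html/.git
'''


def parse_line(line):
    """Return the bracketed fields of one ModSecurity alert line, or None for
    anything else (non-ModSecurity lines, blank lines, truncated entries)."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    return fields


def endpoint_of(uri):
    """Collapse a request URI to an endpoint label; unknown paths are kept
    verbatim (minus any query string)."""
    path = uri.split("?", 1)[0]
    for label, pattern in ENDPOINT_PATTERNS:
        if re.match(pattern, path):
            return label
    return path


def summarise(log_lines):
    """Count how often each (CRS rule id, endpoint) pair appears."""
    counts = Counter()
    for line in log_lines:
        fields = parse_line(line)
        if fields is not None:
            counts[(fields["id"], endpoint_of(fields["uri"]))] += 1
    return counts


def exclusion_rules(counts, min_hits=2, first_id=1000):
    """Render one SecRule exclusion per pair seen at least min_hits times,
    scoped to the endpoint instead of disabling the CRS rule everywhere.
    Ids are allocated from first_id upward (CRS keeps 1-99999 free for local
    rules). The output only takes effect if it is loaded before the CRS rule
    files, e.g. from REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf."""
    patterns = dict(ENDPOINT_PATTERNS)
    rules = []
    next_id = first_id
    for (crs_id, endpoint), hits in sorted(counts.items()):
        if hits < min_hits:
            continue
        # Known endpoints get the regex that defined them; anything else is
        # matched literally so the exclusion stays as narrow as the evidence.
        if endpoint in patterns:
            operator = f"@rx {patterns[endpoint]}"
        else:
            operator = f"@streq {endpoint}"
        rules.append(
            f"# CRS {crs_id} fired {hits} times on {endpoint}\n"
            f'SecRule REQUEST_FILENAME "{operator}" \\\n'
            f'    "id:{next_id},phase:1,pass,nolog,t:none,ctl:ruleRemoveById={crs_id}"'
        )
        next_id += 1
    return rules


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG.splitlines())
    for (crs_id, endpoint), hits in sorted(counts.items()):
        print(f"{crs_id}  {hits:3d}  {endpoint}")
    print()
    print("\n\n".join(exclusion_rules(counts)))
```

Run against a real error log (`python3 crs_hits.py < /var/log/apache2/error.log` after swapping `SAMPLE_LOG` for `sys.stdin`) the summary tells you whether a rule fires on one endpoint or everywhere, which is the difference between a scoped `ctl:ruleRemoveById` and a sign that the rule is genuinely wrong for the site; the 920420 hit in the sample stays below the threshold and gets no exclusion, which is the right outcome for a one-off.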