
Mastodon + ModSecurity

It’s been an uphill battle trying to get ModSecurity to play well with Mastodon. It’s not the software itself, but the OWASP Core Rule Set (CRS), which I find difficult to understand and customise.

I think I’m nearly there with the few custom rules I’ve posted below (though I’m not sure if the second rule is a wise move).

# Load these before the CRS rules (e.g. in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf)
# so the ctl:ruleRemoveById exclusions are in place before the targeted rule runs.

# The instance domain in the admin UI path looks like a file with a ".com"
# extension, which is on the CRS restricted-extension list and trips rule
# 920440 ("URL file extension is restricted by policy"). Disable 920440 for
# this path only. The dot before "com" is escaped so it matches a literal dot.
SecRule REQUEST_FILENAME "@rx ^/admin/instances/[0-9a-z.-]+\.com$" \
"id:20,\
phase:1,\
pass,\
t:none,\
nolog,\
ctl:ruleRemoveById=920440"

# ActivityPub requests carry an Accept header that starts with
# "application/activity+json, application/ld+json" (followed by a quoted
# profile parameter), which trips CRS rule 920600 (the Accept header format
# check). Match the Accept header itself: as first written, @streq against
# every header value could only fire when some header was exactly the
# two-type string, so the exclusion never applied to real Mastodon traffic.
# The exclusion is limited to requests whose Accept header begins with the
# ActivityPub media type; everything else still goes through 920600.
SecRule REQUEST_HEADERS:Accept "@beginsWith application/activity+json" \
"id:30,\
phase:1,\
pass,\
t:none,\
ctl:ruleRemoveById=920600,\
log"

# Log-only marker rule: it excludes nothing, it just records /users requests
# in the log so CRS hits on that path are easy to find while tuning.
SecRule REQUEST_URI "@beginsWith /users" \
"id:40,\
phase:1,\
pass,\
t:none,\
log"

# Same log-only marker for the instance actor endpoint.
SecRule REQUEST_URI "@beginsWith /actor" \
"id:50,\
phase:1,\
pass,\
t:none,\
log"

I’m continuing to try to fine-tune this (there are still a few glitches to sort out), but I think I’ll get there eventually.
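One way to see which CRS rules are actually firing on Mastodon routes while tuning, as an added example that is not part of the original post: a small Python script that parses the `[id "..."]`, `[msg "..."]`, `[uri "..."]` and `[unique_id "..."]` fields ModSecurity writes to the web server error log, drops the anomaly-score summary rules (949110, 980130) that appear on every blocked request, and tallies the remaining hits per route. The log lines embedded in it are constructed to look like libmodsecurity output and are not captured from a real instance; the route prefixes and the `SUMMARY_RULES` set are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape libmodsecurity writes to the error
# log (fields trimmed). Illustrative only, not captured from a real server.
SAMPLE_LOG = """\
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_BASENAME'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920440"] [msg "URL file extension is restricted by policy"] [severity "2"] [uri "/admin/instances/example.com"] [unique_id "r1"]
ModSecurity: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/admin/instances/example.com"] [unique_id "r1"]
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Accept'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [severity "2"] [uri "/users/alice"] [unique_id "r2"]
ModSecurity: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/users/alice"] [unique_id "r2"]
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Accept'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [severity "2"] [uri "/actor"] [unique_id "r3"]
ModSecurity: Warning. Matched "Operator `Rx' against variable `REQUEST_HEADERS:Accept'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920600"] [msg "Illegal Accept header: charset parameter"] [severity "2"] [uri "/users/bob/inbox"] [unique_id "r4"]
ModSecurity: Warning. [file "REQUEST-980-CORRELATION.conf"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5)"] [severity "0"] [uri "/users/alice"] [unique_id "r2"]
"""

RULE_ID = re.compile(r'\[id "(\d+)"\]')
MSG = re.compile(r'\[msg "([^"]*)"\]')
URI = re.compile(r'\[uri "([^"]*)"\]')
UNIQUE_ID = re.compile(r'\[unique_id "([^"]*)"\]')

# CRS anomaly-score summary rules: they fire on every blocked request and
# name the symptom, not the rule that scored it. (Assumed set for the example.)
SUMMARY_RULES = {"949110", "980130"}

# Mastodon routes we want to group hits by (assumption for the example).
ROUTE_PREFIXES = ("/admin/instances", "/users", "/actor", "/inbox", "/api")


def parse_hits(log_text):
    """Return one dict per log line that carries a rule id and a URI."""
    hits = []
    for line in log_text.splitlines():
        rid, uri = RULE_ID.search(line), URI.search(line)
        if not (rid and uri):
            continue  # not a ModSecurity match line
        msg, uid = MSG.search(line), UNIQUE_ID.search(line)
        hits.append({
            "id": rid.group(1),
            "uri": uri.group(1),
            "msg": msg.group(1) if msg else "",
            "unique_id": uid.group(1) if uid else "",
        })
    return hits


def route_of(uri):
    """Map a request URI to the first matching route prefix, else '(other)'."""
    for prefix in ROUTE_PREFIXES:
        if uri == prefix or uri.startswith(prefix + "/"):
            return prefix
    return "(other)"


def tally(hits, ignore=SUMMARY_RULES):
    """Count (rule id, route) pairs, leaving out the summary rules."""
    counts = Counter()
    for h in hits:
        if h["id"] not in ignore:
            counts[(h["id"], route_of(h["uri"]))] += 1
    return counts


def culprits_per_request(hits, ignore=SUMMARY_RULES):
    """unique_id -> sorted list of non-summary rule ids that fired on it.

    This is what tells you which rule to exclude for a given 403."""
    by_req = defaultdict(set)
    for h in hits:
        if h["id"] not in ignore:
            by_req[h["unique_id"]].add(h["id"])
    return {uid: sorted(ids) for uid, ids in by_req.items()}


def report(log_text):
    """Human-readable tally, most frequent (rule, route) first."""
    hits = parse_hits(log_text)
    msgs = {h["id"]: h["msg"] for h in hits}
    rows = [f"{n:4d}  id {rid}  {route:<18} {msgs[rid]}"
            for (rid, route), n in tally(hits).most_common()]
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    # Usage: python modsec_tally.py /var/log/nginx/error.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Run it against the real error log once the rules above are in place; any route still showing a non-summary rule id is the next exclusion to write, and `culprits_per_request` shows exactly which rule scored a particular blocked request.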

Published in: Fediverse, Security
