From fe05ea5364f13ff1e62d152b0915a5a52340aa72 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Tue, 14 Apr 2026 17:38:33 +0200
Subject: [PATCH] fix: ruleset for v0.3.0

---
 templates/traefik/config.yml.j2 | 47 ++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 18 deletions(-)

diff --git a/templates/traefik/config.yml.j2 b/templates/traefik/config.yml.j2
index e9047cc..e641aac 100644
--- a/templates/traefik/config.yml.j2
+++ b/templates/traefik/config.yml.j2
@@ -61,29 +61,40 @@ http: plugin: coraza: directives: + + # enable coraza - "SecRuleEngine On" - "SecRequestBodyAccess Off" - "SecResponseBodyAccess Off" - "SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"" - "SecDefaultAction \"phase:2,log,auditlog,deny,status:403\"" - - "SecAction \"id:900000,phase:1,pass,nolog,setvar:tx.paranoia_level=1\"" - - "SecAction \"id:900110,phase:1,pass,nolog,setvar:tx.inbound_anomaly_score_threshold=5\"" - - "SecAction \"id:900200,phase:1,pass,nolog,setvar:tx.allowed_methods=GET POST PUT PATCH DELETE HEAD OPTIONS\"" - - "Include @owasp_crs/REQUEST-901-INITIALIZATION.conf" - - "Include @owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf" - - "Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf" - - "Include @owasp_crs/REQUEST-913-SCANNER-DETECTION.conf" - - "Include @owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf" - - "Include @owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf" - - "Include @owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf" - - "Include @owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf" - - "Include @owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf" - - "Include @owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf" - - "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf" - - "Include @owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf" - - "Include @owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf" - - "Include @owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf" - - "Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf" + + # method enforcement + - "SecRule REQUEST_METHOD \"!@within GET POST PUT PATCH DELETE HEAD OPTIONS\" \"id:1001,phase:1,block,msg:'Method not allowed'\"" + + # scanner detection + - "SecRule REQUEST_HEADERS:User-Agent \"@pmFromFile /dev/null\" \"id:1002,phase:1,pass,nolog\"" + - "SecRule REQUEST_HEADERS:User-Agent \"@rx (?i)(nikto|nmap|sqlmap|nessus|burpsuite|masscan|zgrab|nuclei|dirbuster|gobuster|wfuzz|hydra|metasploit)\" \"id:1003,phase:1,block,msg:'Scanner detected'\"" + 
+ # path traversal / LFI + - "SecRule REQUEST_URI \"@rx (?i)(\\.\\./|\\.\\.\\\\|%2e%2e%2f|%2e%2e/)\" \"id:1010,phase:1,block,msg:'Path traversal'\"" + + # RFI + - "SecRule ARGS \"@rx (?i)(https?|ftp|php|data)://\" \"id:1020,phase:2,block,msg:'Remote file inclusion'\"" + + # RCE + - "SecRule ARGS \"@rx (?i)(;|\\||`|\\$\\(|&&|\\|\\|)\\s*(ls|cat|wget|curl|bash|sh|python|perl|ruby|nc|ncat)\" \"id:1030,phase:2,block,msg:'Command injection'\"" + # XSS + - "SecRule ARGS|REQUEST_URI \"@rx (?i)(]*>||javascript:|on\\w+\\s*=|