LGA-3531: Add ModSec rules from CLA_Public (#151)

BenMillar-MOJ · web-flow · commit 92ff0ddf6df3 · 2025-02-26T09:58:38.000Z
* Add ModSec config from CLA_Public
* Add comments explaining the purpose of each rule
diff --git a/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml b/helm_deploy/laa-access-civil-legal-aid/templates/ingress.yaml
@@ -22,10 +22,17 @@ metadata:
     {{- with .Values.ingress.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
+    # Some ModSec rules have been disabled to large numbers of false positives that impact standard user behaviour.
+    # 942230 - SQL Injection - Directory Traversal Sequences
+    # 930120 - Local File Inclusion
+    # 933210 - PHP Injection
     nginx.ingress.kubernetes.io/enable-modsecurity: "true"
     nginx.ingress.kubernetes.io/modsecurity-snippet: |
       SecRuleEngine On
       SecDefaultAction "phase:2,pass,log,tag:github_team=laa-get-access"
+      SecRuleRemoveById 942230
+      SecRuleRemoveById 930120
+      SecRuleRemoveById 933210
 spec:
   ingressClassName: {{ .Values.ingress.className }}
   {{- if .Values.ingress.tls }}
