##
##  apache-security.conf -- Apache configuration for mod_security
##

LoadModule                  security2_module  @l_prefix@/libexec/apache/mod_security.so

#
#   core rule sets
#

#   include core rule sets
Include                     @l_prefix@/etc/apache-security/modsecurity_crs_*.conf

#   remove rules of the core rule set which have been proven to trigger
#   false positives, mostly because they are definied in an too generic
#   way
SecRuleRemoveById           950907 \
                            960015

#
#   general configuration parameters
#

SecRuleEngine               On
SecRequestBodyAccess        On
SecResponseBodyAccess       Off

SecDebugLog                 @l_prefix@/var/apache/log/security-debug.log
SecDebugLogLevel            0

SecAuditEngine              RelevantOnly
SecAuditLogRelevantStatus   ^5
SecAuditLogParts            ABIFHZ
SecAuditLogType             Serial
SecAuditLog                 @l_prefix@/var/apache/log/security-audit.log

SecRequestBodyLimit         131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit        524288

#
#   data storages
#

SecDataDir                  @l_prefix@/var/apache-security/data
SecTmpDir                   @l_prefix@/var/apache-security/tmp
SecUploadDir                @l_prefix@/var/apache-security/upload
SecUploadKeepFiles          Off