diff --git a/config/_default/config.toml b/config/_default/config.toml index ce1efc47..bd133fda 100644 --- a/config/_default/config.toml +++ b/config/_default/config.toml @@ -41,8 +41,9 @@ home = [ "HTML", "RSS", "JSON"] #custom_css = ["css/foo.css", "css/bar.css"] # CRS related parameters - crs_latest_release = "3.3.4" - crs_dev_branch = "v4.0/dev" + crs_latest_release = "4.0.0" + crs_dev_branch = "main" + crs_install_dir = "/etc/crs4" [[menu.shortcuts]] name = " Core Rule Set Home" diff --git a/content/deployment/install.md b/content/deployment/install.md index 83ae81e9..f92c5041 100644 --- a/content/deployment/install.md +++ b/content/deployment/install.md @@ -160,7 +160,7 @@ gpg> quit The result when verifying a release will then look like so: ```bash -gpg --verify coreruleset-3.3.2.tar.gz.asc v3.3.2.tar.gz +gpg --verify coreruleset-{{< param crs_latest_release >}}.tar.gz.asc v{{< param crs_latest_release >}}.tar.gz gpg: Signature made Wed Jun 30 15:05:48 2021 CEST gpg: using RSA key 36006F0E0BA167832158821138EEACA1AB8A6E72 gpg: Good signature from "OWASP Core Rule Set " [ultimate] 
@@ -210,17 +210,28 @@ It is recommended to create a folder specifically to contain the CRS rules. In t ```apache - Include modsecurity.d/modsecurity.conf - Include modsecurity.d/coreruleset-{{< param crs_latest_release >}}/crs-setup.conf - Include modsecurity.d/coreruleset-{{< param crs_latest_release >}}/rules/*.conf + Include modsecurity.d/modsecurity.conf + Include {{< param crs_install_dir >}}/crs-setup.conf + Include {{< param crs_install_dir >}}/plugins/*-config.conf + Include {{< param crs_install_dir >}}/plugins/*-before.conf + Include {{< param crs_install_dir >}}/rules/*.conf + Include {{< param crs_install_dir >}}/plugins/*-after.conf ``` ### Includes for Nginx -Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `owasp-modsecurity-crs` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity. +Nginx will include files from the Nginx configuration directory (`/etc/nginx` or `/usr/local/nginx/conf/`, depending on the environment). Because only one `ModSecurityConfig` directive can be specified within `nginx.conf`, it is recommended to name that file `modsec_includes.conf` and include additional files from there. In the example below, the cloned `coreruleset` folder was copied into the Nginx configuration directory. From there, the appropriate include directives are specified which will include OWASP CRS when the server is restarted. 
In the example below, the `modsecurity.conf` file has also been included, which includes recommended configurations for ModSecurity. ```nginx -include modsecurity.conf -{{% crsfiles prefix="include coreruleset-" version="3.3.2" %}} -``` + Include modsecurity.d/modsecurity.conf + Include {{< param crs_install_dir >}}/crs-setup.conf + Include {{< param crs_install_dir >}}/plugins/*-config.conf + Include {{< param crs_install_dir >}}/plugins/*-before.conf + Include {{< param crs_install_dir >}}/rules/*.conf + Include {{< param crs_install_dir >}}/plugins/*-after.conf +``` + +{{% notice note %}} +You will also need to include the plugins you want along with your CRS installation. +{{% /notice %}} \ No newline at end of file diff --git a/content/deployment/quick_start.md b/content/deployment/quick_start.md index ae32017e..f722df11 100644 --- a/content/deployment/quick_start.md +++ b/content/deployment/quick_start.md @@ -78,10 +78,12 @@ The examples presented below demonstrate using Apache. For information on config Note that while it's common practice to make a new `modsecurity.d` folder, as outlined below, this isn't strictly necessary. The path scheme outlined is common on RHEL-based operating systems; the Apache path used may need to be adjusted to match the server's installation. ```bash -mkdir /etc/httpd/modsecurity.d -tar -zxvf v{{< param crs_latest_release >}}.tar.gz -C /etc/httpd/modsecurity.d/owasp-modsecurity-crs +mkdir {{< param crs_install_dir >}} +tar -xzvf v{{< param crs_latest_release >}}.tar.gz --strip-components 1 -C {{< param crs_install_dir >}} ``` +Now all the CRS files will be located below the `{{< param crs_install_dir >}}` directory. + ### Setting Up the Main Configuration File After extracting the rule set files, the next step is to set up the main OWASP Core Rule Set configuration file. An example configuration file is provided as part of the release package, located in the main directory: `crs-setup.conf.example`. 
@@ -95,7 +97,7 @@ In many scenarios, the default example CRS configuration will be a good enough s Once any settings have been changed within the example configuration file, as needed, it should be renamed to remove the .example portion, like so: ```bash -cd /etc/httpd/modsecurity.d/owasp-modsecurity-crs/ +cd {{< param crs_install_dir >}} mv crs-setup.conf.example crs-setup.conf ``` 
@@ -104,11 +106,14 @@ mv crs-setup.conf.example crs-setup.conf The last step is to tell the web server where the rules are. This is achieved by `include`-ing the rule configuration files in the `httpd.conf` file. Again, this example demonstrates using Apache, but the process is similar on other systems (see the [extended install]({{< ref "install.md" >}}) page for details). ```bash -echo 'IncludeOptional /etc/httpd/owasp-modsecurity-crs/crs-setup.conf' >> /etc/httpd/conf/httpd.conf -echo 'IncludeOptional /etc/httpd/owasp-modsecurity-crs/rules/*.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/crs-setup.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-config.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-before.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/rules/*.conf' >> /etc/httpd/conf/httpd.conf +echo 'IncludeOptional {{< param crs_install_dir >}}/plugins/*-after.conf' >> /etc/httpd/conf/httpd.conf ``` -Now that everything has been configured, it should be possible to restart and being using the OWASP Core Rule Set. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}). +Now that everything has been configured, it should be possible to restart and being using the OWASP CRS. The CRS rules typically require a bit of tuning with rule exclusions, depending on the site and web applications in question. For more information on tuning, see [false positives and tuning]({{< ref "false_positives_tuning.md" >}}). ```bash systemctl restart httpd.service diff --git a/layouts/shortcodes/crsfiles.html b/layouts/shortcodes/crsfiles.html index 452fc2eb..3f9c1674 100644 --- a/layouts/shortcodes/crsfiles.html 
+++ b/layouts/shortcodes/crsfiles.html @@ -1,16 +1,17 @@ {{- $urlPre := "https://api.github.com" -}} -{{- $crsversion := .Get "version" -}} -{{- $prefix := .Get "prefix" | default "" -}} +{{- $crsversion := .Site.Param "crs_latest_release" -}} +{{- $prefix := .Site.Param "crs_install_dir" -}} +{{- $prepend := .Get "prepend" | default "" -}} {{- $filesJ := getJSON $urlPre (printf "/repos/coreruleset/coreruleset/git/trees/v%s" $crsversion) "?recursive=1" -}} {{- $text := slice -}} {{- range $idx, $file := $filesJ.tree -}} {{- if eq $file.type "blob" -}} {{- if strings.HasSuffix $file.path "example" -}} - {{- $text = $text | append (printf "%s%s/%s" $prefix $crsversion (strings.TrimSuffix ".example" $file.path) ) -}} + {{- $text = $text | append (printf "%s%s/%s" $prepend $prefix (strings.TrimSuffix ".example" $file.path) ) -}} {{- end -}} {{- if and (eq (path.Dir $file.path) "rules") (strings.HasSuffix $file.path "conf") -}} - {{- $text = $text | append (printf "%s%s/%s" $prefix $crsversion $file.path) -}} + {{- $text = $text | append (printf "%s%s/%s" $prepend $prefix $file.path) -}} {{- end -}} {{- end -}} {{- end -}} -{{ htmlEscape (delimit $text "\n") }} \ No newline at end of file +{{ htmlEscape (delimit $text "\n") }}
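Review bot: In the `content/deployment/install.md` hunk at `@@ -160,7 +160,7 @@`, parameterising the `gpg --verify` command with `crs_latest_release` leaves the sample output below it stale: the `Signature made Wed Jun 30 15:05:48 2021 CEST` line and the key fingerprint are the 3.3.2 verification result, so a reader on 4.0.0 will see a date that cannot match. Either replace the output with the result of verifying the 4.0.0 tarball or add a sentence saying the date and key shown are illustrative.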
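Review bot: In the `content/deployment/install.md` hunk at `@@ -210,17 +210,28 @@`, the new Nginx block is a copy of the Apache block and contradicts its own prose: the paragraph above it says `modsecurity.conf` was copied into the Nginx configuration directory, but the first line now reads `Include modsecurity.d/modsecurity.conf`, which is the Apache-relative path, where the removed line was `include modsecurity.conf`. Suggest restoring `include modsecurity.conf` (or another path that exists under `/etc/nginx`) for that line. In the Apache block, the plugin globs `Include {{< param crs_install_dir >}}/plugins/*-config.conf`, `*-before.conf` and `*-after.conf` use `Include`, and on httpd 2.4 a wildcard that matches no file makes `Include` fail, so a fresh install with no plugins enabled would not start; `quick_start.md` in this same patch uses `IncludeOptional` for those lines, and the two pages should agree on that. Lastly, this hunk deletes the only visible call to the `crsfiles` shortcode (`{{% crsfiles prefix="include coreruleset-" version="3.3.2" %}}`) while `layouts/shortcodes/crsfiles.html` is reworked below; consider calling it here with the new `prepend` argument instead of hand-maintaining the rules list.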
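Review bot: In the `content/deployment/quick_start.md` hunk at `@@ -78,10 +78,12 @@`, the unchanged context line immediately above the code block still says "it's common practice to make a new `modsecurity.d` folder, as outlined below" and that "the Apache path used may need to be adjusted", but the new commands create `{{< param crs_install_dir >}}` (`/etc/crs4` per the config change) and no longer touch `/etc/httpd/modsecurity.d`. That sentence should be updated to describe the new directory; otherwise the reader is told to expect a path the commands never create. Minor: `mkdir {{< param crs_install_dir >}}` without `-p` will error if the directory already exists from a previous run, which matters for a copy-paste quick start.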
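Review bot: In the `content/deployment/quick_start.md` hunk at `@@ -104,11 +106,14 @@`, the rewritten sentence `Now that everything has been configured, it should be possible to restart and being using the OWASP CRS.` carries over the typo "being using"; since the line is already being changed, fix it to "begin using". The ordering of the five `IncludeOptional` lines (`crs-setup.conf`, `*-config.conf`, `*-before.conf`, `rules/*.conf`, `*-after.conf`) matches the Apache block in `install.md`, which is the ordering plugins depend on, so that part looks right.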
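Review bot: In the `layouts/shortcodes/crsfiles.html` hunk, replacing the `version` and `prefix` arguments with `.Site.Param "crs_latest_release"` and `.Site.Param "crs_install_dir"` changes the shortcode's interface, but the only call visible in this patch is removed rather than migrated, so the new `prepend` argument has no usage and any remaining caller still passing `version=`/`prefix=` would now be silently ignored. Either document the new signature (for example `{{% crsfiles prepend="include " %}}`) in the shortcode or in `install.md`, or drop the shortcode if the hand-written include lists are the intended replacement. Also note the output now hard-codes the absolute `crs_install_dir` into every generated line, so the `prepend` value should not itself end with a path (`"include "` is fine, `"include /"` would double the slash).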