correction conflit Merge branch 'Modifications-Mohamed'

SiteWeb/Fichiers de conf/configperso.conf

+<IfModule mod_headers.c>
+
+######### Content Security Policy (CSP)
+
+	Header always set Content-Security-Policy  " default-src 'self' data: 'unsafe-inline' ;  script-src 'self'  https://trueack.ovh/assets/js/vendor/popper.min.js https://trueack.ovh/dist/js/bootstrap.min.js   https://code.jquery.com/jquery-3.3.1.slim.min.js https://ajax.googleapis.com www.google-analytics.com 'unsafe-inline' ;  object-src 'self' ; form-action 'self' ; frame-ancestors 'self' ; base-uri 'self' ; "
+
+<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
+	Header unset Content-Security-Policy
+</FilesMatch>
+
+######## Reducing MIME type security risks 
+
+	Header set X-Content-Type-Options "nosniff"
+
+######## Clickjacking   
+
+	Header set X-Frame-Options "SAMEORIGIN"
+
+<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
+	Header unset X-Frame-Options
+</FilesMatch>
+
+
+####### Reflected Cross-Site Scripting (XSS) attacks  
+
+	Header set X-XSS-Protection "1; mode=block"
+
+<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
+	Header unset X-XSS-Protection 
+</FilesMatch>
+
+
+####### Server software information Limitez donc au maximum les informations fournies par Apache  
+
+ServerTokens Prod
+ServerSignature Off
+
+
+Header unset X-Powered-By
+
+</IfModule>

SiteWeb/Fichiers de conf/httpd.conf

-#
+
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
 # See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
@@ -56,7 +56,11 @@ Group apache
 
 <VirtualHost *:80>
 	ServerName trueack.ovh
-	Redirect / https://trueack.ovh
+	DocumentRoot "/var/www/html"
+	Redirect  / https://trueack.ovh/
+	
+	ErrorLog /var/log/httpd/modsec_audit.log
+	CustomLog /var/log/httpd/modsec_audit.log combined
 
 </VirtualHost>
 
@@ -67,43 +71,34 @@ ServerName www.trueack.ovh:80
 DocumentRoot "/var/www/html"
 
 
+<Directory "/"> 
 
+##### Empecher -FollowSymLinks  à suivre les liens symboliques et Server Side Includes avec -Indexes 	 
 
-#<Directory />
-#    Options All -Indexes
-#    AllowOverride none
-#    Require all denied
-#</Directory>
+	Options -Indexes -FollowSymLinks 
+	AllowOverride None
+	Require all denied
 
+</Directory>
 
-#<Directory "/var/www">
-#    Options Indexes FollowSymLinks MultiViews
-#    AllowOverride all
-#    Allow open access:
-#    Order allow,deny
-#    allow from all	
-#    Require all granted
-#</Directory>
 
 <Directory "/var/www/html">
-    Options Indexes FollowSymLinks 
+    Options -Indexes -FollowSymLinks 
     AllowOverride All
+
+######### Avec cette règle on accepte que les dérectives suivantes GET POST HEAD
+
+	<LimitExcept GET POST HEAD>
+		deny from all
+	</LimitExcept>
     Require all granted
 </Directory>
 
 
-
 <IfModule dir_module>
-    DirectoryIndex index.html index.php login.php formulaire.php connection.php 
+    DirectoryIndex index.html index.php  
 </IfModule>
 
-
-#<FilesMatch "/var/www/html/Upload">
-#    Order allow,deny
-#    Deny from all
-#</FilesMatch>
-
-
 <Files ".ht*">
     Require all denied
 </Files>
@@ -124,6 +119,7 @@ LogLevel warn
 
     #CustomLog "logs/access_log" common
     CustomLog "logs/access_log" combined
+
 </IfModule>
 
 <IfModule alias_module>
@@ -131,6 +127,7 @@ LogLevel warn
     ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
 </IfModule>
 
+
 <Directory "/var/www/cgi-bin">
     AllowOverride None
     Options None
@@ -161,16 +158,49 @@ AddDefaultCharset UTF-8
 </IfModule>
 
 
-#ErrorDocument 500 "The server made a boo boo."
-#ErrorDocument 404 /missing.html
-#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
-#ErrorDocument 402 http://www.example.com/subscription_info.html
-#
+ErrorDocument 500 "The server made a boo boo."
+ErrorDocument 404 /erreur.html
+ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+ErrorDocument 402 http://www.example.com/subscription_info.html
+
 
 
 #EnableMMAP off
 EnableSendfile on
 
+# Chargement des Modules security2 & evasive20
+
+LoadModule security2_module modules/mod_security2.so
+LoadModule evasive20_module modules/mod_evasive24.so
+
+# Include des fichiers modsecurity et les regles 
+
+<IfModule security2_module>
+	Include /etc/httpd/conf/modsecurity.d/crs-setup.conf
+ 	Include /etc/httpd/conf/modsecurity.d/rules/*.conf
+</IfModule>
+
+
+<IfModule mod_security2.c>
+	SecRuleRemoveById 200000
+</IfModule>
+
+
+# Chargement des session_module pour les cookie  
+
+LoadModule session_module modules/mod_session.so
+LoadModule session_cookie_module modules/mod_session_cookie.so
+
+# Derective Header HTTP 
+
+LoadModule headers_module /usr/lib/httpd/modules/mod_headers.so
+Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
+
 
 # Load config files in the "/etc/httpd/conf.d" directory, if any.
 IncludeOptional conf.d/*.conf
+
+
+
+
+

SiteWeb/Fichiers de conf/mod_evasive.conf

+LoadModule evasive20_module modules/mod_evasive24.so
+<IfModule mod_evasive24.c>
+    DOSHashTableSize    3097
+    DOSPageCount        2
+    DOSSiteCount        50
+    DOSPageInterval     1
+    DOSSiteInterval     1
+    DOSBlockingPeriod   10
+</IfModule>

SiteWeb/Fichiers de conf/mod_security.conf

+<IfModule mod_security2.c>
+
+	SecRuleEngine On
+	SecRequestBodyAccess On
+	SecResponseBodyAccess On
+	SecDebugLog /var/log/httpd/modsec_debug.log
+	SecDebugLogLevel 1
+ 	SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
+	SecDataDir /tmp
+
+</IfModule>

SiteWeb/Fichiers de conf/modsecurity.d/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example

+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.0.0
+# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# The purpose of this file is to hold LOCAL exceptions for your site.  The
+# types of rules that would go into this file are one where you want to
+# short-circuit inspection and allow certain transactions to pass through
+# inspection or if you want to alter rules that are applied.
+#
+# This file is named REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example for a
+# very specific reason. Files affixed with the .example extension are designed
+# to contain user created/modified data. The '.example'. extension should be
+# renamed to end in .conf. The advantage of this is that when OWASP CRS is
+# updated, the updates will not overwrite a user generated configuration file.
+#
+# As a result of this design paradigm users are encouraged NOT to directly
+# modify rules. Instead they should use this
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and the
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS file to modify OWASP rules using
+# methods similar to the examples specified below.
+#
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS and
+# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS serve different purposes. ModSecurity
+# effectively maintains two different context: startup, and per transaction.
+# As a rule, directives are processed within the startup context. While they
+# can affect the per transaction context they generally remain fixed during the
+# execution of ModSecurity.
+#
+# As a result if one wanted to disable a rule at bootup the SecRuleRemoveById
+# directive or one of its siblings would have to be placed AFTER the rule is
+# listed, otherwise it will not have knowledge of the rules existence (since
+# these rules are read in at the same time). This means that when using
+# directives that effect SecRules, these exceptions should be placed AFTER all
+# the existing rules. This is why RESPONSE-999-EXCLUSION-RULES-AFTER-CRS is
+# designed such that it loads LAST.
+#
+# Conversely, ModSecurity supports several actions that can change the state of
+# the underlying configuration during the per transaction context, this is when
+# rules are being processed. Generally, these are accomplished by using the
+# 'ctl' action. As these are part of a rule, they will be evaluated in the
+# order rules are applied (by physical location, considering phases). As a
+# result of this ordering a 'ctl' action should be placed with consideration to
+# when it will be executed. This is particularly relevant for the 'ctl' options
+# that involve modifying ID's (such as ruleRemoveById). In these cases it is
+# important that such rules are placed BEFORE the rule ID they will affect.
+# Unlike the setup context, by the time we process rules in the per-transaction
+# context, we are already aware of all the rule ID's. It is by this logic that
+# we include rules such as this BEFORE all the remaining rules.  As a result
+# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS is designed to load FIRST.
+#
+# As a general rule:
+# ctl:ruleEngine            -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveById        -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByMsg       -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveByTag       -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetById  -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByMsg -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+# ctl:ruleRemoveTargetByTag -> place in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
+#
+# SecRuleRemoveById         -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByMsg        -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleRemoveByTag        -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateActionById   -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetById   -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByMsg  -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+# SecRuleUpdateTargetByTag  -> place in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
+#
+#
+# What follows are a group of examples that show you how to perform rule
+# exclusions.
+#
+#
+# Example Exclusion Rule: Disable inspection for an authorized client
+#
+# This ruleset allows you to control how ModSecurity will handle traffic
+# originating from Authorized Vulnerability Scanning (AVS) sources.  See
+# related blog post -
+# http://blog.spiderlabs.com/2010/12/advanced-topic-of-the-week-handling-authorized-scanning-traffic.html
+#
+# White-list ASV network block (no blocking or logging of AVS traffic) Update
+# IP network block as appropriate for your AVS traffic
+#
+# ModSec Rule Exclusion: Disable Rule Engine for known ASV IP
+# SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \
+#     "phase:1,id:1000,pass,nolog,ctl:ruleEngine=Off"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+#                         for an individual rule
+#
+# This rule shows how to conditionally exclude the "password"
+# parameter for rule 942100 when the REQUEST_URI is /index.php
+# ModSecurity Rule Exclusion: 942100 SQL Injection Detected via libinjection
+#
+# SecRule REQUEST_URI "@beginsWith /index.php" \
+#    "id:1001,phase:1,pass,nolog, \
+#     ctl:ruleRemoveTargetById=942100;ARGS:password"
+#
+#
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+#                         for only certain attacks
+#
+# Attack rules within the CRS are tagged, with tags such as 'attack-lfi',
+# 'attack-sqli', 'attack-xss', 'attack-injection-php', et cetera.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+#                             for all rules tagged attack-sqli
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+#     "id:1002,phase:request,pass,nolog,\
+#     ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:pwd"
+#
+
+# Example Exclusion Rule: Removing a specific ARGS parameter from inspection
+#                         for all CRS rules
+#
+# This rule illustrates that we can use tagging very effectively to whitelist a
+# common false positive across an entire ModSecurity instance. This can be done
+# because every rule in OWASP_CRS is tagged with OWASP_CRS. This will NOT
+# affect custom rules.
+#
+# ModSecurity Rule Exclusion: Disable inspection of ARGS:pwd
+#                             for all CRS rules
+# SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
+#     "id:1003,phase:request,pass,nolog,\
+#     ctl:ruleRemoveTargetByTag=CRS;ARGS:pwd"
+
+#
+# Example Exclusion Rule: Removing a range of rules
+#
+# This rule illustrates that we can remove a rule range via a ctl action.
+# This uses the fact, that rules are grouped by topic in rule files covering
+# a certain id range.
+#
+# ModSecurity Rule Exclusion: Disable all SQLi and XSS rules
+# SecRule REQUEST_FILENAME "@beginsWith /admin" \
+#     "id:1004,phase:request,pass,nolog,\
+#     ctl:ruleRemoveById=941000-942999"
+#
+#
+# The application specific rule exclusion files
+# REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
+# REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
+# bring additional examples which can be useful then tuning a service.

SiteWeb/Fichiers de conf/modsecurity.d/rules/REQUEST-901-INITIALIZATION.conf

+# ------------------------------------------------------------------------
+# OWASP ModSecurity Core Rule Set ver.3.0.0
+# Copyright (c) 2006-2016 Trustwave and contributors. All rights reserved.
+#
+# The OWASP ModSecurity Core Rule Set is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# This file REQUEST-901-INITIALIZATION.conf initializes the Core Rules
+# and performs preparatory actions. It also fixes errors and omissions
+# of variable definitions in the file crs-setup.conf.
+# The setup.conf can and should be edited by the user, this file
+# is part of the CRS installation and should not be altered.
+#
+
+
+#
+# -=[ Rules Version ]=-
+#
+# Rule version data is added to the "Producer" line of Section H of the Audit log:
+#
+# - Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
+#
+# Ref: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecComponentSignature
+#
+SecComponentSignature "OWASP_CRS/3.0.0"
+
+
+#
+# -=[ Default setup values ]=-
+#
+# The CRS checks the tx.crs_setup_version variable to ensure that the setup
+# file is included at the correct time. This detects situations where
+# necessary settings are not defined, for instance if the file
+# inclusion order is incorrect, or if the user has forgotten to
+# include the crs-setup.conf file.
+#
+# If you are upgrading from an earlier version of the CRS and you are
+# getting this error, please make a new copy of the setup template
+# crs-setup.conf.example to crs-setup.conf, and re-apply your policy
+# changes. There have been many changes in settings syntax from CRS2
+# to CRS3, so an old setup file may cause unwanted behavior.
+#
+# If you are not planning to use the crs-setup.conf template, you must
+# manually set the tx.crs_setup_version variable before including
+# the CRS rules/* files.
+#
+# The variable is a numerical representation of the CRS version number.
+# E.g., v3.0.0 is represented as 300.
+#
+
+SecRule &TX:crs_setup_version "@eq 0" \
+    "id:901001,\
+    phase:1,\
+    auditlog,\
+    log,\
+    deny,\
+    status:500,\
+    severity:CRITICAL,\
+    msg:'ModSecurity Core Rule Set is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before including the CRS rules. See the INSTALL file in the CRS directory for detailed instructions.'"
+
+
+#
+# -=[ Default setup values ]=-
+#
+# Some constructs or individual rules will fail if certain parameters
+# are not set in the setup.conf file. The following rules will catch
+# these cases and assign sane default values.
+#
+
+# Default Inbound Anomaly Threshold Level (rule 900110 in setup.conf)
+SecRule &TX:inbound_anomaly_score_threshold "@eq 0" \
+    "id:901100,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.inbound_anomaly_score_threshold=5"
+
+# Default Outbound Anomaly Threshold Level (rule 900110 in setup.conf)
+SecRule &TX:outbound_anomaly_score_threshold "@eq 0" \
+    "id:901110,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.outbound_anomaly_score_threshold=4"
+
+# Default Paranoia Level (rule 900000 in setup.conf)
+SecRule &TX:paranoia_level "@eq 0" \
+    "id:901120,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.paranoia_level=1"
+
+# Default Sampling Percentage (rule 900400 in setup.conf)
+SecRule &TX:sampling_percentage "@eq 0" \
+    "id:901130,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.sampling_percentage=100"
+
+# Default Anomaly Scores (rule 900100 in setup.conf)
+SecRule &TX:critical_anomaly_score "@eq 0" \
+    "id:901140,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.critical_anomaly_score=5"
+
+SecRule &TX:error_anomaly_score "@eq 0" \
+    "id:901141,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.error_anomaly_score=4"
+
+SecRule &TX:warning_anomaly_score "@eq 0" \
+    "id:901142,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.warning_anomaly_score=3"
+
+SecRule &TX:notice_anomaly_score "@eq 0" \
+    "id:901143,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.notice_anomaly_score=2"
+
+# Default do_reput_block
+SecRule &TX:do_reput_block "@eq 0" \
+    "id:901150,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.do_reput_block=0"
+
+# Default block duration
+SecRule &TX:reput_block_duration "@eq 0" \
+    "id:901152,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:tx.reput_block_duration=300"
+
+# Default HTTP policy: allowed_methods (rule 900200)
+SecRule &TX:allowed_methods "@eq 0" \
+    "id:901160,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
+
+# Default HTTP policy: allowed_request_content_type (rule 900220)
+SecRule &TX:allowed_request_content_type "@eq 0" \
+    "id:901162,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|text/plain'"
+
+# Default HTTP policy: allowed_http_versions (rule 900230)
+SecRule &TX:allowed_http_versions "@eq 0" \
+    "id:901163,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
+
+# Default HTTP policy: restricted_extensions (rule 900240)
+SecRule &TX:restricted_extensions "@eq 0" \
+    "id:901164,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
+
+# Default HTTP policy: restricted_headers (rule 900250)
+SecRule &TX:restricted_headers "@eq 0" \
+    "id:901165,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
+
+# Default HTTP policy: static_extensions (rule 900260)
+SecRule &TX:static_extensions "@eq 0" \
+    "id:901166,\
+    phase:1,\
+    pass,\
+    nolog,\
+    setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
+
+
+#
+# -=[ Initialize internal variables ]=-
+#
+
+# Initialize anomaly scoring variables.
+# All _score variables start at 0, and are incremented by the various rules
+# upon detection of a possible attack.
+# sql_error_match is used for shortcutting rules for performance reasons.
+
+SecAction \
+ "id:901200,\
+  phase:1,\
+  nolog,\
+  pass,\
+  t:none,\
+  setvar:tx.anomaly_score=0,\
+  setvar:tx.sql_injection_score=0,\
+  setvar:tx.xss_score=0,\
+  setvar:tx.rfi_score=0,\
+  setvar:tx.lfi_score=0,\
+  setvar:tx.rce_score=0,\
+  setvar:tx.php_injection_score=0,\
+  setvar:tx.http_violation_score=0,\
+  setvar:tx.session_fixation_score=0,\
+  setvar:tx.inbound_anomaly_score=0,\
+  setvar:tx.outbound_anomaly_score=0,\
+  setvar:tx.sql_error_match=0"
+
+
+#
+# -=[ Initialize collections ]=-
+#
+# Create both Global and IP collections for rules to use.
+# There are some CRS rules that assume that these two collections
+# have already been initiated.
+#
+
+SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
+  "id:901318, \
+  phase:1, \
+  t:none,t:sha1,t:hexEncode, \
+  setvar:tx.ua_hash=%{matched_var}, \