From 36018862aa653d3b559206e425f2ea5853b16561 Mon Sep 17 00:00:00 2001
From: Julien Godin
Date: Tue, 27 Feb 2024 15:48:39 +0100
Subject: [PATCH] bugfix: fix the vhost security configuration
The modified variable was never passed to the template, resulting in a bad configuration of the vhost security if secrule were removed.
Signed-off-by: Julien Godin
---
 manifests/vhost.pp | 8 ++++----
 templates/vhost/_security.epp | 2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 60f835673d..4bac8c75dd 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -2828,14 +2828,14 @@
 }
 }
- if $modsec_disable_vhost or $modsec_disable_ids or !empty($modsec_disable_ips) or $modsec_disable_msgs or $modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
+ if $modsec_disable_vhost or $_modsec_disable_ids or !empty($_modsec_disable_ips) or $_modsec_disable_msgs or $_modsec_disable_tags or $modsec_audit_log_destination or ($modsec_inbound_anomaly_threshold and $modsec_outbound_anomaly_threshold) or $modsec_allowed_methods {
 $security_params = {
 'modsec_disable_vhost' => $modsec_disable_vhost,
 'modsec_audit_log_destination' => $modsec_audit_log_destination,
- '_modsec_disable_ids' => $modsec_disable_ids,
+ '_modsec_disable_ids' => $_modsec_disable_ids,
 'modsec_disable_ips' => $modsec_disable_ips,
- '_modsec_disable_msgs' => $modsec_disable_msgs,
- '_modsec_disable_tags' => $modsec_disable_tags,
+ '_modsec_disable_msgs' => $_modsec_disable_msgs,
+ '_modsec_disable_tags' => $_modsec_disable_tags,
 'modsec_body_limit' => $modsec_body_limit,
 'modsec_inbound_anomaly_threshold' => $modsec_inbound_anomaly_threshold,
 'modsec_outbound_anomaly_threshold' => $modsec_outbound_anomaly_threshold,
diff --git a/templates/vhost/_security.epp b/templates/vhost/_security.epp
index 24d3b4a39c..00dfeabfa5 100644
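Review bot: The rewritten condition tests `!empty($_modsec_disable_ips)`, but the `$security_params` hash a few lines below still passes `'modsec_disable_ips' => $modsec_disable_ips`, and no assignment of `$_modsec_disable_ips` is visible in this hunk (the enclosing define starts and ends outside it). If that underscore variant is not set earlier in the manifest, the condition reads an undefined variable: catalog compilation fails under strict variable checking, and otherwise a vhost that sets only `modsec_disable_ips` never gets its security fragment rendered. Unless a normalised copy really exists, keep the original test, `!empty($modsec_disable_ips)`, so the guard and the hash refer to the same value. Because this block decides which ModSecurity rule exclusions a vhost receives, a spec test that sets each `modsec_disable_*` parameter on its own and checks the rendered fragment would catch this kind of mismatch.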
--- a/templates/vhost/_security.epp
+++ b/templates/vhost/_security.epp
@@ -1,6 +1,8 @@
 <% if $modsec_disable_vhost {-%>
 SecRuleEngine Off
+<% } else { -%>
+ SecRuleEngine On
 <% } -%>
 <% if $modsec_audit_log_destination {-%>
 SecAuditLog "<%= $modsec_audit_log_destination %>"