Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11548)

Signed-off-by: jessebot <jessebot@linux.com>
Co-authored-by: jessebot <jessebot@linux.com>

docs/user-guide/third-party-addons/modsecurity.md

@@ -14,3 +14,97 @@ The default `Serial` value in SecAuditLogType can impact performance.
 The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
 The directory `/etc/nginx/owasp-modsecurity-crs` contains the [OWASP ModSecurity Core Rule Set repository](https://github.com/coreruleset/coreruleset).
 Using `enable-owasp-modsecurity-crs: "true"` we enable the use of the rules.
+
+## Supported annotations
+
+For more info on supported annotations, please see [annotations/#modsecurity](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
+
+## Example of using ModSecurity with plugins via the helm chart
+
+Suppose you have a ConfigMap that contains the contents of the [nextcloud-rule-exclusions plugin](https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/blob/main/plugins/nextcloud-rule-exclusions-before.conf) like this:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: modsecurity-plugins
+data:
+  empty-after.conf: |
+    # no data
+  empty-before.conf: |
+    # no data
+  empty-config.conf: |
+    # no data
+  nextcloud-rule-exclusions-before.conf:
+    # this is just a snippet
+    # find the full file at https://github.com/coreruleset/nextcloud-rule-exclusions-plugin
+    #
+    # [ File Manager ]
+    # The web interface uploads files, and interacts with the user.
+    SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
+        "id:9508102,\
+        phase:1,\
+        pass,\
+        t:none,\
+        nolog,\
+        ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+        ctl:ruleRemoveById=920420,\
+        ctl:ruleRemoveById=920440,\
+        ctl:ruleRemoveById=941000-942999,\
+        ctl:ruleRemoveById=951000-951999,\
+        ctl:ruleRemoveById=953100-953130,\
+        ctl:ruleRemoveByTag=attack-injection-php"
+```
+
+If you're using the helm chart, you can pass in the following parameters in your `values.yaml`:
+
+```yaml
+controller:
+  config:
+    # Enables Modsecurity
+    enable-modsecurity: "true"
+
+    # Update ModSecurity config and rules
+    modsecurity-snippet: |
+      # this enables the mod security nextcloud plugin
+      Include /etc/nginx/owasp-modsecurity-crs/plugins/nextcloud-rule-exclusions-before.conf
+
+      # this enables the default OWASP Core Rule Set
+      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
+
+      # Enable prevention mode. Options: DetectionOnly,On,Off (default is DetectionOnly)
+      SecRuleEngine On
+
+      # Enable scanning of the request body
+      SecRequestBodyAccess On
+
+      # Enable XML and JSON parsing
+      SecRule REQUEST_HEADERS:Content-Type "(?:text|application(?:/soap\+|/)|application/xml)/" \
+        "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+      SecRule REQUEST_HEADERS:Content-Type "application/json" \
+        "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+      # Reject if larger (we could also let it pass with ProcessPartial)
+      SecRequestBodyLimitAction Reject
+
+      # Send ModSecurity audit logs to the stdout (only for rejected requests)
+      SecAuditLog /dev/stdout
+
+      # format the logs in JSON
+      SecAuditLogFormat JSON
+
+      # could be On/Off/RelevantOnly
+      SecAuditEngine RelevantOnly
+
+  # Add a volume for the plugins directory
+  extraVolumes:
+    - name: plugins
+      configMap:
+        name: modsecurity-plugins
+
+  # override the /etc/nginx/enable-owasp-modsecurity-crs/plugins with your ConfigMap
+  extraVolumeMounts:
+    - name: plugins
+      mountPath: /etc/nginx/owasp-modsecurity-crs/plugins
+```