add modsecurity-snippet key

docs/user-guide/nginx-configuration/configmap.md

@@ -35,6 +35,7 @@ The following table shows a configuration option's name, type, and the default v
 |[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"|
 |[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"|
 |[enable-modsecurity](#enable-modsecurity)|bool|"false"|
+|[modsecurity-snippet](#modsecurity-snippet)|string|""|
 |[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"|
 |[client-header-buffer-size](#client-header-buffer-size)|string|"1k"|
 |[client-header-timeout](#client-header-timeout)|int|60|
@@ -221,6 +222,10 @@ Enables the modsecurity module for NGINX. _**default:**_ is disabled
 
 Enables the OWASP ModSecurity Core Rule Set (CRS). _**default:**_ is disabled
 
+## modsecurity-snippet
+
+Adds custom rules to modsecurity section of nginx configration
+
 ## client-header-buffer-size
 
 Allows to configure a custom buffer size for reading client request header.

internal/ingress/controller/config/config.go

@@ -133,6 +133,9 @@ type Configuration struct {
 	// By default this is disabled
 	EnableOWASPCoreRules bool `json:"enable-owasp-modsecurity-crs"`
 
+	// ModSecuritySnippet adds custom rules to modsecurity section of nginx configuration
+	ModsecuritySnippet string `json:"modsecurity-snippet"`
+
 	// ClientHeaderBufferSize allows to configure a custom buffer
 	// size for reading client request header
 	// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size

rootfs/etc/nginx/template/nginx.tmpl

@@ -143,6 +143,10 @@ http {
 
     {{ if $all.Cfg.EnableOWASPCoreRules }}
     modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
+    {{ else if (not (empty $all.Cfg.ModsecuritySnippet)) }}
+    modsecurity_rules '
+      {{ $all.Cfg.ModsecuritySnippet }}
+    ';
     {{ end }}
 
     {{ end }}