coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

SecGeoLookupDb Not Working with Owasp CRS 4.5 Nginx Image #286

Closed Dr-Lazarus-V2 closed 1 month ago

Dr-Lazarus-V2 commented 1 month ago

Issue: Lack of GeoLocation Support in OWASP CRS 4.5 Nginx Image

Description:

The OWASP CRS 4.5 Nginx Docker image, which is built on top of ModSecurity v3, is currently compiled with the following configuration flags:

    ./configure --with-yajl --with-ssdeep --with-geoip --with-pcre2 --enable-silent-rules

However, it appears that support for GeoLocation lookups is missing from this configuration, as the SecGeoLookupDb directive fails to load the GeoIP database. Specifically, the --with-maxmind flag seems to be missing, which is necessary for enabling MaxMind GeoIP database support.

Problem:

When trying to use the following configuration in ModSecurity:

    SecGeoLookupDb /path/to/GeoLite2-Country.mmdb

ModSecurity fails to load the database, resulting in the inability to block traffic based on GeoLocation. This issue affects users who need GeoIP-based rules for their Web Application Firewall (WAF) using the CRS 4.5 Nginx image.

Steps to Reproduce:

  1. Use the OWASP CRS 4.5 Nginx image.
  2. Configure SecGeoLookupDb to point to a valid GeoIP database (e.g., /path/to/GeoLite2-Country.mmdb).
  3. Attempt to block traffic based on GeoLocation rules.
  4. Observe that the GeoIP database fails to load, and GeoLocation-based blocking is unavailable.
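The following is an added example of what a GeoLocation-based rule set for the image looks like, written by the editor and not taken from the issue or from the project's files; the database path, the rule ids (10001 and 10002) and the two-letter country codes XX and YY are placeholders. It is the kind of configuration the reporter's steps 2 and 3 refer to: the directive on the first line is what fails to load when libmodsecurity is built without MaxMind support, and nothing below it can then populate the GEO collection.

```apacheconf
# Load a MaxMind GeoLite2/GeoIP2 country database (placeholder path).
# On a libmodsecurity build without MaxMind support this line is the one
# that fails at configuration load, which is the symptom reported above.
SecGeoLookupDb /path/to/GeoLite2-Country.mmdb

# Phase 1: resolve the client address and fill the GEO collection
# (GEO:COUNTRY_CODE and friends). The rule itself takes no action.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:10001,phase:1,pass,nolog,t:none"

# Deny requests whose resolved country is on a constructed deny list.
# XX and YY are placeholders, not real country codes.
SecRule GEO:COUNTRY_CODE "@pm XX YY" \
    "id:10002,phase:1,deny,status:403,log,\
    msg:'Request from blocked country %{GEO.COUNTRY_CODE}'"
```

Two things worth checking before relying on such rules: the second rule only fires if the first one ran and the database actually loaded, so a silently skipped SecGeoLookupDb turns the block into a no-op rather than an error at request time; and REMOTE_ADDR must hold the real client address, so a deployment behind a reverse proxy needs the proxy to pass it through, otherwise every request resolves to the proxy's own location.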

Dr-Lazarus-V2 commented 1 month ago

I have a proposed solution to update the following file: modsecurity-crs-docker/nginx/Dockerfile

  1. Added libmaxminddb-dev to the list of installed packages:

    libmaxminddb-dev
  2. Modified the ModSecurity configuration to include --with-maxmind:

    ./configure --with-yajl --with-ssdeep --with-geoip --with-pcre2 --with-maxmind --enable-silent-rules;
  3. Added libmaxminddb-dev to the additional packages:

    libmaxminddb-dev

These are the main changes reflecting the use of maxmind for GeoIP lookups instead of the previous geoip module.

theseion commented 1 month ago

Thanks @Dr-Lazarus-V2.

fzipi commented 1 month ago

Thanks @Dr-Lazarus-V2 . Can you provide a patch for nginx/Dockerfile, nginx/Dockerfile-alpine and openresty/Dockerfile-alpine? Thanks! 🚀

Dr-Lazarus-V2 commented 1 month ago

@fzipi, How do I provide a patch?

fzipi commented 1 month ago

Yes, can you? Just editing the files in the web interface will guide you in the process...

Dr-Lazarus-V2 commented 1 month ago

Okiee, I will try and raise a patch today.

fzipi commented 1 month ago

Fixed by #288.