dev-sec / nginx-baseline

DevSec Nginx Baseline - InSpec Profile
https://dev-sec.io/baselines/nginx/
Apache License 2.0

nginx parsed config as attribute #44

Open micheelengronne opened 3 years ago

micheelengronne commented 3 years ago

It is useful if you want to test an nginx install where configurations are not in the standard directory.

micheelengronne commented 3 years ago

@rndmh3ro What do you think? The first travis failed because it deactivated itself (weirdly detecting a non-existing more recent build).

rndmh3ro commented 3 years ago

So you want to test nginx-configs that do not get loaded by the running nginx? nginx -T dumps all used configuration, so I'm not sure where this PR helps exactly.

micheelengronne commented 3 years ago

nginx -T dumps all used configurations when nginx is daemonized. It does not find any config outside the defaults when nginx is not daemonized (typically in a container). So I would like the possibility to change the command in this case.

For instance: nginx -T -c /path/of/the/used/config

rndmh3ro commented 3 years ago

> nginx -T dumps all used configurations when nginx is daemonized.

This seems to be not correct.

I just ran docker run nginx:latest (where nginx is not daemonized), exec'd into the container and ran nginx -T. It dumped the configuration from /etc/nginx/. I also ran nginx -T on a server where nginx was not running (but installed) and it also dumped the configuration.

> For instance: nginx -T -c /path/of/the/used/config

This seems like a valid case to test. However shouldn't we then do something like this:

```ruby
nginx_parsed_config = attribute('nginx_parsed_config', value: command('nginx -T -c $PARAMETER_FOR_PATH_TO_NGINX_CONF').stdout, description: 'Default nginx test command')
```

If we just use the contents of a file to test it, how should we be sure that we test the whole configuration? The above way would also validate the config.

micheelengronne commented 3 years ago

Indeed.

For instance, my personal use case is an nginx path present in /home/www-data/.config/nginx. I respect the XDG Base Directory Specification and I run nginx with a non-root user (www-data in that case). The current tests do not pass as they do not detect this particular config path.

I build my container with this command: CMD ["nginx", "-c", "/home/www-data/.config/nginx/nginx.conf", "-g", "daemon off;"]

As nginx.conf loads every other config used by the nginx process, loading it with nginx -T should be OK? Don't you think?
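The attribute proposed above, worked through as an added Ruby example that is not part of the nginx-baseline profile or either commenter's code: it builds the `nginx -T` command from a hypothetical `nginx_conf_path` value (rejecting characters that could escape the shell command the attribute interpolates into), then parses an `nginx -T` dump, which prefixes every loaded file with a `# configuration file <path>:` line, so a control can assert that the expected file was really loaded instead of just reading a file off disk. `SAMPLE_DUMP` is constructed here from the XDG-style path in the discussion, not captured output from any system.

```ruby
# Added example, not code from dev-sec/nginx-baseline.

# Build the command that would back the attribute's default value.
# conf_path stands for a hypothetical `nginx_conf_path` input; nil means
# "use the compiled-in default", which is what plain `nginx -T` does.
def nginx_dump_command(conf_path = nil)
  return 'nginx -T' if conf_path.nil? || conf_path.empty?
  # The path is interpolated into a shell command line by InSpec's
  # command() resource, so refuse anything outside a conservative charset.
  unless conf_path.match?(%r{\A[\w./-]+\z})
    raise ArgumentError, "unsafe characters in nginx config path #{conf_path.inspect}"
  end
  "nginx -T -c #{conf_path}"
end

# Parse an `nginx -T` dump into { loaded_file_path => [directive lines] }.
# nginx marks each file it loaded with "# configuration file <path>:";
# other comments and blank lines are dropped.
def parse_nginx_dump(dump)
  files = {}
  current = nil
  dump.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A# configuration file (.+):\z/))
      current = m[1]
      files[current] = []
    elsif current && !line.empty? && !line.start_with?('#')
      files[current] << line
    end
  end
  files
end

# Collect every value of a simple directive (e.g. server_tokens) across
# all loaded files, in the order nginx dumped them.
def directive_values(files, name)
  files.values.flatten.filter_map do |line|
    m = line.match(/\A#{Regexp.escape(name)}\s+(.+?);\z/)
    m && m[1]
  end
end

# True when the dump proves that nginx actually loaded the given file.
def config_loaded?(files, path)
  files.key?(path)
end

# Constructed sample resembling `nginx -T -c /home/www-data/.config/nginx/nginx.conf`
# output; the include pulls in a second file that re-enables server_tokens.
SAMPLE_DUMP = <<~DUMP
  # configuration file /home/www-data/.config/nginx/nginx.conf:
  worker_processes auto;
  events { worker_connections 1024; }
  http {
      server_tokens off;
      include /home/www-data/.config/nginx/conf.d/*.conf;
  }

  # configuration file /home/www-data/.config/nginx/conf.d/site.conf:
  server {
      listen 8080;
      server_tokens on;
  }
DUMP

if __FILE__ == $PROGRAM_NAME
  files = parse_nginx_dump(SAMPLE_DUMP)
  puts nginx_dump_command('/home/www-data/.config/nginx/nginx.conf')
  puts "loaded files: #{files.keys.join(', ')}"
  puts "server_tokens values: #{directive_values(files, 'server_tokens').inspect}"
end
```

Running the block prints the command with the `-c` path, both loaded file paths, and `["off", "on"]` for `server_tokens`; the second value only shows up because the dump includes files pulled in via `include`, which is the reason to feed the profile `nginx -T` output rather than the contents of a single file.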

rndmh3ro commented 3 years ago

I'm not exactly sure what you're asking now.

What do you think about my idea?

```ruby
nginx_parsed_config = attribute('nginx_parsed_config', value: command('nginx -T -c $PARAMETER_FOR_PATH_TO_NGINX_CONF').stdout, description: 'Default nginx test command')
```

micheelengronne commented 3 years ago

I think it should work.