kubernetes / ingress-nginx

Ingress-NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Having both libmaxminddb-dev and geoip-dev in Ingress-Nginx makes geo database not work with ModSecurity #11738

Closed K-izme closed 1 month ago

K-izme commented 1 month ago

What happened:

I used ModSecurity with GeoLite2-City.mmdb in ingress-nginx to restrict access from some country. In the ModSecurity debug log, it shows a message: "Database is not open. Use: SecGeoLookupDb directive." And in the ingress-nginx log, there is a line: "The GeoIP2 feature is enabled but the databases are missing. Disabling". I used the Maxmind database. It's all fine when I tested on my local machine, but when I brought it to my server to test it again, it won't work anymore. There's not much difference between my test on the local machine and on my server. Then I tried to use the geoip module with GeoLiteCity.dat but still got this issue. I'm sure that it exists in the right folder.

What you expected to happen:

The database is open and ModSecurity can read it. I think this problem was mentioned in [this issue](https://github.com/owasp-modsecurity/ModSecurity/issues/2041) and #6450. I tried to rollout restart the deployment, but it was no use.

NGINX Ingress controller version :

Helm chart 4.7.5, ingress-nginx-controller version 1.8.5

Kubernetes version:

v1.24.6

Environment:

How to reproduce this issue: Create a PV and PVC and mount them to ingress-nginx-controller at /etc/nginx/geoipmmdb, download the Maxmind Lite City database. Apply the annotation and then restart the deployment of ingress-nginx.


k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

longwuyuan commented 1 month ago

/remove-kind bug /kind support

I have tested recently and the download option for the db works. So there is no problem with the controller I know. https://github.com/kubernetes/ingress-nginx/issues/11320

The reason for your config of a mounted volume not working could be one of many factors. Unless you can write a detailed step-by-step procedure and not a simple overview of the reproduce process, I think it will be difficult to understand the root cause.

longwuyuan commented 1 month ago

/retitle maxmind database mount not working

longwuyuan commented 1 month ago

The automatic download option is keeping the db file here:

```
/etc/nginx $ find / -name "GeoLite2*" 2>/dev/null
/etc/ingress-controller/geoip/GeoLite2-ASN.mmdb
/etc/ingress-controller/geoip/GeoLite2-City.mmdb
/etc/nginx $ 
```

so you may want to check the docs too https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-geoip2
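A quick way to confirm the two facts the thread turns on (is a usable .mmdb actually at the path the controller reads, and did the controller log the "databases are missing" line) is the diagnostic script below. This is an added example, not code from ingress-nginx or from anyone in this thread; the default directory `/etc/ingress-controller/geoip` is taken from the `find` output above and is an assumption for custom mounts, and the metadata marker check only verifies that the file carries the MaxMind DB metadata trailer, not that its contents are current.

```shell
#!/bin/sh
# Added diagnostic, not part of ingress-nginx. Verifies that a GeoIP2 (.mmdb)
# database is where the controller expects it and scans a saved controller
# log for the "databases are missing" message quoted in this issue.
# Default directory assumed from the find output in the thread; a custom
# volume mount may use a different path, so pass it explicitly.

GEOIP_DIR_DEFAULT="/etc/ingress-controller/geoip"

# check_geoip_dir DIR
# Returns 0 when DIR holds at least one readable *.mmdb file that carries the
# MaxMind DB metadata marker ("MaxMind.com" preceded by bytes AB CD EF) near
# its end, 1 otherwise. A file that exists but lacks the marker is usually a
# truncated or mis-copied download.
check_geoip_dir() {
  dir="${1:-$GEOIP_DIR_DEFAULT}"
  found=0
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
  for f in "$dir"/*.mmdb; do
    [ -f "$f" ] || continue          # no match: the glob stays literal
    if [ ! -r "$f" ]; then
      echo "unreadable: $f"
      continue
    fi
    # The metadata section is stored within the last 128 KiB of the file.
    if tail -c 131072 "$f" | grep -q 'MaxMind\.com'; then
      echo "ok: $f"
      found=1
    else
      echo "missing MaxMind metadata marker (truncated copy?): $f"
    fi
  done
  [ "$found" -eq 1 ]
}

# scan_controller_log FILE
# Returns 1 (and prints the offending lines) if the controller logged that the
# GeoIP2 databases are missing, 0 otherwise.
scan_controller_log() {
  if grep -F 'GeoIP2 feature is enabled but the databases are missing' "$1"; then
    return 1
  fi
  return 0
}

# Usage: sh geoip-check.sh [GEOIP_DIR] [CONTROLLER_LOG]
# (the log can be saved with: kubectl logs <controller-pod> > controller.log)
if [ "$#" -gt 0 ]; then
  check_geoip_dir "$1"
  rc=$?
  if [ -n "$2" ]; then
    scan_controller_log "$2" || rc=1
  fi
  exit "$rc"
fi
```

Run it inside the controller pod (`kubectl exec`) against the directory you mounted, or against the directory the auto-download uses; a non-zero exit from either function points at the same root cause the reporter hit: the database is not where the controller looks at the moment nginx reloads.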

K-izme commented 1 month ago

> /remove-kind bug
> /kind support
>
> I have tested recently and the download option for the db works. So there is no problem with the controller I know. https://github.com/kubernetes/ingress-nginx/issues/11320
>
> The reason for your config of a mounted volume not working could be one of many factors. Unless you can write a detailed step-by-step procedure and not a simple overview of the reproduce process, I think it will be difficult to understand the root cause.

I found out that my backend of ingress-nginx reloads twice due to some change when I rollout restart the deployment. That's why I have this problem. The problem with the reload causing the db not to work is described in this issue.

K-izme commented 1 month ago

When I updated to ingress-nginx-controller v1.10.0, it doesn't have both libmaxminddb-dev and geoip-dev. Then this error doesn't happen anymore. Now I can restrict IPs from another country. See the comment from @victorhora here.