kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

Unable to override SecRequestBodyAccess in ingress annotation #5612

Closed dcherniv closed 4 years ago

dcherniv commented 4 years ago

NGINX Ingress controller version: 0.31.1

Kubernetes version (use kubectl version): 1.15.x EKS

Environment: AWS

What happened: modsecurity denies requests that are larger than the default body size, which is 13MB

2020/05/28 14:29:17 [error] 4449#4449: *3867114 Request body limit is marked to reject the request, client: 100.35.16.34, 

Even with the following annotation in place on the ingress resource:

    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine RelevantOnly
      SecAuditLogFormat JSON
      SecAuditLogType Serial
      SecAuditLog /dev/stdout
      SecRuleRemoveById 949110
      SecRuleRemoveById 200003
      SecRequestBodyAccess Off
      SecRule REQUEST_HEADERS:User-Agent "fern-scanner" "log,deny,id:107,status:403,msg:'Fern Scanner Identified'"

What you expected to happen: Request body processing to be disabled on the ingress resource.

How to reproduce it: Enable modsecurity with the following annotation and try to post a large file. /kind bug

aledbf commented 4 years ago

@dcherniv I am awaiting feedback from the modsecurity project: https://github.com/SpiderLabs/ModSecurity-nginx/issues/183. Not their issue, but the same conditions.

dcherniv commented 4 years ago

@aledbf ah, that makes sense. This issue is strange in that I can in fact override some variables but not others. For example, the following annotation does bump the body limit:

    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRequestBodyLimit 20000000
      [...]

SecRequestBodyAccess Off in annotations has no effect, however. Just thought I'd add my findings here, in case someone else bumps into the same issue.
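
The two findings above (SecRequestBodyLimit can be raised from the annotation, SecRequestBodyAccess Off is silently ignored, and the controller logs "Request body limit is marked to reject the request" for oversized uploads) are easy to lose track of across many Ingress objects. The script below is an added example, not code from ingress-nginx or ModSecurity: it parses a modsecurity-snippet, reports the effective body limit against the largest upload an application needs, flags a SecRequestBodyAccess Off that would turn body rules into no-ops, and counts body-limit rejections per client in the nginx error log. The snippet, the log lines, the client IPs and the DEFAULT_BODY_LIMIT constant (ModSecurity's documented default of 13107200 bytes, the "13MB" from the report) are constructed for the example.

```python
"""Lint an ingress-nginx modsecurity-snippet and spot body-limit rejections in the nginx error log.

Added example, not ingress-nginx or ModSecurity project code. Assumptions:
- the snippet is the literal block of the nginx.ingress.kubernetes.io/modsecurity-snippet annotation
- DEFAULT_BODY_LIMIT is ModSecurity's documented default SecRequestBodyLimit (13107200 bytes)
- the log line shape follows the nginx error line quoted in the issue; sample lines are constructed
"""
import re
import shlex

DEFAULT_BODY_LIMIT = 13_107_200  # ModSecurity default SecRequestBodyLimit, the "13MB" in the issue

# Constructed snippet, modelled on the annotation in the issue.
SAMPLE_SNIPPET = """\
SecRuleEngine On
SecAuditEngine RelevantOnly
SecRuleRemoveById 949110
SecRequestBodyAccess Off
SecRule REQUEST_HEADERS:User-Agent "fern-scanner" "log,deny,id:107,status:403,msg:'Fern Scanner Identified'"
"""

# Constructed error-log excerpt (documentation-range IPs); the first field layout is nginx's.
SAMPLE_LOG = """\
2020/05/28 14:29:17 [error] 4449#4449: *3867114 Request body limit is marked to reject the request, client: 192.0.2.10, server: _, request: "POST /upload HTTP/1.1"
2020/05/28 14:29:18 [error] 4449#4449: *3867115 ModSecurity: Warning. Matched "Operator `Rx' with parameter", client: 198.51.100.7, server: _
2020/05/28 14:29:20 [error] 4449#4449: *3867120 Request body limit is marked to reject the request, client: 192.0.2.10, server: _, request: "POST /upload HTTP/1.1"
"""

BODY_LIMIT_RE = re.compile(
    r"\[error\] \d+#\d+: \*\d+ Request body limit is marked to reject the request, "
    r"client: (?P<client>[0-9a-fA-F.:]+)"
)


def parse_snippet(snippet):
    """Return a list of (directive, [args]) tuples, skipping blank and comment lines.

    shlex handles the quoted operator and action strings of SecRule lines, including a
    single-quoted msg inside the double-quoted action list.
    """
    directives = []
    for raw in snippet.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        directives.append((parts[0], parts[1:]))
    return directives


def effective_body_limit(directives):
    """Last SecRequestBodyLimit wins, as ModSecurity applies them; default when absent."""
    limit = DEFAULT_BODY_LIMIT
    for name, args in directives:
        if name == "SecRequestBodyLimit" and args:
            limit = int(args[0])
    return limit


def lint_snippet(snippet, max_upload_bytes):
    """Return findings for a snippet, given the largest request body the application must accept."""
    directives = parse_snippet(snippet)
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        if name == "SecRequestBodyAccess" and args and args[0].lower() == "off":
            # Body inspection disabled: body-phase rules no longer see anything.
            findings.append("SecRequestBodyAccess Off: request bodies are not inspected")
    limit = effective_body_limit(directives)
    if limit < max_upload_bytes:
        findings.append(
            f"SecRequestBodyLimit {limit} is below the required {max_upload_bytes} bytes; "
            "larger uploads are rejected"
        )
    if "SecRuleEngine" not in names:
        findings.append("SecRuleEngine not set in snippet; engine mode is inherited")
    return findings


def body_limit_rejections(log_text):
    """Count body-limit rejections per client IP from nginx error-log text.

    A burst of these from ordinary clients right after enabling ModSecurity is the
    misconfiguration from the issue (limit too low), not an attack signal.
    """
    counts = {}
    for line in log_text.splitlines():
        match = BODY_LIMIT_RE.search(line)
        if match:
            counts[match["client"]] = counts.get(match["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in lint_snippet(SAMPLE_SNIPPET, 20_000_000):
        print("finding:", finding)
    print("rejections per client:", body_limit_rejections(SAMPLE_LOG))
```

Feed `lint_snippet` the snippet text from `kubectl get ingress <name> -o jsonpath` and the log text from `kubectl logs` on the controller pod; raising SecRequestBodyLimit keeps body inspection active, whereas turning off SecRequestBodyAccess would remove it entirely even where the controller honoured it.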

aledbf commented 4 years ago

@dcherniv at this point, because of all the issues, I am considering extracting the mod-security feature to a sidecar. This is the start of the POC: https://github.com/aledbf/blockade

dcherniv commented 4 years ago

@aledbf bummer. We just finished switching from lua-resty WAF to modsecurity :) But happy to see there's work being done on WAF at the ingress controller level still. Let me know if you need help testing the new project.

aledbf commented 4 years ago

@dcherniv just to be clear, this is just a POC, and if we do something, no change to what you have now for ModSecurity would be required. That is a deal-breaker for me. The only change should be an additional container in the deployment/daemonset definition.

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot commented 4 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

fejta-bot commented 4 years ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /close

k8s-ci-robot commented 4 years ago

@fejta-bot: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/5612#issuecomment-716209974):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
>
> Send feedback to sig-testing, kubernetes/test-infra and/or [fejta](https://github.com/fejta).
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.