kubernetes / ingress-nginx

Ingress NGINX Controller for Kubernetes
https://kubernetes.github.io/ingress-nginx/
Apache License 2.0

"too long parameter" error on modsecurity-snippet #8032

Closed mac-chaffee closed 2 years ago

mac-chaffee commented 2 years ago

The modsecurity-snippet configmap value is a place to put custom modsecurity rules and exceptions, but these modsecurity rules can get pretty long and verbose. Since the entirety of modsecurity-snippet gets templated into nginx.conf inside a modsecurity_rules directive, that means there's a high chance of hitting the 4096 character maximum size for nginx parameters. (should probably be mentioned in the docs for this and other long snippets).

Instead of using modsecurity-snippet, one might consider using a new ConfigMap, which you could mount with extraVolumes/extraVolumeMounts in your helm values. However, this approach means you'd have to manually reload the nginx configuration, or restart all the pods, which leads to more downtime/connection resets.

A better solution would be something like this:

  1. Mount the value of modsecurity-snippet as a separate file inside the nginx container at /etc/nginx/modsecurity/modsecurity-snippet.conf or somewhere similar.
  2. Rather than including the literal value of modsecurity-snippet inside the directive modsecurity_rules: '...', include the following:

    modsecurity_rules: '
        # sha256sum:abcdef123...
        Include /etc/nginx/modsecurity/modsecurity-snippet.conf
    '

The above code will avoid the 4096-char limit while still supporting automatic reloads since the sha256sum will change whenever the content inside the configmap changes.
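The proposal above, as an added example that is not part of the original issue or of ingress-nginx's own code: a small Python script that renders the Include form of the directive with a content hash and compares its parameter length with the inline form against nginx's 4096-character limit. The snippet file path and the sample rules are constructed for the example.

```python
import hashlib

# nginx rejects a single configuration parameter longer than this with
# "too long parameter"; the whole quoted snippet counts as one parameter.
NGINX_MAX_PARAM_LEN = 4096

# Hypothetical path taken from the proposal; the controller does not write it today.
SNIPPET_PATH = "/etc/nginx/modsecurity/modsecurity-snippet.conf"


def inline_directive(snippet: str) -> str:
    """Current behaviour: the entire snippet is the directive's parameter."""
    return "modsecurity_rules '\n%s\n';" % snippet


def include_directive(snippet: str, path: str = SNIPPET_PATH) -> str:
    """Proposed behaviour: the parameter holds only a hash comment and an Include.
    The hash changes with the snippet content, so the rendered nginx.conf still
    differs and the controller still reloads; the rules themselves live in a file."""
    digest = hashlib.sha256(snippet.encode("utf-8")).hexdigest()
    return "modsecurity_rules '\n    # sha256sum:%s\n    Include %s\n';" % (digest, path)


def param_length(directive: str) -> int:
    """Characters between the single quotes, i.e. what nginx measures."""
    return directive.rindex("'") - directive.index("'") - 1


def fits_nginx_param(directive: str) -> bool:
    return param_length(directive) <= NGINX_MAX_PARAM_LEN


def sample_snippet(n_rules: int = 60) -> str:
    """Constructed sample: enough exclusion rules to exceed 4096 characters."""
    rule = ('SecRule REQUEST_URI "@beginsWith /healthz" '
            '"id:%d,phase:1,pass,nolog,ctl:ruleEngine=Off"\n')
    return "SecRuleEngine On\n" + "".join(rule % (900000 + i) for i in range(n_rules))


if __name__ == "__main__":
    snippet = sample_snippet()
    for name, directive in (("inline", inline_directive(snippet)),
                            ("include", include_directive(snippet))):
        print("%-7s parameter length %5d, fits=%s"
              % (name, param_length(directive), fits_nginx_param(directive)))
```

The same check can be run against a real ConfigMap value before applying it, since the inline form is what the controller templates today.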

k8s-ci-robot commented 2 years ago

@mac-chaffee: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

mac-chaffee commented 2 years ago

As a temporary workaround, I was able to accomplish what I wanted with the following helm values:

controller:
  extraVolumeMounts:
  - name: custom-modsecurity-rules
    mountPath: /etc/nginx/owasp-modsecurity-crs/custom/
  extraVolumes:
  - name: custom-modsecurity-rules
    configMap:
      # The controller ConfigMap rendered by the chart (name follows the release name)
      name: ingress-nginx-controller
      items:
      - key: long-modsecurity-snippet
        path: custom-modsecurity-rules.conf
  # The chart exposes the controller ConfigMap data as controller.config, not top-level config
  config:
    enable-modsecurity: "true"
    enable-owasp-modsecurity-crs: "true"
    modsecurity-snippet: |
      SecRuleEngine On
      # Increment this to force nginx to reload the rules when you change the configmap: 1.0.1
      Include /etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity-rules.conf
    # This isn't a supported configmap value because we actually mount it as a file.
    long-modsecurity-snippet: |
      # Put your custom rules here. Max size is ~1MB instead of 4KB

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 2 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-ci-robot commented 2 years ago

@k8s-triage-robot: Closing this issue.

In response to [this](https://github.com/kubernetes/ingress-nginx/issues/8032#issuecomment-1121689712):

> The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
>
> This bot triages issues and PRs according to the following rules:
> - After 90d of inactivity, `lifecycle/stale` is applied
> - After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied
> - After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed
>
> You can:
> - Reopen this issue or PR with `/reopen`
> - Mark this issue or PR as fresh with `/remove-lifecycle rotten`
> - Offer to help out with [Issue Triage][1]
>
> Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community).
>
> /close
>
> [1]: https://www.kubernetes.dev/docs/guide/issue-triage/

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.