Closed Clement-Ruiz closed 5 years ago
Clement-Ruiz
commented
6 years ago Well, actually, the configuration contained in a virtual host seems to be parsed, but ignored. And this, regardless of which of modsecurity_rules or modsecurity_rules_file directive you're using.
I can confirm that modsecurity is working because default configuration is applied. But I can't override it for specific vhosts. Or am I missing something ?
victorhora
commented
6 years ago Hi @Clement-Ruiz, thanks for your report.
So the issue you reported only happens when trying to load ModSecurity-apache from a VirtualHost configuration? It works fine outside VirtualHost?
I don't think this should cause the syntax issues you're mentioning but wondering if your configuration might be missing the: modsecurity on, directive prior to loading the rules with modsecurity_rules_file directive?
PS: This reminds me, the README file from this project is missing some Usage advice :)
Clement-Ruiz
commented
6 years ago Hello. Thank you for your reply.
The actual default modsecurity configuration is loaded as I can trigger a rule, logging it to /var/log/apache2/audit_security.log (the default path in the modsec recommended config file that atm).
I didn't try to use the modsecurity directive itself because I though this was Nginx-only keyword, and this line in the Dockerfile I followed to install Modsec is not using it, as instead it uses a modsecurity_rules SecRuleEngine On directive instead.
Edit : That being said, the above line is successfully overridden by the SecRuleEngine Detection-Only written in the recommanded config file.
My server is configured in Detection Only mode, and I want to make it blocking for one vhost, and log in a dedicated file.
PS : Please Sir :)
victorhora
commented
6 years ago Hey @Clement-Ruiz, modsecurity on is supported here and evaluated here ;)
But yes, SecRuleEngine might overwrite that directive as well.
Please confirm if the tabulation errors doesn't happen if you rebuild ModSecurity-apache without the Dockerfile.
Clement-Ruiz
commented
6 years ago @victorhora About modsecurity on, sorry about that, I'm not ~really~ a C developper, I didn't take a close look at the code.
I confirm the tabulations error. I did not use the Docker image built with this dockerfile, I used the steps described in it to install Modsec on a Ubuntu 18.04 Virtual Machine, so it's actually easy to reproduce. I also tested the docker image, and the same bug is appearing.
Remember that \n errors appears in vhost config while modsecurity* are invoked and followed by an empty line.
Also, \t errors appears in the imported files into the vhost config. (Hope I'm clear enough, don't hesitate to ask me if I'm not :) )
zimmerle
commented
5 years ago Hi,
I was investigating that issue and notice the exactly same behavior as a consequence of the strict security policy on Linux (SELinux, APPArmor, etc...) whenever you don't have permission to either read or write (audit log case) the Apache fails to load.
The \n is in fact added by libModSecurity to pretty print the error message.
I am closing that issue because I am assuming that it is related to permissions. Please double check your permissions and feel free to re-open in case you found something weird.
porjo
commented
5 years ago I've also run into the issue reported by @Clement-Ruiz regarding tabs in the input:
AH00526: Syntax error on line 7 of /usr/local/apache24/conf/modsecurity.conf:
Rules error. File: /usr/local/apache24/conf/modsecurity_rules.conf. Line: 33. Column: 58. Invalid input: SecAuditLog \t\t\t/usr/local/apache24/logs/modsec_audit.logI think tabs should be supported, so I would consider this a bug. Would the fix be with the connector or libModSecurity ?
victorhora
commented
5 years ago @porjo this is weird indeed.
You can check if the issue with "\t" happens with the Nginx-connector or with the test tools of libModSecurity to have a clue of where the issue lies (connector or library).
Also, does Apache supports "\t" on the configuration directives? If not, the Apache-connector might have a hard time supporting it as well.
porjo
commented
5 years ago I've tested with Nginx connector and have the same problem. I've opened SpiderLabs/ModSecurity#2006 now.
victorhora
commented
5 years ago For historical purposes, the limitation with "\t" was addressed here: https://github.com/SpiderLabs/ModSecurity/commit/dc78c0e180d09aa1b2f0ffad1a8d6967e69f984f
Hello.
I managed to successfully install libModsecurity and make it work with apache2 :
I followed the steps described in this Dockerfile.
However I encountered some dysfunctions while configuring my virtual hosts, that I think should be reported. My virtualHost use the "modsecurity_rules_file" directive pointing to a
security.conf, as following :I figured out that if this line is followed by a empty line, this error is shown in the journalctl :
Removing the empty line make the path correct, so my configuration was successfully imported. However , the file was still not parsed correctly, as show the following
journalctlerror messageI managed to make it work removing the tabulations in my file and replacing them by white spaces.
My VHost File :
Imported security.conf :
PS : Thank you for this great library :)