Closed d307473 closed 4 years ago
Apparently the modsecurity_rules inline directive seems to work without issues. Even filtering and blocking with the SecRule below seems to work as expected:
foo@debian ~ # cat /etc/nginx/nginx.conf
..
http {
..
modsecurity on;
modsecurity_rules '
SecRuleEngine On
SecRequestBodyAccess On
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
';
..
}
Logs:
foo@debian /etc/nginx # tail -f /var/log/nginx/error.log
2018/05/28 23:05:17 [notice] 31395#31395: ModSecurity-nginx v1.0.0
foo@debian ~ # tail -f /var/log/nginx/access.log
192.168.100.200 - - [28/May/2018:23:06:34 +0200] "GET /?testparam=test123 HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
Using the default nginx mainline deb-package via apt from the http://nginx.org/packages/mainline/debian/ repo. Attached the output of nginx -V:
foo@debian ~ # nginx -V
nginx version: nginx/1.13.12
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.12/debian/debuild-base/nginx-1.13.12=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
Hi @schadom,
Tested with today's version of the connector and libModSec and everything seems to be working fine. You are welcomed to re-open the issue in case you still face the problem in the most recent version.
One hypothesis is that the nginx binary was different from the headers used during compilation. Not sure if nginx keep binary compatibility.
Hi @zimmerle, thank you very much for having a deeper look into the issue. Will try to recompile libModSec and the connector later today and report back if the problem still persists. Regards
I am working on adding this feature to Kubernetes Ingress-NGINX. I encountered an issue with this particular feature.
When applying modsecurity_rules_remote
I get the following:
Error: exit status 1
2018/11/12 02:39:01 [notice] 2973#2973: ModSecurity-nginx v1.0.0
2018/11/12 02:39:01 [emerg] 2973#2973: "modsecurity_rules_remote" directive in /tmp/nginx-cfg593838611:439
nginx: [emerg] "modsecurity_rules_remote" directive in /tmp/nginx-cfg593838611:439
nginx: configuration file /tmp/nginx-cfg593838611 test failed
nginx version: nginx/1.15.5
built by gcc 8.2.0 (Debian 8.2.0-9)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/etc/nginx/modules --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-g -Og -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -I/root/.hunter/_Base/2c5c6fc/98b522c/92161a9/Install/include -Wno-cast-function-type -m64 -mtune=native' --with-ld-opt='-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L/root/.hunter/_Base/2c5c6fc/98b522c/92161a9/Install/lib' --user=www-data --group=www-data --add-module=/tmp/build/ngx_devel_kit-0.3.1rc1 --add-module=/tmp/build/set-misc-nginx-module-0.32 --add-module=/tmp/build/headers-more-nginx-module-0.33 --add-module=/tmp/build/nginx-http-auth-digest-274490cec649e7300fea97fed13d84e596bbc0ce --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-nginx-module-e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 --add-module=/tmp/build/lua-upstream-nginx-module-0.07 --add-module=/tmp/build/nginx-influxdb-module-0e2cb6cbf850a29c81e44be9e33d9a15d45c50e8 --add-dynamic-module=/tmp/build/nginx-opentracing-0.6.0/opentracing --add-dynamic-module=/tmp/build/ModSecurity-nginx-fc061a57a8b0abda79b17cbe103d78db803fa575 --add-dynamic-module=/tmp/build/ngx_http_geoip2_module-3.2 --add-module=/tmp/build/nginx_ajp_module-bf6cd93f2098b59260de8d494f0f4b1f11a84627 --add-module=/tmp/build/ngx_brotli
@zimmerle ^
The build file used can be found here https://github.com/kubernetes/ingress-nginx/blob/master/images/nginx/rootfs/build.sh
Hi @diazjf,
Make sure your modsecurity is compiled with support for curl. Your configuration summary should show something like this:
+ LibCURL ....found v7.62.0
-lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
@zimmerle the image mentioned by @diazjf contains the LibCURL output during the build, but the issue still persists. How can I debug what is missing?
@zimmerle I found the issue. If the FQDN or the URL (content) is not valid I just get
nginx: [emerg] "modsecurity_rules_remote" directive in /data/nginx.conf:441
without any context about the real issue.
Reopening this issue for further investigation.
We should consider adding more helpful messages for failed SecRemoteRules download if that's the problem that @aledbf is mentioning in the end.
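As an added example (not code from this thread or from the ModSecurity-nginx project), a small POSIX shell pre-flight script that runs the two checks this thread converges on before the configuration reaches nginx -t: whether libmodsecurity is linked against libcurl (required for remote rules), and whether each modsecurity_rules_remote URL is well-formed, resolvable and reachable, so that the bare `"modsecurity_rules_remote" directive in ...` emerg comes with a reason. The default library path, the `NGINX_CONF`/`LIBMODSEC` environment variables and the `.invalid` host names are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Pre-flight checks for ModSecurity-nginx remote rules. Added example, not
# part of the ModSecurity-nginx project. It reports a concrete reason for the
# two failure modes discussed in the thread:
#   1. libmodsecurity built without libcurl (remote rules cannot be fetched)
#   2. a modsecurity_rules_remote URL that is malformed, does not resolve or
#      does not answer
# The library path and environment variable names below are assumptions.

set -u

# Extract the URL from a "modsecurity_rules_remote <key> <url>;" directive.
# $1: one line of nginx configuration. Prints the URL, or nothing if the line
# is not that directive.
remote_rules_url() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*modsecurity_rules_remote[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([^[:space:];]\{1,\}\).*/\1/p'
}

# Decide from `ldd` output whether libmodsecurity was linked with libcurl.
# $1: text produced by `ldd /path/to/libmodsecurity.so`
# Returns 0 when a libcurl entry is present, 1 otherwise.
curl_linked() {
    printf '%s\n' "$1" | grep -q 'libcurl'
}

# Classify a rules URL before nginx sees it. Prints exactly one word:
#   malformed   - scheme is not http or https
#   unresolved  - host name has no DNS answer
#   unreachable - host resolves but the HEAD request fails
#   ok          - server answers with a 2xx/3xx status
url_status() {
    url=$1
    case $url in
        http://*|https://*) ;;
        *) echo malformed; return ;;
    esac
    # Strip scheme, then everything from the first '/' or ':' (port) onwards.
    # Bracketed IPv6 literals are not handled by this simple parser.
    host=$(printf '%s\n' "$url" | sed 's|^[a-z]*://||; s|[/:].*||')
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo unresolved; return
    fi
    if curl -sSf -I --max-time 10 "$url" >/dev/null 2>&1; then
        echo ok
    else
        echo unreachable
    fi
}

# Walk an nginx.conf, run both checks, and print a reason per directive.
# $1: path to nginx.conf; $2: path to libmodsecurity.so
preflight() {
    conf=$1
    lib=$2
    rc=0
    if ! curl_linked "$(ldd "$lib" 2>/dev/null)"; then
        echo "FAIL: $lib is not linked against libcurl; modsecurity_rules_remote cannot download rules"
        rc=1
    fi
    while IFS= read -r line; do
        url=$(remote_rules_url "$line")
        [ -n "$url" ] || continue
        status=$(url_status "$url")
        case $status in
            ok) echo "OK:   $url" ;;
            *)  echo "FAIL: $url ($status)"; rc=1 ;;
        esac
    done < "$conf"
    return $rc
}

# Usage (assumed install prefix of libmodsecurity):
#   NGINX_CONF=/etc/nginx/nginx.conf LIBMODSEC=/usr/local/modsecurity/lib/libmodsecurity.so sh preflight.sh
if [ -n "${NGINX_CONF:-}" ]; then
    preflight "$NGINX_CONF" "${LIBMODSEC:-/usr/local/modsecurity/lib/libmodsecurity.so}"
fi
```

Run it with `NGINX_CONF` set before `nginx -t`; a non-zero exit plus the printed reason distinguishes a build problem (no libcurl) from a configuration problem (bad URL), which is exactly the context the emerg line does not give.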
Bug Description
Nginx 1.13.12 emerges and thus fails to start if using one of the following directives: modsecurity_rules_file or modsecurity_rules_remote in http{}, server{} or location{} context.
Versions affected
Steps to reproduce
Building modsecurity and modsecurity-nginx dynamic module for nginx:
After the module has been built without errors, configure modsecurity with modsecurity_rules_file or modsecurity_rules_remote in nginx.conf. Nginx's config-test will fail with both directives, thus nginx won't start anymore:
Expected result
Nginx should not emerg on modsecurity_rules_file or modsecurity_rules_remote