owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

nginx: [emerg] "modsecurity_rules_file" directive #110

Closed d307473 closed 4 years ago

d307473 commented 6 years ago

Bug Description

Nginx 1.13.12 emerges and thus fails to start if using one of the following directives, modsecurity_rules_file or modsecurity_rules_remote, in the http{}, server{} or location{} context.

Versions affected

Steps to reproduce

Building modsecurity and modsecurity-nginx dynamic module for nginx:

# build modsecurity
cd /opt/
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

# build modsecurity-nginx module
cd /opt/
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.13.12.tar.gz
tar zxvf nginx-1.13.12.tar.gz
cd nginx-1.13.12
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

After the module has been built without errors, configure modsecurity with modsecurity_rules_file or modsecurity_rules_remote in nginx.conf. Nginx's config-test will fail with both directives, thus nginx won't start anymore:

foo@debian ~ # cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
..
load_module modules/ngx_http_modsecurity_module.so;
..
http {
..
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
..
}

foo@debian /etc/nginx # nginx -t
nginx: [emerg] "modsecurity_rules_file" directive ??K?? in /etc/nginx/nginx.conf:73
nginx: configuration file /etc/nginx/nginx.conf test failed

and

foo@debian ~ # cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
..
load_module modules/ngx_http_modsecurity_module.so;
..
http {
..
modsecurity on;
modsecurity_rules_remote abc123 https://example.com/modsecurity.conf;
..
}

foo@debian /etc/nginx # nginx -t
nginx: [emerg] "modsecurity_rules_remote" directive  in /etc/nginx/nginx.conf:73
nginx: configuration file /etc/nginx/nginx.conf test failed

Expected result

Nginx should not emerg on modsecurity_rules_file or modsecurity_rules_remote

d307473 commented 6 years ago

Apparently the modsecurity_rules inline directive seems to work without issues. Even filtering and blocking with the SecRule below seems to work as expected:

foo@debian ~ # cat /etc/nginx/nginx.conf
..
http {
..
modsecurity on;
modsecurity_rules '
  SecRuleEngine On
  SecRequestBodyAccess On
  SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
';
..
}

Logs:

foo@debian /etc/nginx # tail -f /var/log/nginx/error.log
2018/05/28 23:05:17 [notice] 31395#31395: ModSecurity-nginx v1.0.0

foo@debian ~ # tail -f /var/log/nginx/access.log
192.168.100.200 - - [28/May/2018:23:06:34 +0200] "GET /?testparam=test123 HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
d307473 commented 6 years ago

Using the default nginx mainline deb-package via apt from http://nginx.org/packages/mainline/debian/ repo. Attached the output of nginx -V:

foo@debian ~ # nginx -V
nginx version: nginx/1.13.12
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) 
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.12/debian/debuild-base/nginx-1.13.12=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
zimmerle commented 5 years ago

Hi @schadom,

Tested with today's version of the connector and libModSec and everything seems to be working fine. You are welcome to re-open the issue in case you still face the problem in the most recent version.

One hypothesis is that the nginx binary was different from the headers used during compilation. Not sure if nginx keeps binary compatibility.
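The hypothesis above (module built against headers that do not match the running binary) is checkable before `nginx -t`. nginx refuses to load a dynamic module whose compiled-in version differs from the binary's, and its configure signature must match too unless both the binary and the module were configured `--with-compat`. The helper below, an added example and not code from ModSecurity-nginx or this thread, parses `nginx -V` output and compares it with the version and configure line the module was built from. The `nginx -V` sample is constructed from the output posted in this thread and trimmed; the module configure line is the one from the reproduction steps.

```python
"""Check that a ModSecurity-nginx .so was built for the nginx binary that will load it.

Added example, not part of ModSecurity-nginx. Assumptions: the binary's `nginx -V`
output is available (it is written to stderr), and the caller knows which nginx
source version and configure flags the module was built with.
"""
import re
import subprocess
from typing import Dict, List, Tuple


def parse_nginx_v(text: str) -> Dict[str, object]:
    """Parse `nginx -V` output into {'version': '1.13.12', 'configure_args': [...]}."""
    m = re.search(r"nginx version: nginx/(\d+\.\d+\.\d+)", text)
    if not m:
        raise ValueError("no 'nginx version:' line in input")
    version = m.group(1)
    args: List[str] = []
    m = re.search(r"^configure arguments:(.*)$", text, re.M)
    if m:
        # One token per --flag[=value]; a value may be a single-quoted string with
        # spaces (--with-cc-opt='-g -O2 ...'), so do not split on whitespace blindly.
        args = re.findall(r"--[\w-]+(?:=(?:'[^']*'|\S+))?", m.group(1))
    return {"version": version, "configure_args": args}


def source_tarball_url(version: str) -> str:
    """Upstream tarball to build the module against; it must be this exact version."""
    return f"http://nginx.org/download/nginx-{version}.tar.gz"


def check_module_build(binary_v_text: str, module_nginx_version: str,
                       module_configure_args: List[str]) -> Tuple[bool, List[str]]:
    """Compare the running binary with the source tree the .so was built in.

    nginx rejects a module whose NGINX_VERSION differs from the binary's. The
    configure signature must also match, unless both sides used --with-compat,
    which pins the signature so a module built with a bare
    `./configure --with-compat --add-dynamic-module=...` loads into a binary
    configured with many more options (as the nginx.org packages are).
    """
    info = parse_nginx_v(binary_v_text)
    problems: List[str] = []
    if info["version"] != module_nginx_version:
        problems.append(
            f"version mismatch: binary is {info['version']}, module was built against "
            f"{module_nginx_version}; rebuild from {source_tarball_url(info['version'])}")
    if "--with-compat" not in info["configure_args"]:
        problems.append("binary built without --with-compat: the module's configure "
                        "args must then match the binary's exactly")
    if "--with-compat" not in module_configure_args:
        problems.append("module built without --with-compat: its configure args "
                        "must then match the binary's exactly")
    return (not problems, problems)


# Constructed sample modelled on the nginx -V output in this thread (trimmed).
NGINX_V_SAMPLE = """\
nginx version: nginx/1.13.12
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1)
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --with-compat --with-http_ssl_module --with-cc-opt='-g -O2 -fstack-protector-strong' --with-ld-opt='-Wl,-z,relro -Wl,-z,now'
"""

# Configure line used in the report to build the connector as a dynamic module.
MODULE_CONFIGURE_ARGS = ["--with-compat", "--add-dynamic-module=../ModSecurity-nginx"]

if __name__ == "__main__":
    try:
        # Live run: nginx -V prints to stderr. Falls back to the sample without nginx.
        text = subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr
    except FileNotFoundError:
        text = NGINX_V_SAMPLE
    ok, problems = check_module_build(text or NGINX_V_SAMPLE, "1.13.12", MODULE_CONFIGURE_ARGS)
    print("ok" if ok else "\n".join(problems))
```

For the report in this thread the check passes (1.13.12 on both sides, `--with-compat` on both sides), which is consistent with the later finding that the real cause lay elsewhere; a failing check would instead show up at load time as a version or binary-compatibility error from `load_module`, not as a directive error.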

d307473 commented 5 years ago

> Hi @schadom,
>
> Tested with today's version of the connector and libModSec and everything seems to be working fine. You are welcome to re-open the issue in case you still face the problem in the most recent version.
>
> One hypothesis is that the nginx binary was different from the headers used during compilation. Not sure if nginx keeps binary compatibility.

Hi @zimmerle, thank you very much for having a deeper look into the issue. Will try to recompile libModSec and the connector later today and report back if the problem still persists. Regards

diazjf commented 5 years ago

I am working on adding this feature to Kubernetes Ingress-NGINX. I encountered an issue with this particular feature.

When applying modsecurity_rules_remote I get the following:

Error: exit status 1
2018/11/12 02:39:01 [notice] 2973#2973: ModSecurity-nginx v1.0.0
2018/11/12 02:39:01 [emerg] 2973#2973: "modsecurity_rules_remote" directive  in /tmp/nginx-cfg593838611:439
nginx: [emerg] "modsecurity_rules_remote" directive  in /tmp/nginx-cfg593838611:439
nginx: configuration file /tmp/nginx-cfg593838611 test failed
nginx version: nginx/1.15.5
built by gcc 8.2.0 (Debian 8.2.0-9) 
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/etc/nginx/modules --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-g -Og -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -I/root/.hunter/_Base/2c5c6fc/98b522c/92161a9/Install/include -Wno-cast-function-type -m64 -mtune=native' --with-ld-opt='-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L/root/.hunter/_Base/2c5c6fc/98b522c/92161a9/Install/lib' --user=www-data --group=www-data --add-module=/tmp/build/ngx_devel_kit-0.3.1rc1 --add-module=/tmp/build/set-misc-nginx-module-0.32 --add-module=/tmp/build/headers-more-nginx-module-0.33 --add-module=/tmp/build/nginx-http-auth-digest-274490cec649e7300fea97fed13d84e596bbc0ce --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-nginx-module-e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 --add-module=/tmp/build/lua-upstream-nginx-module-0.07 --add-module=/tmp/build/nginx-influxdb-module-0e2cb6cbf850a29c81e44be9e33d9a15d45c50e8 --add-dynamic-module=/tmp/build/nginx-opentracing-0.6.0/opentracing --add-dynamic-module=/tmp/build/ModSecurity-nginx-fc061a57a8b0abda79b17cbe103d78db803fa575 --add-dynamic-module=/tmp/build/ngx_http_geoip2_module-3.2 --add-module=/tmp/build/nginx_ajp_module-bf6cd93f2098b59260de8d494f0f4b1f11a84627 --add-module=/tmp/build/ngx_brotli
diazjf commented 5 years ago

@zimmerle ^

The build file used can be found here https://github.com/kubernetes/ingress-nginx/blob/master/images/nginx/rootfs/build.sh

zimmerle commented 5 years ago

Hi @diazjf,

Make sure your modsecurity is compiled with support for curl. Your configuration summary should show something like this:

   + LibCURL                                       ....found v7.62.0 
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
aledbf commented 5 years ago

@zimmerle the image mentioned by @diazjf contains the LibCURL output during the build but the issue still persists. How I can debug what is missing?

aledbf commented 5 years ago

@zimmerle I found the issue. If the FQDN or the URL (content) is not valid I just get

nginx: [emerg] "modsecurity_rules_remote" directive  in /data/nginx.conf:441

without any context about the real issue.

victorhora commented 5 years ago

Reopening this issue for further investigation.

We should consider adding more helpful messages for failed SecRemoteRules download if that's the problem that @aledbf is mentioning in the end.
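Until the connector reports why a remote download failed, the cause has to be found outside nginx. nginx itself prints `"<name>" directive <text> in <file>:<line>` with whatever text the directive handler hands back, so the empty message above means the handler returned no description at all. The pre-flight below is an added example, not code from ModSecurity-nginx or the thread; it pulls every `modsecurity_rules_remote` directive out of an nginx.conf and checks the things the message omits: directive shape, URL syntax, name resolution and whether the URL actually serves a rule set. The conf fragment is constructed from the report (the `abc123` key and `https://example.com/modsecurity.conf` URL), the host `rules.invalid` is a deliberately unresolvable name, and the resolver and fetcher are injectable so the checks can run against fakes.

```python
"""Pre-flight for modsecurity_rules_remote before running `nginx -t`.

Added example, not part of ModSecurity-nginx. Assumptions: one directive per
line in nginx.conf; the fetcher does a plain GET and does not send the key, so a
server that gates on the key must be tested separately.
"""
import re
import socket
import sys
import urllib.request
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# modsecurity_rules_remote <key> <url>;  (leading whitespace only, no newlines,
# so the match start stays on the directive's own line for line numbering)
DIRECTIVE_RE = re.compile(
    r"^[ \t]*modsecurity_rules_remote[ \t]+(\S+)[ \t]+(\S+)[ \t]*;", re.M)

Resolver = Callable[[str], bool]
Fetcher = Callable[[str], Tuple[int, bytes]]


def find_remote_rules(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, url) for each modsecurity_rules_remote directive."""
    found = []
    for m in DIRECTIVE_RE.finditer(conf_text):
        line = conf_text.count("\n", 0, m.start()) + 1
        found.append((line, m.group(1), m.group(2)))
    return found


def resolve_host(host: str) -> bool:
    """Real DNS lookup; replaced by a fake in the test."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def fetch_url(url: str) -> Tuple[int, bytes]:
    """Plain GET; urllib raises (an OSError subclass) for non-2xx answers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.status, resp.read()


def check_remote_rules(conf_text: str, resolve: Resolver = resolve_host,
                       fetch: Fetcher = fetch_url) -> List[str]:
    """Explain what the bare '"modsecurity_rules_remote" directive  in ...' line does not."""
    problems: List[str] = []
    for line, key, url in find_remote_rules(conf_text):
        where = f"line {line} ({key} {url})"
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append(f"{where}: URL must be http(s)://host/path")
            continue
        if parts.scheme == "http":
            # Not fatal, but rules fetched in the clear can be altered in transit.
            problems.append(f"{where}: plaintext http, rule set can be tampered with in transit")
        if not resolve(parts.hostname):
            problems.append(f"{where}: cannot resolve host {parts.hostname}")
            continue
        try:
            status, body = fetch(url)
        except OSError as exc:  # URLError and HTTPError are OSError subclasses
            problems.append(f"{where}: download failed: {exc}")
            continue
        if status != 200:
            problems.append(f"{where}: server answered HTTP {status}")
            continue
        # A rule set has at least one Sec* directive; an HTML error page does not.
        if not re.search(rb"^[ \t]*Sec[A-Za-z]+", body, re.M):
            problems.append(f"{where}: body has no Sec* directive, not a rule set")
    return problems


# Constructed nginx.conf fragment modelled on the report; rules.invalid never resolves.
CONF_SAMPLE = """\
http {
    modsecurity on;
    modsecurity_rules_remote abc123 https://example.com/modsecurity.conf;
    modsecurity_rules_remote abc123 https://rules.invalid/modsecurity.conf;
    modsecurity_rules_remote abc123 ftp://example.com/modsecurity.conf;
}
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CONF_SAMPLE
    for problem in check_remote_rules(text):
        print(problem)
```

Run it as `python3 preflight.py /etc/nginx/nginx.conf` (script name assumed) and fix whatever it prints before re-running `nginx -t`. It does not cover the other cause raised in this thread, a libmodsecurity built without curl; for that, check that the shared library the connector links against lists libcurl, e.g. `ldd /usr/local/modsecurity/lib/libmodsecurity.so | grep curl` (path assumes the default install prefix).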

github-actions[bot] commented 4 years ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days