owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

SecRequestBodyLimit in an nginx virtual host? #237

Closed vikas027 closed 3 years ago

vikas027 commented 3 years ago

We have a parameter SecRequestBodyLimit in the modsec rules configuration file which can be updated to block payloads beyond a certain size. This works well but is a global parameter.

Is there a way to also define this value inside an nginx virtual host file? My use case is to not change the global parameter but only one virtual host.

My environment is

Has anyone else faced a similar issue or use case?

zimmerle commented 3 years ago

Did you have it tested on a virtual host?

vikas027 commented 3 years ago

Hello @zimmerle,

Thanks for looking this up.

I apply specific rules like this in an nginx vhost, but I am not sure how I should define SecRequestBodyLimit.

      modsecurity_rules '
        SecRule REQUEST_URI "@beginsWith /" "id:1,pass,phase:1,skipAfter:END-RESPONSE-980-CORRELATION"
        SecRule REQUEST_URI "@beginsWith /" "id:2,pass,phase:2,skipAfter:END-RESPONSE-980-CORRELATION"
      ';

martinhsv commented 3 years ago

Hi @vikas027,

I'm not sure if this helps, but you can include ModSecurity configuration directives in multiple nginx config blocks. You can set up multiple "server {" blocks (aka Virtual Hosts) and have different configuration items apply to each. You can also do this with "location {" blocks.

I just tried the following in my test setup and it seemed to accomplish what (I believe) you are asking about:

    location ~ /path1 {
        ...
        modsecurity_rules 'SecRequestBodyLimit 340';
    }

    location ~ /path2 {
        ...
        modsecurity_rules 'SecRequestBodyLimit 335';
    }

vikas027 commented 3 years ago

Thanks @martinhsv. That helps, I am closing this ticket.

Vikas
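
The per-context override from martinhsv's answer, applied to `server {` blocks as asked in the original question. This is an added example, not part of the thread or the project's own documentation; the hostnames, ports, file path and limit values are constructed.

```nginx
# Added example with constructed values. Assumes the ModSecurity-nginx
# connector is loaded and that /etc/nginx/modsec/main.conf (hypothetical
# path) holds the shared rule set, including the global SecRequestBodyLimit.

http {
    # Shared baseline: every server block below inherits these.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    server {
        listen 80;
        server_name app.example.test;       # keeps the global limit

        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }

    server {
        listen 80;
        server_name upload.example.test;    # the one vhost with its own limit

        # nginx's own body cap (default 1m) still applies: requests above
        # it are refused by nginx with a 413 whatever ModSecurity allows.
        client_max_body_size 32m;

        # Inline directives set here apply to this server block only and
        # are merged with the inherited rules file.
        modsecurity_rules '
            SecRequestBodyAccess On
            SecRequestBodyLimit 26214400
            SecRequestBodyLimitAction Reject
        ';

        location / {
            proxy_pass http://127.0.0.1:8081;
        }
    }
}
```

After `nginx -t` and a reload, sending one body just under and one just over the per-vhost value to each hostname confirms which limit is in effect for which virtual host.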