owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

is it possible to statically link the libmodsecurity to the connector? #249

Closed hehailong5 closed 2 years ago

hehailong5 commented 3 years ago

to avoid porting the libmodsecurity.so every time

martinhsv commented 2 years ago

What do you mean by 'porting'? And what do you mean by every time?

liudongmiao commented 2 years ago

It's possible; however, you need to compile all the dependencies with an extra -fPIC.

Two important things:

  1. add -fPIC to every static library
  2. if pcre is built from source, add an ms_ prefix in pcre.h.in; otherwise the pcre loaded in nginx has the same symbol names as the one in modsecurity, and modsecurity won't load the pcre from the static library.
    # generate one #define per exported pcre_* function, renaming it to ms_pcre_*
    grep _EXP_ pcre.h.in | grep -o 'pcre[^ ()]*(' | tr -d '(' | sort -u | while read line; do echo "#define $line ms_$line"; done
    # then paste the output into pcre.h.in, which means redefining every pcre_xxx as ms_pcre_xxx

Prepare the static library:

mkdir -p /usr/local/modsecurity-static/lib
cd /usr/local/modsecurity-static/lib
# store the static libraries in /usr/local/modsecurity/lib/
ln -s /usr/local/modsecurity/lib/libmodsecurity.a
ln -s /usr/local/modsecurity/lib/libxml2.a
ln -s /usr/local/modsecurity/lib/liblmdb.a
ln -s /usr/local/modsecurity/lib/libpcre.a
ln -s /usr/local/modsecurity/lib/libmaxminddb.a
ln -s /usr/local/modsecurity/lib/libfuzzy.a
ln -s /usr/local/modsecurity/lib/libyajl_s.a libyajl.a # static yajl is named yajl_s
ln -s `g++ -print-file-name=libstdc++.a` # install libstdc++-static if gcc is not compiled from source

Then, link ngx_http_modsecurity_module.so manually:

# make modules
g++ -o objs/ngx_http_modsecurity_module.so \
  objs/addon/src/ngx_http_modsecurity_module.o \
  objs/addon/src/ngx_http_modsecurity_pre_access.o \
  objs/addon/src/ngx_http_modsecurity_header_filter.o \
  objs/addon/src/ngx_http_modsecurity_body_filter.o \
  objs/addon/src/ngx_http_modsecurity_log.o \
  objs/addon/src/ngx_http_modsecurity_rewrite.o \
  objs/ngx_http_modsecurity_module_modules.o \
  -shared \
  -static-libgcc -lmodsecurity -lyajl -lxml2 -llmdb -lpcre -lfuzzy -lmaxminddb -L /usr/local/modsecurity-static/lib \
  -ldl -lpthread -lz -lrt -llua
# I don't build with curl support; if you need it, then add `-lcurl`
# strip
strip --strip-unneeded objs/ngx_http_modsecurity_module.so
# verify pcre: expect no output, any line printed here is an unprefixed pcre symbol
readelf -sW objs/ngx_http_modsecurity_module.so | grep pcre | grep -v ms_pcre

On a very old CentOS 5, the output of ldd ngx_http_modsecurity_module.so:

    linux-vdso.so.1 =>  (0x00007fff65186000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00002ac0de15e000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ac0de362000)
    libz.so.1 => /lib64/libz.so.1 (0x00002ac0de57e000)
    librt.so.1 => /lib64/librt.so.1 (0x00002ac0de792000)
    liblua-5.1.so => /usr/lib64/liblua-5.1.so (0x00002ac0de99b000)
    libm.so.6 => /lib64/libm.so.6 (0x00002ac0debc6000)
    libc.so.6 => /lib64/libc.so.6 (0x00002ac0dee49000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003591c00000)
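As an added example that is not part of this thread or of the ModSecurity-nginx project: a small POSIX shell helper that turns the two checks behind the procedure above into reusable functions. It reads the text output of `readelf -sW` and `readelf -d` on stdin and reports pcre symbols that did not get the ms_ prefix (the ones nginx's own pcre would shadow at dlopen time) and whether libmodsecurity.so is still a runtime dependency. The function names and the sample readelf lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed helper: feed it `readelf -sW module.so` / `readelf -d module.so`
# output on stdin, e.g.
#   readelf -sW objs/ngx_http_modsecurity_module.so | check_pcre_prefix
#   readelf -d  objs/ngx_http_modsecurity_module.so | check_static_modsecurity

# Print every pcre symbol (defined or undefined) whose name lacks the ms_ prefix.
# In `readelf -sW` output the symbol name is field 8; a trailing @VERSION is dropped.
unprefixed_pcre_symbols() {
    awk 'NF >= 8 && $8 ~ /pcre/ && $8 !~ /^ms_pcre/ { sub(/@.*/, "", $8); print $8 }' | sort -u
}

# Exit status 0 when no unprefixed pcre symbol remains, 1 otherwise.
check_pcre_prefix() {
    n=$(unprefixed_pcre_symbols | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Print the DT_NEEDED entries of `readelf -d` output, one library per line.
# The last field looks like "[libdl.so.2]"; strip the surrounding brackets.
needed_libs() {
    awk '/\(NEEDED\)/ { print substr($NF, 2, length($NF) - 2) }'
}

# Exit status 0 when libmodsecurity was linked in statically, i.e. the module
# does not need libmodsecurity.so at runtime; 1 when it still does.
check_static_modsecurity() {
    ! needed_libs | grep -q '^libmodsecurity\.so'
}
```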