Open RunFox opened 3 years ago
Maybe you should take a look at this:
https://github.com/coreruleset/body-decompress-plugin
Perhaps you will get some ideas.
Hi, @airween. Do you work with this plugin? Does it work with modsecurity v3? I see this plugin is for the response body. Is your idea to try to rewrite it for processing gzip request bodies on the fly?
> Do you work with this plugin?
No, just tested.
> Does it work with modsecurity v3?
This plugin was made for mod_security2, but with a few modifications it works with v3 too.
> I see this plugin is for the response body. Is your idea to try to rewrite it for processing gzip request bodies on the fly?
No, the author is @azurit.
Thank you for the idea)
> This plugin was made for mod_security2, but with a few modifications it works with v3 too
What kind of modification was done? In the plugin's description there is the information "for embedded". Did you try it with a reverse-proxy configuration? How fast does it work?)
As you are running in reverse proxy mode, please see the SecDisableBackendCompression ModSecurity configuration directive.
@azurit hello and thank you for the answer) Unfortunately, as far as I know, SecDisableBackendCompression is not supported in modsecurity v3
Ok, so please try my plugin as @airween suggested; as far as I remember, it should work with modsec3. Note that you need support for Lua in modsec.
@azurit thank you, I will try)
Hello. I use Nginx 1.20.1 + libmodsecurity-3.0.4-4.el8 as a reverse proxy. When we receive a request with Content-Encoding: gzip and Content-Type: application/json, a rule from the default modsecurity.conf is activated:
As I understand it, we receive the gzip data as binary content, then it is sent to modsecurity in binary format and the JSON parser gives an error because the data is not valid JSON. I think this is actually true for XML and any other data with compression. Is there a way to work with compressed data with ModSecurity, or a workaround? I understand that I can disable the rule for analyzing JSON and XML, but that's a bad way; it affects the level of security.
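
The failure described in this post, next to a bounded decompress-before-parse step, as an added Python example (not part of the thread, and not code from ModSecurity or the body-decompress plugin). The function names, the 1 MiB limit and the sample request are assumptions constructed for illustration.

```python
import gzip
import json
import zlib

MAX_INFLATED = 1024 * 1024  # assumed inspection limit (1 MiB), not a ModSecurity default

# Constructed sample: a JSON request body as sent by a client using Content-Encoding: gzip.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Content-Encoding": "gzip"}
SAMPLE_BODY = gzip.compress(json.dumps({"user": "alice", "q": "constructed sample"}).encode())


def inflate_bounded(body: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Gunzip body, refusing to produce more than limit bytes (decompression-bomb guard)."""
    d = zlib.decompressobj(wbits=31)  # wbits=31 selects the gzip container
    out = d.decompress(body, limit + 1)  # never inflate more than limit + 1 bytes
    if len(out) > limit:
        raise ValueError("decompressed body exceeds inspection limit")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def parse_json_body(headers: dict, body: bytes, decompress: bool = True):
    """Return (parsed, error). decompress=False models a parser fed the raw gzip bytes."""
    encoding = headers.get("Content-Encoding", "").strip().lower()
    try:
        if decompress and encoding == "gzip":
            body = inflate_bounded(body)
        return json.loads(body.decode("utf-8")), None
    except (ValueError, zlib.error) as exc:  # ValueError also covers JSON and UTF-8 errors
        return None, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    # Raw gzip bytes handed to the JSON parser: the error case from the post.
    print(parse_json_body(SAMPLE_HEADERS, SAMPLE_BODY, decompress=False))
    # Same body inflated first, within the limit: parses normally.
    print(parse_json_body(SAMPLE_HEADERS, SAMPLE_BODY))
    # Constructed oversized body: rejected instead of being fully inflated.
    bomb = gzip.compress(b"a" * (MAX_INFLATED + 1))
    print(parse_json_body(SAMPLE_HEADERS, bomb))
```

The size cap matters as much as the decompression itself: a body that cannot be inflated within the limit should be treated as a parse failure rather than passed through uninspected.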