Open kpushkaryov opened 2 years ago
Hi @kpushkaryov ,
This sounds like fundamentally the same issue as https://github.com/SpiderLabs/ModSecurity-nginx/issues/41.
Feel free to correct me if you think I am mistaken.
@martinhsv, the issues may be related, but I'm not sure. The error messages are similar, but still different. Also, `SecResponseBodyLimit` isn't mentioned there and I don't know whether the two cases are processed in the same way inside nginx.
I can't make the `SecResponseBodyLimit` directive together with `SecResponseBodyLimitAction Reject` block oversized responses from nginx. ModSecurity-nginx reports "Headers are already sent. Cannot perform the redirection at this point" to `error.log`. The client receives the response in full with code 200.

The results are similar when I use a rule instead, e.g. `SecRule RESPONSE_CONTENT_LENGTH "@ge 10000" "phase:4,id:1,deny,log,msg:'Oversized response',status:403"`. There is "Headers are already sent" in `error.log`, but the client receives an empty response without status code. Three different status codes are reported in logs for this request: 500 in `access.log`, 200 in `error.log`, 403 in the ModSecurity audit log.

ModSecurity version: 3.0.5. ModSecurity-nginx version: 1.0.2. nginx version: 1.20.1.
`nginx -V` info:

The config of nginx is as follows:
In `/nginx/www` I have two text files, of which `jack.txt` is bigger than the response size limit of 10240 bytes:

When I access them, both files are returned successfully:
The most relevant part of `error.log` is:

In `modsec_audit.log` we see that ModSecurity assigned code 403 to the oversized response:

Also, inspection of `modsec_debug.log` confirms that the request is to be rejected:

Nevertheless, the client receives the response in full with code 200.
As far as I understand, when ModSecurity tries to block the response it's too late, as its headers have already been sent.
I've tried to debug the issue myself. As `error.log` shows, response headers are sent between `ngx_http_modsecurity_header_filter()` and `ngx_http_modsecurity_body_filter()`. Looking from GDB, the headers are sent by `ngx_http_header_filter()` at the end of the filter chain:

This happens before response body processing and I can't see what should have stopped nginx from sending the headers before the body was checked by ModSecurity.
An archive file with all logs, config and data files mentioned above is attached. nginx.zip
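As an added example, not part of the issue above and not ModSecurity-nginx's own code, the following POSIX shell script reproduces the check the reporter describes against a running nginx: it writes two fixtures with sizes on either side of the 10240-byte limit into the document root, fetches each with curl, and classifies what the client actually received. `BASE_URL` and `DOCROOT` are hypothetical environment variables, the fixture names are constructed to mirror the report, and the verdict names are this script's own.

```shell
#!/bin/sh
# Added example, not code from the issue or from ModSecurity-nginx.
# Assumes (hypothetically) that nginx serves $DOCROOT at $BASE_URL with
#   SecResponseBodyLimit 10240
#   SecResponseBodyLimitAction Reject
# as in the report above.

LIMIT=10240

# Create two fixtures: small.txt well under the limit, jack.txt well over it.
make_fixtures() {
    dir="$1"; limit="$2"
    mkdir -p "$dir"
    head -c "$((limit / 2))" /dev/zero | tr '\000' 'a' > "$dir/small.txt"
    head -c "$((limit * 2))" /dev/zero | tr '\000' 'b' > "$dir/jack.txt"
}

# Size of a file in bytes (wc -c pads with spaces on some systems).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Turn what curl observed (status, bytes received) plus the real file size
# into a verdict on what the WAF did. Verdict names are this script's own.
classify() {
    status="$1"; received="${2%%.*}"; expected="$3"; limit="$4"
    if [ "$expected" -le "$limit" ]; then
        if [ "$status" = "200" ] && [ "$received" -eq "$expected" ]; then
            echo "allowed"                   # under the limit, passed through
        else
            echo "unexpected-$status"        # under the limit but interfered with
        fi
    elif [ "$status" = "403" ]; then
        echo "blocked"                       # reject took effect
    elif [ "$status" = "200" ] && [ "$received" -eq "$expected" ]; then
        echo "not-blocked-full-body"         # what the issue reports for jack.txt
    elif [ "$status" = "200" ]; then
        echo "not-blocked-truncated"         # headers sent, body cut off
    elif [ "$status" = "000" ]; then
        echo "empty-reply"                   # no status line at all (curl shows 000)
    else
        echo "status-$status"
    fi
}

# Fetch one URL; print "<http_code> <bytes_downloaded>". curl prints
# "000 0" itself when it never receives a status line.
probe() {
    out=$(curl -s -o /dev/null -w '%{http_code} %{size_download}' "$1" 2>/dev/null)
    echo "${out:-000 0}"
}

# Probe both fixtures and print a verdict per file.
run() {
    base="$1"; dir="$2"
    for f in small.txt jack.txt; do
        set -- $(probe "$base/$f")
        printf '%s: status=%s bytes=%s verdict=%s\n' "$f" "$1" "$2" \
            "$(classify "$1" "$2" "$(file_size "$dir/$f")" "$LIMIT")"
    done
}

# Only talk to a server when told where it is; the functions above are
# usable on their own otherwise.
if [ -n "${BASE_URL:-}" ] && [ -n "${DOCROOT:-}" ]; then
    make_fixtures "$DOCROOT" "$LIMIT"
    run "$BASE_URL" "$DOCROOT"
fi
```

Run it as `BASE_URL=http://127.0.0.1 DOCROOT=/nginx/www sh check-limit.sh`. A verdict of `blocked` means the reject took effect before the client saw anything; `not-blocked-full-body` for `jack.txt` is the behaviour reported in this issue, and `empty-reply` (curl status 000) corresponds to the status-less empty response the reporter saw with the phase 4 rule.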