owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

ngx_http_modsecurity_module.so: undefined symbol: ngx_http_top_body_filter #294

Closed bourneenery closed 1 year ago

bourneenery commented 1 year ago

Hello,

I'm trying to load the ModSecurity-nginx connector, but after compilation and installation nginx is throwing the following error. I compiled it manually as a dynamic module from https://github.com/SpiderLabs/ModSecurity-nginx.git, using my exact nginx version, nginx-1.21.0.tar.gz:

    nginx: [emerg] dlopen() "/home/build/bin/nginx/modules/ngx_http_modsecurity_module.so" failed (/home/build/bin/nginx/modules/ngx_http_modsecurity_module.so: undefined symbol: ngx_http_top_body_filter) in /home/build/bin/nginx/conf/nginx.conf:4

I loaded the module as,

"load_module modules/ngx_http_modsecurity_module.so;" in the nginx.conf.

I have compiled and installed ModSecurity from https://github.com/SpiderLabs/ModSecurity successfully with no errors, it's currently under /usr/local/modsecurity/lib/libmodsecurity.so

/home/build/bin/nginx/sbin/nginx -V

    nginx version: nginx/1.21.0
    built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)
    built with OpenSSL 1.1.1f 31 Mar 2020
    TLS SNI support enabled
    configure arguments: --prefix=/home/build/bin/nginx --with-compat --with-http_auth_request_module --with-file-aio --with-threads --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-cc-opt='-static -static-libgcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fPIC' --with-ld-opt='-static -Wl,-z,relro -Wl,-z,now -pie' --with-pcre=../pcre-8.44 --with-pcre-jit --with-zlib=../zlib-1.2.11 --with-openssl=../openssl-1.1.1f --with-openssl-opt=no-nextprotoneg --add-module=/home/build/headers-more-nginx-module

file /home/build/bin/nginx/modules/ngx_http_modsecurity_module.so

    /home/build/bin/nginx/modules/ngx_http_modsecurity_module.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=2ee88e266909459bf86a1439ea8f0ac988584357, with debug_info, not stripped

ldd /home/build/bin/nginx/modules/ngx_http_modsecurity_module.so

    linux-vdso.so.1 (0x00007ffdddb87000)
    libmodsecurity.so.3 => /usr/local/modsecurity/lib/libmodsecurity.so.3 (0x00007f9b6f7ca000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9b6f5d0000)
    libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f9b6f53e000)
    libGeoIP.so.1 => /lib/x86_64-linux-gnu/libGeoIP.so.1 (0x00007f9b6f500000)
    libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f9b6f346000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f9b6f2d3000)
    libmaxminddb.so.0 => /lib/x86_64-linux-gnu/libmaxminddb.so.0 (0x00007f9b6f2ca000)
    libyajl.so.2 => /lib/x86_64-linux-gnu/libyajl.so.2 (0x00007f9b6f2be000)
    libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f9b6f0dc000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9b6fa2d000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f9b6f0c1000)
    libnghttp2.so.14 => /lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007f9b6f098000)
    libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f9b6f077000)
    librtmp.so.1 => /lib/x86_64-linux-gnu/librtmp.so.1 (0x00007f9b6f055000)
    libssh.so.4 => /lib/x86_64-linux-gnu/libssh.so.4 (0x00007f9b6efe7000)
    libpsl.so.5 => /lib/x86_64-linux-gnu/libpsl.so.5 (0x00007f9b6efd4000)
    libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f9b6ef41000)
    libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f9b6ec6b000)
    libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f9b6ec1e000)
    libldap_r-2.4.so.2 => /lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f9b6ebc6000)
    liblber-2.4.so.2 => /lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f9b6ebb5000)
    libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x00007f9b6eba7000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9b6eb8b000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f9b6eb68000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f9b6eb62000)
    libicuuc.so.66 => /lib/x86_64-linux-gnu/libicuuc.so.66 (0x00007f9b6e97a000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f9b6e951000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f9b6e802000)
    libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f9b6e680000)
    libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f9b6e4aa000)
    libhogweed.so.5 => /lib/x86_64-linux-gnu/libhogweed.so.5 (0x00007f9b6e471000)
    libnettle.so.7 => /lib/x86_64-linux-gnu/libnettle.so.7 (0x00007f9b6e437000)
    libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f9b6e3b3000)
    libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f9b6e2d6000)
    libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f9b6e2a5000)
    libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f9b6e29c000)
    libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f9b6e28d000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f9b6e271000)
    libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f9b6e254000)
    libgssapi.so.3 => /lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007f9b6e20f000)
    libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x00007f9b6e1ec000)
    libicudata.so.66 => /lib/x86_64-linux-gnu/libicudata.so.66 (0x00007f9b6c729000)
    libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f9b6c5f3000)
    libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f9b6c5dd000)
    libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f9b6c5d6000)
    libheimntlm.so.0 => /lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f9b6c5ca000)
    libkrb5.so.26 => /lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f9b6c535000)
    libasn1.so.8 => /lib/x86_64-linux-gnu/libasn1.so.8 (0x00007f9b6c48e000)
    libhcrypto.so.4 => /lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007f9b6c456000)
    libroken.so.18 => /lib/x86_64-linux-gnu/libroken.so.18 (0x00007f9b6c43d000)
    libffi.so.7 => /lib/x86_64-linux-gnu/libffi.so.7 (0x00007f9b6c431000)
    libwind.so.0 => /lib/x86_64-linux-gnu/libwind.so.0 (0x00007f9b6c407000)
    libheimbase.so.1 => /lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007f9b6c3f3000)
    libhx509.so.5 => /lib/x86_64-linux-gnu/libhx509.so.5 (0x00007f9b6c3a5000)
    libsqlite3.so.0 => /lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f9b6c27c000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f9b6c241000)

Any advice is appreciated, thank you!
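
A check for the loader error reported above, as an added example that is not part of the original post or of the ModSecurity-nginx project: dlopen() can only resolve the module's undefined `ngx_*` symbols against what the nginx executable exports in its dynamic symbol table, so comparing the two `nm -D` listings shows what is missing. The `nm` listings are constructed samples, the function names are hypothetical, and treating `-static` in the configure arguments as a possible reason for an empty export table is an assumption the thread does not confirm.

```python
import shlex
import subprocess

def nm_dynamic(path):
    """Dynamic symbol table of an ELF file as text (wraps binutils `nm -D`)."""
    return subprocess.run(["nm", "-D", path], capture_output=True, text=True).stdout

def parse_nm(text):
    """Map symbol -> nm type letter; version suffixes such as @GLIBC_2.14 are dropped."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            syms[parts[-1].split("@")[0]] = parts[-2]
    return syms

def unresolved_in_host(module_nm, host_nm, prefix="ngx_"):
    """ngx_* symbols the module imports that the nginx executable does not export."""
    needed = {s for s, k in parse_nm(module_nm).items() if k == "U" and s.startswith(prefix)}
    exported = {s for s, k in parse_nm(host_nm).items() if k not in ("U", "w", "v")}
    return sorted(needed - exported)

def static_link_flags(configure_args):
    """-static tokens inside --with-cc-opt / --with-ld-opt of `nginx -V` output."""
    hits = []
    for arg in shlex.split(configure_args):
        key, _, value = arg.partition("=")
        if key in ("--with-cc-opt", "--with-ld-opt"):
            hits += [f"{key}: {tok}" for tok in value.split() if tok == "-static"]
    return hits

# Constructed sample of `nm -D ngx_http_modsecurity_module.so` (not from the thread).
MODULE_NM = """\
                 U msc_new_transaction
                 U ngx_http_top_body_filter
                 U ngx_http_top_header_filter
                 U memcpy@GLIBC_2.14
"""
# Constructed sample of `nm -D sbin/nginx` for a host that exports its symbols.
HOST_NM_EXPORTING = """\
00000000002f4a10 B ngx_http_top_body_filter
00000000002f4a18 B ngx_http_top_header_filter
"""
# Abridged from the configure arguments quoted in the post above.
CONFIGURE_ARGS = ("--with-compat --with-cc-opt='-static -static-libgcc -O2 -fPIC' "
                  "--with-ld-opt='-static -Wl,-z,relro -Wl,-z,now -pie'")

if __name__ == "__main__":
    print(unresolved_in_host(MODULE_NM, HOST_NM_EXPORTING))  # host exports both symbols
    print(unresolved_in_host(MODULE_NM, ""))                 # host exports nothing
    print(static_link_flags(CONFIGURE_ARGS))
```

On a real system, pass `nm_dynamic()` of the module and of the nginx binary to `unresolved_in_host()` in place of the sample strings.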

martinhsv commented 1 year ago

Hello @bourneenery,

I do not recall having seen that particular error message before.

Can you specify fully the steps you followed? Either reproduce them here, or point to the specific link.

You could also try alternative instructions, in case the ones you used are easily misinterpreted somehow. (For example: https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/)

(Also, what versions are you using for ModSecurity and ModSecurity-nginx?)

bourneenery commented 1 year ago

Hi Martin,

Thank you for your response. The steps I followed are from the exact same link you posted; no errors were thrown during the compilation. The ModSecurity and ModSecurity-nginx versions are the ones used in that guide, which I presume are the latest for both.

The module works if I completely rebuild the nginx binary with make && make install, but compiling this as a dynamic module always fails with the error provided earlier.

Any advice is appreciated. Thanks!

martinhsv commented 1 year ago

I'm not following you.

With the problem scenario that prompted your report, did you install nginx itself via sudo apt install nginx (or equivalent)? Or did you build it yourself from source?

bourneenery commented 1 year ago

Hi Martin,

Yes, correct. I built it myself from source. I included the ./configure line in the first post.

Any advice is very much appreciated.

martinhsv commented 1 year ago

In that case, it sounds more like you have not correctly built nginx. That is not something I can offer guidance on.

My suggestion would be to install nginx from repo.

If you want information on building nginx yourself, you could consider inquiring with the nginx project, as that group would be the subject matter experts on building nginx.

airween commented 1 year ago

> I'm trying to load the ModSecurity-nginx connector ...
>
> nginx version: nginx/1.21.0 built by gcc 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04) ... Any advice is appreciated, thank you!

There is a package for Ubuntu 18.04: https://modsecurity.digitalwave.hu - but the Nginx version is the same as in Ubuntu 18.04, not 1.21.

For 1.21, you should make your own package from this package source: https://salsa.debian.org/modsecurity-packaging-team/libnginx-mod-http-modsecurity. It's not the final version for 1.21, but only a few small cosmetic changes are needed.