search

owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0
1.48k stars 274 forks source link

use setenv as variable in nginx logging #296

Closed weestack closed 1 year ago

weestack commented 1 year ago

Hello there,

In apache its possible to use environment variables defined in modsecurity for the apaches access logging, I have been trying to use the same for nginx, but so far have not been able to, is this something thats only implemented for apache?

Modescurity.con:

[...]
SecAction "id:90100,phase:5,pass,nolog,\
  setvar:TX.perf_modsecinbound=$PERF_PHASE1,\
  setvar:TX.perf_modsecinbound=+$PERF_PHASE2,\
  setvar:TX.perf_application=$TX.ModSecTimestamp3start,\
  setvar:TX.perf_application=-$TX.ModSecTimestamp2end,\
  setvar:TX.perf_modsecoutbound=$PERF_PHASE3,\
  setvar:TX.perf_modsecoutbound=+$PERF_PHASE4,\
  setenv:ModSecTimeIn=%{TX.perf_modsecinbound},\
  setenv:ApplicationTime=%{TX.perf_application},\
  setenv:ModSecTimeOut=%{TX.perf_modsecoutbound},\
  setenv:ModSecAnomalyScoreInPLs=%{tx.anomaly_score_pl1}-%{tx.anomaly_score_pl2}-%{tx.anomaly_score_pl3}-%{tx.anomaly_score_pl4},\
  setenv:ModSecAnomalyScoreOutPLs=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4},\
  setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score},\
  setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
[...]

nginx.conf

[...]
log_format server '$remote_addr $loc $webapp [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" ss"$ModSecTimeIn"';
[...]

Where in Apache you would be able to use the env vars like this:

ErrorLogFormat          "[%{cu}t] [%-m:%-l] %-a %-L %M"
LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
martinhsv commented 1 year ago

Hello @weestack ,

ModSecurity v3 supports setenv, but you will likely encounter limitations related to nginx itself. nginx doesn't support use of environment variables out-of-the-box the same way that Apache does.

I have, however, seen some users refer to some tools, such as envsubst, that do enable some such use.

The variety of contexts or use cases where such tools might meet your needs may vary.

fatihusta commented 3 months ago

Hi @weestack Did you find any solution for nginx?

@martinhsv Is it possible to set some variable to header? Because Nginx can access to header like http_x_modsec_rule_id.

airween commented 3 months ago

Hi @fatihusta,

Is it possible to set some variable to header?

Yes, it is, but after a quick check I can say Nginx is not able to create header from environment variable - see previous comment.

Because Nginx can access to header like http_x_modsec_rule_id.

Yes, but the connector does not handle the previously set environment variables. (Consider which environments need to handle?)

I see the legitimacy of the your request, but at the moment it is not a priority, sorry.

If you have any solutions, please send it as pull request.

fatihusta commented 3 months ago

Hi @airween Thank you for your answer.