owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0
1.48k stars, 274 forks

About the implementation of dynamic configuration rules #297

Closed aipach closed 1 year ago

aipach commented 1 year ago

1. Why does the modsecurity_rules directive parameter not support the ngx.var.xxx ($xxx) variable?
2. In order not to create a lot of location configurations, how can the rule configuration be implemented dynamically based on different domain names?

martinhsv commented 1 year ago

Hello @aipach ,

If I'm understanding your question 2 correctly, you can supply different configurations for two different nginx server blocks, or two different location blocks.

If you believe that those methods are inadequate for some needs, please fully illustrate how you would like to be using the technique you described in your first point, and why that would be preferable.

aipach commented 1 year ago

@martinhsv For example:

```nginx
server {
    listen 80;
    server_name localhost;

    #charset koi8-r;
    #access_log  logs/host.access.log  main;
    set $sec_path /usr/local/openresty/nginx/conf/rules/modsecurity.conf;
    modsecurity on;
    # nginx does not expand $sec_path for this directive; the literal string
    # "$sec_path" is passed through and the open fails at startup (see error below)
    modsecurity_rules_file $sec_path;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
```

error:

```
nginx: [emerg] "modsecurity_rules_file" directive Failed to open the file: $sec_path
```

Some directives in nginx can take variables. Why is this configuration not allowed?

martinhsv commented 1 year ago

Hello @aipach ,

I don't believe this is unique to modsecurity_rules_file. My understanding is that within nginx, variables are expected in some places and not in others. I.e., the implementation of variable expansion is for specifically chosen items and not a general rule.

For example, I don't believe you can replace:

```nginx
client_max_body_size 5M;
```

with

```nginx
set $cmb 5M;
client_max_body_size $cmb;
```

If there were a compelling use case, what you suggest could be considered as an enhancement. But given that this has not arisen in the 5 years since v3.0.0 was released, I guess I'm assuming that most users find being able to specify paths directly within server or location blocks to be sufficient.

If you like, feel free to illustrate an example where you think variable expansion would be of high value compared to what one can do today.
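
The per-server approach described above, as an added example that is not part of the original thread or the ModSecurity-nginx project: rather than expanding a variable at request time, render one `server` block per domain from a static domain-to-rules map before nginx starts, so every `modsecurity_rules_file` path is a literal. The domain names, the `/etc/nginx/modsec/...` paths and the `off` marker are constructed for illustration. The pre-flight check refuses to emit a block whose rules file is unreadable, which is the same condition nginx reports as the `[emerg] ... Failed to open the file` error shown earlier in the thread, only caught before a reload.

```shell
#!/bin/sh
# Added example (not from the ModSecurity-nginx project): generate one nginx
# server block per domain, each with its own literal rules path, instead of
# relying on variable expansion inside modsecurity_rules_file.
#
# Assumptions (hypothetical): the domain->rules map and the /etc/nginx/modsec
# paths below are illustrative; adjust them for your deployment.

set -eu

# Constructed sample map: "<server_name> <rules_file>" per line.
# The word "off" instead of a path disables ModSecurity for that host.
DOMAIN_MAP='example.com /etc/nginx/modsec/example.com.conf
api.example.com /etc/nginx/modsec/api.conf
static.example.com off'

# Emit one server block for a domain/rules pair.
render_server_block() {
    domain=$1
    rules=$2
    printf 'server {\n'
    printf '    listen 80;\n'
    printf '    server_name %s;\n' "$domain"
    if [ "$rules" = off ]; then
        printf '    modsecurity off;\n'
    else
        printf '    modsecurity on;\n'
        printf '    modsecurity_rules_file %s;\n' "$rules"
    fi
    printf '    location / {\n'
    printf '        root   html;\n'
    printf '        index  index.html index.htm;\n'
    printf '    }\n'
    printf '}\n'
}

# Render every entry of DOMAIN_MAP. With "yes" as the first argument, stop
# with a non-zero status if a referenced rules file is not readable, so the
# missing-file condition surfaces here rather than as an nginx [emerg] on reload.
render_all() {
    check_files=${1:-no}
    printf '%s\n' "$DOMAIN_MAP" | while read -r domain rules; do
        [ -n "$domain" ] || continue
        if [ "$check_files" = yes ] && [ "$rules" != off ] && [ ! -r "$rules" ]; then
            printf 'missing rules file for %s: %s\n' "$domain" "$rules" >&2
            return 1
        fi
        render_server_block "$domain" "$rules"
    done
}

# Number of server blocks produced from the map (used as a self-check).
count_server_blocks() {
    render_all no | grep -c '^server {'
}

# Typical use (hypothetical paths): write the rendered blocks into an include
# file, validate, then reload.
#   render_all yes > /etc/nginx/conf.d/modsec-hosts.conf && nginx -t && nginx -s reload
```

Because the map is rendered ahead of time, each generated block contains exactly the literal path form that the connector accepts today, and changing the rules for one domain is a regeneration plus `nginx -t` and a reload rather than an edit of many hand-written `location` blocks.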

aipach commented 1 year ago

Hello @martinhsv ,

I know that this configuration will consume a lot of memory.

I just want to change variables for different domain names to implement different rules and reduce the nginx configuration, or use the Lua language to directly modify the loaded rules' in-memory variable values, reducing the number of nginx reloads and achieving real-time rule changes.

Anyway, thanks for your reply. I have been trying to look into modifying the source code.