Ingress-nginx: Modsecurity can never be enabled in enforced mode

Created on 17 Feb 2020 · 10 Comments · Source: kubernetes/ingress-nginx

NGINX Ingress controller version:
nginx version: nginx/1.17.7 (27.1)
Kubernetes version (use kubectl version):
v1.17.2

What happened:
I've enabled ModSecurity for Ingress.

Inspecting the generated config I see:

```
modsecurity on;

modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;

modsecurity_rules '
SecRuleEngine On
SecDebugLog /tmp/sec.log
SecAuditEngine On
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Concurrent
SecAuditLogFormat JSON
SecDebugLogLevel 9

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

SecCollectionTimeout 600
SecRuleEngine On
SecRule REQUEST_URI ".*" "id:3, phase:1,log,deny,status:403,msg:'Not allowed URI - blocking'"
';
```

In the logs (/tmp/sec.log):

```
[158193468095.532845] [/foo] [4] Not running any disruptive action (or block): deny. SecRuleEngine is not On.
```

What you expected to happen:

All requests should be blocked.

What do you think went wrong?:

ModSecurity (probably?) does not support variable overloading, because /etc/nginx/modsecurity/modsecurity.conf is included before the custom block and that one has SecRuleEngine DetectionOnly.

How to reproduce it:
See above.

/kind bug


All 10 comments

Hi, I think the last 0.29 version broke this. Just upgraded and things are not being blocked anymore.

What I have:

config-map

```
enable-modsecurity: "true"
modsecurity-transaction-id: "$request_id"
"modsecurity-snippet" = <<EOF

Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecAuditEngine RelevantOnly
SecRuleRemoveById 911100
EOF
```

ingress

```
"nginx.ingress.kubernetes.io/modsecurity-snippet" = "SecRuleEngine On"
```

(irrelevant, but I use the terraform provider)

Hi, I've also been experiencing, since version 0.29.0, that requests are not being blocked at all. Version 0.28.0 works correctly.

@aledbf Looking at the PR it only allows us to turn modsecurity off? The request in this issue seems to be to allow users to turn modsecurity ON without messing about with the configmap.
Some users cannot turn on modsecurity for all ingresses at all because of this: https://github.com/SpiderLabs/ModSecurity-nginx/issues/163
On our clusters we have about a hundred ingresses or so, a great deal of them are using external auth. So if we were to turn on modsecurity in configmap, all these ingresses break, and asking users to add annotations to explicitly disable modsecurity is quite a big lift.

@dcherniv I opened an issue in modsecurity-nginx related to the scenario you describe. Please check https://github.com/SpiderLabs/ModSecurity-nginx/issues/183

The gist https://gist.github.com/aledbf/f6ccf154d4db8a3046b1067db80bd889 is what I've used to reproduce it.

Edit: waiting for a response in the modsecurity issue

To anyone affected by this issue, please test
quay.io/kubernetes-ingress-controller/nginx-ingress-controller-amd64:modsec

This image contains PR #5315, which changes the order of the modsecurity configuration and e2e tests to avoid regressions.
I am still waiting for a response in the modsecurity issue but I can reproduce the problem with https://github.com/SpiderLabs/ModSecurity-nginx/issues/183#issuecomment-607496882

If the image does not fix the issue, please post the ingress definitions and indicate if modsecurity is enabled in the configmap or not.

@aledbf the modsec tag appears to be working for me:

```
curl -v "https://app.example.com/login" -H "user-agent: fern-scanner" > /dev/null
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [281 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 403 
< date: Sat, 04 Apr 2020 00:41:59 GMT
< content-type: text/html
< content-length: 146
< strict-transport-security: max-age=15724800; includeSubDomains
```

A 403 is correctly returned. Nothing is specified in the configmap, only the following ingress annotations:

```
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine RelevantOnly
      SecAuditLogFormat JSON
      SecAuditLogType Serial
      SecAuditLog /dev/stdout
      SecRule REQUEST_HEADERS:User-Agent \"fern-scanner\" \"log,deny,id:107,status:403,msg:\'Fern Scanner Identified\'\"
```

@dcherniv thank you for testing :+1:
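The two signals this thread relies on, the debug-log message "SecRuleEngine is not On" from the issue body and the canary User-Agent rule that must answer 403 from the comment above, combined into one regression check. This is an added example, not code from the thread or from ingress-nginx; the log format, the canary rule being deployed, and the probe URL are assumptions.

```python
"""Detect an ingress-nginx ModSecurity that silently runs in DetectionOnly.

Added example (not from the issue or the project). Two checks:
  1. scan the ModSecurity debug log for deny actions that were skipped
     because SecRuleEngine was not On (the line quoted in the issue);
  2. send a request with a canary User-Agent that a test rule in the
     modsecurity-snippet denies, and require a 403 back.
"""
import re
import urllib.error
import urllib.request

# Debug-log line shape seen in the issue: [timestamp] [uri] [level] message
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<uri>[^\]]*)\] \[(?P<level>\d+)\] (?P<msg>.*)$")
# Message ModSecurity writes when a disruptive rule matched but the engine is DetectionOnly
NOT_ENFORCED = re.compile(r"Not running any disruptive action \(or block\): (?P<action>\w+)\. SecRuleEngine is not On")

def unenforced_denies(log_lines):
    """Return (uri, action) for each log line where a block was skipped."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        n = NOT_ENFORCED.search(m.group("msg"))
        if n:
            hits.append((m.group("uri"), n.group("action")))
    return hits

def probe_enforcing(url, canary_ua="fern-scanner", timeout=5):
    """True only if the canary request is answered with 403 (assumes the
    deny rule for this User-Agent from the thread is deployed)."""
    req = urllib.request.Request(url, headers={"User-Agent": canary_ua})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 403  # urlopen raises on 4xx, so normally unreachable
    except urllib.error.HTTPError as e:
        return e.code == 403

# Constructed sample lines modelled on the one quoted in the issue
SAMPLE_LOG = [
    "[158193468095.532845] [/foo] [4] Not running any disruptive action (or block): deny. SecRuleEngine is not On.",
    "[158193468095.532901] [/foo] [4] Rule returned 1.",
    "[158193468096.100000] [/login] [4] Not running any disruptive action (or block): deny. SecRuleEngine is not On.",
]

if __name__ == "__main__":
    for uri, action in unenforced_denies(SAMPLE_LOG):
        print(f"WARNING: '{action}' skipped for {uri}: ModSecurity is in DetectionOnly mode")
    # probe_enforcing("https://app.example.com/login") against a live ingress
```

Run the log scan against the pod's SecDebugLog after every controller upgrade; a non-empty result means the WAF is logging but not blocking, which is exactly the regression reported here.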
