
Update modsecurity module to 3.0.11

Open gulecroc opened this issue 8 months ago • 14 comments

Hi,

Could you update modsecurity module to 3.0.11 ?

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11

Best regards,

Guillaume

gulecroc avatar Dec 11 '23 09:12 gulecroc

Hi,

The current Nginx Ingress Controller version comes with ModSecurity 3.0.8. The OWASP security rules bundled make use of "expirevar". This is not supported by ModSecurity 3.0.8, therefore those rules simply don't work, although there are no error messages.

This was fixed in 3.0.11: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11

I think it becomes urgent to migrate Nginx controller to ModSecurity 3.0.11.

Thank you for your great work.

iliuta avatar Dec 16 '23 12:12 iliuta

/triage accepted

longwuyuan avatar Dec 16 '23 17:12 longwuyuan

/priority important-longterm

cc @tao12345666333 @strongjz @rikatz

longwuyuan avatar Dec 16 '23 17:12 longwuyuan

@gulecroc if you open a PR we can accept it; the line to change is here: https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/rootfs/build.sh#L62

strongjz avatar Dec 20 '23 17:12 strongjz

I hope it's ok. I'm not very familiar with the procedures ...

iliuta avatar Dec 22 '23 08:12 iliuta

I hope it's ok. I'm not very familiar with the procedures ...

you just need to sign the cncf cla before we can accept it.

strongjz avatar Dec 22 '23 18:12 strongjz

@strongjz I signed something named CLA, I hope it's ok now.

iliuta avatar Dec 22 '23 19:12 iliuta

It seems this issue was resolved with controller version 1.9.6.

BernhardGruen avatar Feb 01 '24 12:02 BernhardGruen

@BernhardGruen you're right, I was waiting for the release. Fixed in v1.9.6. Thank you @iliuta

gulecroc avatar Feb 01 '24 19:02 gulecroc

I just upgraded chart v4.8.4 to v4.9.1 with controller v1.9.6, but the modsecurity lib version is still v3.0.8:

      "producer": {
        "components": [
          "OWASP_CRS/3.3.5\""
        ],
        "secrules_engine": "DetectionOnly",
        "connector": "ModSecurity-nginx v1.0.3",
        "modsecurity": "ModSecurity v3.0.8 (Linux)"
      },

@iliuta do you have the same?

gulecroc avatar Feb 02 '24 14:02 gulecroc

@gulecroc I'm sorry, where should I look for that json snippet?

But, in any case, the reason I needed modsecurity 3.0.11 is for having DOS rules work (expirevar directive). I also installed the newest helm chart, tested it, but DOS rules are still not working. So I guess either there is a problem with ModSecurity itself or the right version is finally not included in the nginx build.

iliuta avatar Feb 02 '24 14:02 iliuta

@iliuta to test it, I added a custom rule to my Ingress (could be set on the chart too):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecRule REQUEST_HEADERS:User-Agent \"fern-scanner\" \"log,deny,id:99,status:403,msg:\'Fern Scanner Identified again\'\"

Then I just called my service: curl https://url/ -k -H "user-agent: fern-scanner"

This will generate an ingress log with the modsecurity information.

gulecroc avatar Feb 02 '24 17:02 gulecroc
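Since the thread turns on reading the ModSecurity version back out of the JSON "producer" block that the test rule above makes the controller log, here is an added checker (not code from the issue or from the ingress-nginx project) that scans controller log lines, picks out JSON audit entries, and reports whether the logged engine is at least 3.0.11, the release the thread identifies as the first where "expirevar" works. The audit entry and access line are constructed samples shaped like the ones pasted in the thread; the `transaction.producer` nesting is assumed from ModSecurity's JSON audit log format.

```python
import json
import re

# Minimum ModSecurity release in which "expirevar" works, as stated in the thread.
MIN_VERSION = (3, 0, 11)

# Constructed sample (not a real capture): the "producer" block of a JSON-format
# audit log entry, shaped like the ones pasted in the thread.
SAMPLE_AUDIT_ENTRY = json.dumps({"transaction": {"producer": {
    "modsecurity": "ModSecurity v3.0.8 (Linux)",
    "connector": "ModSecurity-nginx v1.0.3",
    "secrules_engine": "DetectionOnly",
    "components": ["OWASP_CRS/3.3.5\""],
}}})
# Constructed controller log: a plain nginx access line followed by the audit entry.
SAMPLE_LOG = "\n".join([
    '10.0.0.1 - - [02/Feb/2024:14:00:00 +0000] "GET / HTTP/1.1" 403 0 "-" "fern-scanner"',
    SAMPLE_AUDIT_ENTRY,
])

def parse_version(producer_string):
    """Extract (major, minor, patch) from e.g. 'ModSecurity v3.0.8 (Linux)'."""
    m = re.search(r"v(\d+)\.(\d+)\.(\d+)", producer_string)
    if not m:
        raise ValueError(f"no version in producer string: {producer_string!r}")
    return tuple(int(x) for x in m.groups())

def check_audit_entry(entry_json, minimum=MIN_VERSION):
    """Parse one JSON audit entry and report the engine version against the minimum."""
    producer = json.loads(entry_json)["transaction"]["producer"]
    version = parse_version(producer["modsecurity"])
    # The CRS signature carries a stray trailing quote in the thread's logs; strip it.
    components = [c.rstrip('"') for c in producer.get("components", [])]
    return {
        "version": version,
        "meets_minimum": version >= minimum,
        "engine": producer.get("secrules_engine"),
        "components": components,
    }

def scan_log_lines(log_text, minimum=MIN_VERSION):
    """Controller logs mix access lines with audit JSON; check every JSON line."""
    results = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("{"):
            try:
                results.append(check_audit_entry(line, minimum))
            except (ValueError, KeyError):
                pass  # JSON line that is not a ModSecurity audit entry
    return results
```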

Hi @strongjz,

Do you have any idea why, after upgrading the chart to v4.9.1 with controller v1.9.6, the modsecurity version is still v3.0.8?

I checked the branch and it seems good:

  • release-1.9: https://github.com/kubernetes/ingress-nginx/blob/release-1.9/images/nginx/rootfs/build.sh#L63
  • controller 1.9.6: https://github.com/kubernetes/ingress-nginx/blob/controller-v1.9.6/images/nginx/rootfs/build.sh#L63

Controller logs:

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.9.6
  Build:         6a73aa3b05040a97ef8213675a16142a9c95952a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6

-------------------------------------------------------------------------------

Image: registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c

Thank you.

gulecroc avatar Feb 06 '24 14:02 gulecroc

Let me look into it. It may have been missed in the cherry pick for the latest release. I'm at an offsite this week for work, so it might be next week and next release, 1.9.7 or 1.10.0.

/assign @strongjz

strongjz avatar Feb 06 '24 14:02 strongjz

/close

This is updated on v1.10.0

rikatz avatar Feb 28 '24 23:02 rikatz

@rikatz: Closing this issue.

In response to this:

/close

This is updated on v1.10.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Feb 28 '24 23:02 k8s-ci-robot

Hi @strongjz @gulecroc , thanks for the release. I've just tested and it seems to work.

iliuta avatar Mar 01 '24 12:03 iliuta

/reopen

Hi @strongjz and @rikatz,

The controller shows modsecurity v3.0.12 in the logs:

    "producer": {
      "modsecurity": "ModSecurity v3.0.12 (Linux)",
      "connector": "ModSecurity-nginx v1.0.3",
      "secrules_engine": "DetectionOnly",
      "components": [
        "OWASP_CRS/3.3.5\""
      ]
    },

I think there is a problem because the build is v3.0.11: https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.0/images/nginx/rootfs/build.sh#L63 Maybe the build doesn't work with the commit id, but only the tag?

Best regards, Guillaume

gulecroc avatar Mar 18 '24 17:03 gulecroc

@gulecroc: Reopened this issue.

In response to this:

/reopen

Hi @strongjz and @rikatz,

The controller shows modsecurity v3.0.12 in the logs:

   "producer": {
     "modsecurity": "ModSecurity v3.0.12 (Linux)",
     "connector": "ModSecurity-nginx v1.0.3",
     "secrules_engine": "DetectionOnly",
     "components": [
       "OWASP_CRS/3.3.5\""
     ]
   },

I think there is a problem because the build is v3.0.11: https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.0/images/nginx/rootfs/build.sh#L63 Maybe the build doesn't work with the commit id, but only the tag?

Best regards, Guillaume

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 18 '24 17:03 k8s-ci-robot