ingress-nginx
Update modsecurity module to 3.0.11
Hi,
Could you update modsecurity module to 3.0.11 ?
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11
Best regards,
Guillaume
Hi,
The current Nginx Ingress Controller version comes with ModSecurity 3.0.8. The OWASP security rules bundled make use of "expirevar". This is not supported by ModSecurity 3.0.8, therefore those rules simply don't work, although there are no error messages.
This was fixed in 3.0.11: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11
I think it becomes urgent to migrate Nginx controller to ModSecurity 3.0.11.
Thank you for your great work.
/triage accepted
/priority important-longterm
cc @tao12345666333 @strongjz @rikatz
@gulecroc if you open a PR we can accept, the line change is here https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/rootfs/build.sh#L62
I hope it's ok. I'm not very familiar with the procedures ...
you just need to sign the cncf cla before we can accept it.
@strongjz I signed something named CLA, I hope it's ok now.
It seems this issue was resolved with controller version 1.9.6.
@BernhardGruen you're right, I was waiting for the release. Fix in v1.9.6. Thank you @iliuta
I just upgraded chart v4.8.4 to v4.9.1 with controller v1.9.6, but the modsecurity lib version is still v3.0.8:
"producer": {
    "components": [
        "OWASP_CRS/3.3.5\""
    ],
    "secrules_engine": "DetectionOnly",
    "connector": "ModSecurity-nginx v1.0.3",
    "modsecurity": "ModSecurity v3.0.8 (Linux)"
},
@iliuta do you have the same ?
@gulecroc I'm sorry, where should I look for that json snippet?
But, in any case, the reason I needed modsecurity 3.0.11 is for having DOS rules work (expirevar directive). I also installed the newest helm chart, tested it, but DOS rules are still not working. So I guess either there is a problem with ModSecurity itself or the right version is finally not included in the nginx's build.
@iliuta to test it, I add a custom rule to my Ingress (could be set on the chart too):
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecRule REQUEST_HEADERS:User-Agent "fern-scanner" "log,deny,id:99,status:403,msg:'Fern Scanner Identified again'"
Then I just called my service: curl https://url/ -k -H "user-agent: fern-scanner"
This will generate an ingress log with the ModSecurity information.
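One way to automate the check this thread keeps coming back to (an added example, not code from the issue or from the ingress-nginx project): parse the audit JSON the controller logs after the curl test above and confirm that the running engine, not build.sh, reports at least 3.0.11, since older engines silently ignore the expirevar the CRS DoS rules depend on. The log lines are constructed from the "producer" blocks quoted in the thread; the "transaction" wrapper and the timestamp prefix are assumptions.

```python
"""Verify the ModSecurity version an ingress-nginx audit log line reports.

Added example, not part of the issue thread or of ingress-nginx. Sample
lines are constructed from the thread's "producer" blocks; the surrounding
"transaction" object and the log prefix are assumed, not taken from a pod.
"""
import json
import re
from typing import Optional

MIN_VERSION = (3, 0, 11)  # first release where expirevar works, per the thread

# Constructed sample lines: optional text prefix, then the JSON audit record.
SAMPLE_OLD = ('2024/01/10 10:00:00 [error] 31#31: ModSecurity: '
              '{"transaction": {"producer": {"modsecurity": "ModSecurity v3.0.8 (Linux)", '
              '"connector": "ModSecurity-nginx v1.0.3", "secrules_engine": "DetectionOnly", '
              '"components": ["OWASP_CRS/3.3.5\\""]}}}')
SAMPLE_NEW = ('{"transaction": {"producer": {"modsecurity": "ModSecurity v3.0.12 (Linux)", '
              '"connector": "ModSecurity-nginx v1.0.3", "secrules_engine": "DetectionOnly", '
              '"components": ["OWASP_CRS/3.3.5\\""]}}}')

def extract_json(line: str) -> Optional[dict]:
    """Return the first JSON object embedded in a log line, or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def parse_version(producer_string: str) -> Optional[tuple]:
    """'ModSecurity v3.0.8 (Linux)' -> (3, 0, 8); None if no version found."""
    m = re.search(r"v(\d+)\.(\d+)\.(\d+)", producer_string)
    return tuple(int(x) for x in m.groups()) if m else None

def check_producer(line: str) -> dict:
    """Report the engine version, whether expirevar-dependent rules can work,
    and whether the engine is actually blocking (DetectionOnly never denies)."""
    record = extract_json(line)
    producer = (record or {}).get("transaction", {}).get("producer", {})
    version = parse_version(producer.get("modsecurity", ""))
    return {
        "version": version,
        "expirevar_supported": version is not None and version >= MIN_VERSION,
        "blocking": producer.get("secrules_engine") == "On",
    }
```

Run it over `kubectl logs` output of the controller pod after sending the test request; a "DetectionOnly" engine explains a rule that logs but never returns 403.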
Hi @strongjz,
Do you have any idea why, after upgrading the chart to v4.9.1 with controller v1.9.6, the modsecurity version is still v3.0.8?
I checked the branch and it seems good:
- release-1.9 : https://github.com/kubernetes/ingress-nginx/blob/release-1.9/images/nginx/rootfs/build.sh#L63
- controller 1.9.6 : https://github.com/kubernetes/ingress-nginx/blob/controller-v1.9.6/images/nginx/rootfs/build.sh#L63
Controller logs :
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v1.9.6
Build: 6a73aa3b05040a97ef8213675a16142a9c95952a
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6
-------------------------------------------------------------------------------
Image : registry.k8s.io/ingress-nginx/controller:v1.9.6@sha256:1405cc613bd95b2c6edd8b2a152510ae91c7e62aea4698500d23b2145960ab9c
Thank you.
Let me look into it. It may have been missed in the cherry pick for the latest release. I'm at an offsite this week for work, so it might be next week and next release, 1.9.7 or 1.10.0.
/assign @strongjz
/close
This is updated on v1.10.0
@rikatz: Closing this issue.
In response to this:
/close
This is updated on v1.10.0
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @strongjz @gulecroc , thanks for the release. I've just tested and it seems to work.
/reopen
Hi @strongjz and @rikatz,
The controller shows modsecurity v3.0.12 in the logs:
"producer": {
    "modsecurity": "ModSecurity v3.0.12 (Linux)",
    "connector": "ModSecurity-nginx v1.0.3",
    "secrules_engine": "DetectionOnly",
    "components": [
        "OWASP_CRS/3.3.5\""
    ]
},
I think there is a problem because the build is v3.0.11: https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.0/images/nginx/rootfs/build.sh#L63 Maybe the build doesn't work with the commit id, but only the tag?
Best regards, Guillaume
@gulecroc: Reopened this issue.
In response to this:
/reopen
Hi @strongjz and @rikatz,
The controller shows modsecurity v3.0.12 in the logs:
"producer": { "modsecurity": "ModSecurity v3.0.12 (Linux)", "connector": "ModSecurity-nginx v1.0.3", "secrules_engine": "DetectionOnly", "components": [ "OWASP_CRS/3.3.5\"" ] },
I think there is a problem because the build is v3.0.11: https://github.com/kubernetes/ingress-nginx/blob/controller-v1.10.0/images/nginx/rootfs/build.sh#L63 Maybe the build doesn't work with the commit id, but only the tag?
Best regards, Guillaume
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.