
Question: how is setenv supposed to work in ModSecurity 3.0.x

Open duckasylum opened this issue 2 months ago • 3 comments

Hi,

In the documentation under setenv there is a sentence: "Description: Creates and updates environment variables that can be accessed by both ModSecurity and the web server."

I have a rule that detects specific form actions from GET and POST requests (parameter called "formaction"). I expanded the rule by registering a setenv variable called CUSTOMFORMACTION. This part all works - the rule triggers, writes to the log and all that. Now comes the issue.

How am I supposed to access this new env variable in Nginx? When I just try to access it by $CUSTOMFORMACTION or $customformaction I get an nginx error on startup: nginx: [emerg] unknown 'customformaction' variable. Is there a special way of accessing the variable?

My ultimate goal is to create a configuration entry like this: proxy_set_header x-custom-form-action $CUSTOMFORMACTION.

Or is there a way to add a header from a ModSecurity rule in Nginx like there is supposed to be in Apache (using mod_headers)?

Edit: From the debug log I can see that ModSecurity is creating the setenv variable with the correct value (well, it is still encapsulated between / / - but I think this would not stop it from working at this point), but in the nginx debug log I see no mention of that variable other than in generic phase 6 there is a reference to the ModSecurity rule match. Nothing like http script var event or similar.

duckasylum, Oct 17 '25 13:10

Hi @duckasylum,

Thanks for bringing this up.

> In the documentation under setenv there is a sentence: "Description: Creates and updates environment variables that can be accessed by both ModSecurity and the web server."

Correct, the setenv action does this and libmodsecurity3 supports it.

> How am I supposed to access this new env variable in Nginx? When I just try to access it by $CUSTOMFORMACTION or $customformaction I get an nginx error on startup: nginx: [emerg] unknown 'customformaction' variable. Is there a special way of accessing the variable?

Unfortunately, the current Nginx connector does not support it.

I have to check how we can solve this annoying lack of cooperation between the library and the connector.

> Or is there a way to add a header from a ModSecurity rule in Nginx like there is supposed to be in Apache (using mod_headers)?

No, unfortunately the connector does not handle the environments at all (if I'm not wrong).

> Edit: From the debug log I can see that ModSecurity is creating the setenv variable with the correct value (well, it is still encapsulated between / / - but I think this would not stop it from working at this point), but in the nginx debug log I see no mention of that variable other than in generic phase 6 there is a reference to the ModSecurity rule match. Nothing like http script var event or similar.

Yes, correct, the library creates the environment variable. We should add this to the connector too.

airween, Oct 17 '25 19:10

Do I understand correctly that the connector is currently not aware of the setenv variables created by the library?

If the connector knew about them, then the variables could be passed on, or more specifically created with the ngx_http_add_variable() function and given a value through ngx_http_set_variable_pt, and then the variable would in theory be accessible from nginx?

duckasylum, Oct 17 '25 22:10

> Do I understand correctly that the connector is currently not aware of the setenv variables created by the library?

Yes.

> If the connector knew about them, then the variables could be passed on, or more specifically created with the ngx_http_add_variable() function and given a value through ngx_http_set_variable_pt, and then the variable would in theory be accessible from nginx?

I haven't checked the related Nginx API functions yet, but if you have, probably yes.

airween, Oct 18 '25 20:10