Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

modsecurity 3.0 interferes with nginx even when disabled. #3336

Closed
debugnetiq1 opened this issue Feb 3, 2025 · 6 comments
Closed

modsecurity 3.0 interferes with nginx even when disabled. #3336

debugnetiq1 opened this issue Feb 3, 2025 · 6 comments
Labels
3.x Related to ModSecurity version 3.x

Comments

@debugnetiq1
Copy link

Site running joomla 3.9

In modsecurity.conf disabled engine to see where the issue is
#SecRuleEngine On
SecRuleEngine Off

Using modsecurity-3.conf-recommended w/o any change except the above and SecDebugLog

Version:
2025/02/03 04:33:09 [notice] 2074355#2074355: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/49/0)
2025/02/03 04:33:09 [notice] 2074355#2074355: libmodsecurity3 version 3.0.13

Activated debug log for modsecurity

SecDebugLog /var/log/nginx/modsecurity_debug.log
SecDebugLogLevel 4

Can't see in the log any error or hint of a "block" action

In nginx.conf
. . .
location ~* ^.*{
limit_req zone=speedbump_req burst=20;
limit_conn speedbump_conn 10;
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity.conf;
proxy_cache nginx_cache;
. . .

With modsecurity off or commented out

Image

With modsecurity on

Image

nginx build
configure arguments: --build=welcome
--prefix=/usr/share/nginx-1.26.2
--sbin-path=/usr/sbin/nginx-1.26.2
--modules-path=/usr/lib64/nginx-1.26.2/modules
--conf-path=/etc/ng inx-1.26.2/nginx-1.26.2.conf
--error-log-path=/var/log/nginx-1.26.2/error.log
--http-log-path=/var/log/nginx-1.26.2/access.log
--http-client-body-temp-path=/var/lib/nginx- 1.26.2/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx-1.26.2/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx-1.26.2/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/nginx-1.26.2/tmp/uwsgi
--http-scgi-temp-path=/var/lib/nginx-1.26.2/tmp/scgi
--pid-path=/var/run/nginx.pid
--lock-path=/var/lock/subsys/nginx-1.26.2
--user=nginx
--group=nginx
...
--with-stream=dynamic
--with-stream_ssl_module
--with-compat
--add-dynamic-module=/var/www/data/packages/ModSecurity-nginx

modsecurity_debug.log:

modsecurity_debug.log
@debugnetiq1 debugnetiq1 added the 3.x Related to ModSecurity version 3.x label Feb 3, 2025
@airween
Copy link
Member

airween commented Feb 3, 2025

Hi @debugnetiq1,

do you use latest stable ModSecurity-nginx connector (from here) or you cloned from Github with the current state? If you use the current GH state, probably you ran into this issue.

@debugnetiq1
Copy link
Author

Ubuntu 24.01 x64 with latest modsecurity-nginx 1.0.3 (which seems broken - similar issue reported in the link)

Then what's the working recipe? Which versions should be relied upon?

Thanks

https://otland.net/threads/how-to-build-nginx-from-source-and-optimize-it-for-security-and-performance-including-tls.288892/
https://sys-ops.id/install-owasp-modsecurity-with-nginx-on-ubuntu-2404/
git clone https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity
git submodule init && git submodule update

./build.sh
./configure
make && make install

nginx connector for mod-security:
cd /var/www/data/packages/
git clone https://github.com/SpiderLabs/ModSecurity-nginx.git

In the logs
2025/02/03 04:33:09 [notice] 2074355#2074355: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/49/0)
2025/02/03 04:33:09 [notice] 2074355#2074355: libmodsecurity3 version 3.0.13

@airween
Copy link
Member

airween commented Feb 3, 2025

Then what's the working recipe? Which versions should be relied upon?

As I hinted in my previous comment you should use the latest stable release, grab it from here.

@rejarevaldy
Copy link

rejarevaldy commented Feb 4, 2025
edited
Loading

Then what's the working recipe? Which versions should be relied upon?

As I hinted in my previous comment you should use the latest stable release, grab it from here.

I encountered the same issue as @debugnetiq1. After reinstalling the connector using the latest stable release here and following the steps below, ModSecurity started working correctly:

Steps to Resolve:

  1. Download and Extract Nginx:

    wget https://nginx.org/download/nginx-1.26.2.tar.gz -O /tmp/rebuild/nginx-1.26.2.tar.gz
tar -zxvf /tmp/rebuild/nginx-1.26.2.tar.gz -C /tmp/rebuild

  2. Download and Extract the ModSecurity Connector:

    wget https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v1.0.3/modsecurity-nginx-v1.0.3.tar.gz -O /tmp/rebuild/modsecurity-nginx-v1.0.3.tar.gz
tar -zxvf /tmp/rebuild/modsecurity-nginx-v1.0.3.tar.gz -C /tmp/rebuild/

  3. Compile Nginx with the ModSecurity Connector:

    cd /tmp/rebuild/nginx-1.26.2
./configure --with-compat --add-dynamic-module=/tmp/rebuild/modsecurity-nginx-v1.0.3
make
sudo make install

  4. Move and Enable the Module:

    sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules-available/
sudo ln -sf /etc/nginx/modules-available/ngx_http_modsecurity_module.so /etc/nginx/modules-enabled/ngx_http_modsecurity_module.so

@airween
Copy link
Member

airween commented Feb 12, 2025

Do we need to keep open this issue?

@airween
Copy link
Member

airween commented Feb 18, 2025

I'm going to close this issue. For the references, please take a look at PR's ModSecurity-nginx/344 (I mentioned that here) and also this one.

@airween airween closed this as completed Feb 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.x Related to ModSecurity version 3.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@airween @debugnetiq1 @rejarevaldy