New option modsecurity_error_log that can disable modsecurity loggi…
…ng into nginx error log
JakubOnderka committed Jul 2, 2024
1 parent ef64996 commit d2051c9
Showing 2 changed files with 28 additions and 8 deletions.
1 change: 1 addition & 0 deletions src/ngx_http_modsecurity_common.h
@@ -117,6 +117,7 @@ typedef struct {
void *rules_set;

ngx_flag_t enable;
ngx_flag_t error_log;
#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
ngx_flag_t sanity_checks_enabled;
#endif
35 changes: 27 additions & 8 deletions src/ngx_http_modsecurity_module.c
@@ -146,6 +146,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
intervention.log = NULL;
intervention.disruptive = 0;
ngx_http_modsecurity_ctx_t *ctx = NULL;
ngx_http_modsecurity_conf_t *mcf;

dd("processing intervention");

@@ -160,12 +161,20 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
return 0;
}

log = intervention.log;
if (intervention.log == NULL) {
log = "(no log message was specified)";
mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
if (mcf == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}

ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
// logging to nginx error log can be disable by setting `modsecurity_error_log` to off
if (mcf->error_log) {
log = intervention.log;
if (intervention.log == NULL) {
log = "(no log message was specified)";
}

ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
}

if (intervention.log != NULL) {
free(intervention.log);
@@ -226,7 +235,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
dd("intervention -- calling log handler manually with code: %d", intervention.status);
ngx_http_modsecurity_log_handler(r);
ctx->logged = 1;
}
}

if (r->header_sent)
{
@@ -465,23 +474,23 @@ static ngx_command_t ngx_http_modsecurity_commands[] = {
NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
ngx_conf_set_rules,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_modsecurity_conf_t, enable),
0,
NULL
},
{
ngx_string("modsecurity_rules_file"),
NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
ngx_conf_set_rules_file,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_modsecurity_conf_t, enable),
0,
NULL
},
{
ngx_string("modsecurity_rules_remote"),
NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE2,
ngx_conf_set_rules_remote,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_modsecurity_conf_t, enable),
0,
NULL
},
{
@@ -492,6 +501,14 @@ static ngx_command_t ngx_http_modsecurity_commands[] = {
0,
NULL
},
{
ngx_string("modsecurity_error_log"),
NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_modsecurity_conf_t, error_log),
NULL
},
ngx_null_command
};

@@ -703,6 +720,7 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
conf->rules_set = msc_create_rules_set();
conf->pool = cf->pool;
conf->transaction_id = NGX_CONF_UNSET_PTR;
conf->error_log = NGX_CONF_UNSET;
#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
conf->sanity_checks_enabled = NGX_CONF_UNSET;
#endif
@@ -742,6 +760,7 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)

ngx_conf_merge_value(c->enable, p->enable, 0);
ngx_conf_merge_ptr_value(c->transaction_id, p->transaction_id, NULL);
ngx_conf_merge_value(c->error_log, p->error_log, 1);
#if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
ngx_conf_merge_value(c->sanity_checks_enabled, p->sanity_checks_enabled, 0);
#endif
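Review bot: The new `mcf == NULL` branch in ngx_http_modsecurity_process_intervention returns NGX_HTTP_INTERNAL_SERVER_ERROR before the `free(intervention.log)` that follows the logging block, so the message buffer would be leaked on that path. Either free it there, `if (mcf == NULL) { free(intervention.log); return NGX_HTTP_INTERNAL_SERVER_ERROR; }`, or look up `mcf` before the intervention is filled in; that call, like the start and end of the function, is outside the visible hunks. Separately, with `modsecurity_error_log off` a disruptive intervention leaves no line in the nginx error log, so blocked requests are visible only through whatever audit logging the rule set configures. The comment above `if (mcf->error_log)` should say that and fix its typo, e.g. `/* modsecurity_error_log off suppresses this entry; interventions are then recorded only by ModSecurity's own audit logging, if enabled */`.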