Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx+libmodsecurity and work with gzip #251

Open
RunFox opened this issue Sep 13, 2021 · 8 comments
Open

Nginx+libmodsecurity and work with gzip #251

RunFox opened this issue Sep 13, 2021 · 8 comments

Comments

@RunFox
Copy link

RunFox commented Sep 13, 2021
edited
Loading

Hello. I use Nginx 1.20.1 + libmodsecurity-3.0.4-4.el8 as reverse proxy. When we receive request with Content-Encoding: gzip and Content-Type: application/json - activate rule from default modsecurity.conf:

SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

As I understand - we recieve data with gzip as binary content, then it send to modsecurity in binary fromat and json parser give error because data is not valid json.
I think, this is actually true for xml and any another data with compression.Is there way to work with compressed data with Modsecurity or workaround? I understand, that i can disable rule for analyze json and xml - but it's bad way, thats affect level of security.
@airween
Copy link
Member

airween commented Sep 13, 2021

May be you should take a look at this:

https://github.com/coreruleset/body-decompress-plugin

Perhaps you will get some ideas.

@RunFox
Copy link
Author

RunFox commented Sep 13, 2021

Hi, @airween
Do you work with this plugin?
Does it work with modsecurity v3?
I see this plugin for response body. Is your idea try for rewrite for processing gzip request body in fly?

@airween
Copy link
Member

airween commented Sep 13, 2021

Do you work with this plugin?

no, just tested,

Does it work with modsecurity v3?

this plugin has made for mod_security2, but with few modifications it works with v3 too.

I see this plugin for response body. Is your idea try for rewrite for processing gzip request body in fly?

No, the author is @azurit.

@RunFox
Copy link
Author

RunFox commented Sep 13, 2021
edited
Loading

Thank you for idea)

this plugin has made for mod_security2, but with few modifications it works with v3 too

What kind of modification was done? In plugin's description there is information "for embedded". Did you try it with reverse-proxy configuration? How fast does it work?)

@azurit
Copy link

azurit commented Sep 13, 2021

As you are running in reverse proxy mode, please see SecDisableBackendCompression ModSecurity configuration directive.

@RunFox
Copy link
Author

RunFox commented Sep 13, 2021

As you are running in reverse proxy mode, please see SecDisableBackendCompression ModSecurity configuration directive.

@azurit hello and thank you for anwer)
Unfortunately, as i know, SecDisableBackendCompression is not support in modsecurity v3

@azurit
Copy link

azurit commented Sep 14, 2021

Ok, so please try my plugin as @airween suggested, as far as i remember, it should work with modsec3. Note that you need support for Lua in modsec.

@RunFox
Copy link
Author

RunFox commented Sep 14, 2021

@azurit thank you, i will try)

@Lenny1791 Lenny1791 mentioned this issue Nov 5, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@airween @azurit @RunFox