Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Snippet for ModSecurity #3400

Merged
merged 1 commit into from
Nov 17, 2018
Merged

Add Snippet for ModSecurity #3400

merged 1 commit into from
Nov 17, 2018

Conversation

diazjf
Copy link

@diazjf diazjf commented Nov 12, 2018
edited
Loading

Adds a custom snippet to configure modsecurity.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 12, 2018
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 12, 2018
@diazjf
Copy link
Author

diazjf commented Nov 12, 2018

Waiting on owasp-modsecurity/ModSecurity-nginx#110

@aledbf
Copy link
Member

aledbf commented Nov 12, 2018

@diazjf I am checking owasp-modsecurity/ModSecurity-nginx#110 (comment) in the build of the image

@aledbf
Copy link
Member

aledbf commented Nov 12, 2018

@diazjf please rebase from master (#3406 is merged)

@diazjf
Copy link
Author

diazjf commented Nov 12, 2018 

-------------------------------------------------------------------------------
W1112 18:51:38.925063       8 queue.go:130] requeuing e2e-tests-modsecuritylocation-1542048379881314035-5xs66/modsecurity.foo.com, err 
-------------------------------------------------------------------------------
Error: exit status 1
2018/11/12 18:51:38 [notice] 1691#1691: ModSecurity-nginx v1.0.0
2018/11/12 18:51:38 [emerg] 1691#1691: "modsecurity_rules_remote" directive  in /tmp/nginx-cfg622971149:447
nginx: [emerg] "modsecurity_rules_remote" directive  in /tmp/nginx-cfg622971149:447
nginx: configuration file /tmp/nginx-cfg622971149 test failed
-------------------------------------------------------------------------------

Still occurring after rebase.

^ @aledbf

@aledbf
Copy link
Member

aledbf commented Nov 12, 2018

@diazjf I just posted a comment in the modsecurity issue

@aledbf
Copy link
Member

aledbf commented Nov 12, 2018

@diazjf can you run the e2e tests locally adding the flag --v=2 here https://github.com/kubernetes/ingress-nginx/blob/master/test/manifests/ingress-controller/mandatory.yaml#L211
(I want to see the generated nginx.conf because nginx is not saying the directive is invalid)

@diazjf
Copy link
Author

diazjf commented Nov 13, 2018

@aledbf the above is when I cat a failed nginx.conf from the test.

@aledbf
Copy link
Member

aledbf commented Nov 13, 2018
edited
Loading

@diazjf I found the issue/s:

nginx: [emerg] "modsecurity_rules_remote" directive  in /data/2:441

Because all that, you need to check the URL is HTTPS and the resource exist while parsing the annotation.

@diazjf
Copy link
Author

diazjf commented Nov 13, 2018

@aledbf would it make sense for me to send a request to the URL to make sure it exists?

@diazjf
Copy link
Author

diazjf commented Nov 13, 2018

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 13, 2018
diazjf
diazjf commented Nov 14, 2018
View reviewed changes
images/modsecurity/nginx.conf Outdated Show resolved Hide resolved
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 15, 2018
@diazjf diazjf changed the title Add Remote Rules and Snippet for ModSecurity Add Snippet for ModSecurity Nov 15, 2018
@diazjf
Copy link
Author

diazjf commented Nov 15, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 15, 2018
@diazjf
Copy link
Author

diazjf commented Nov 15, 2018

@aledbf adding the RemoteRules feature doesn't seem to be feasible at the moment. There arn't any(that I've seen) guides on how to configure your own server.

I have changed the PR to just include the snippet. Remote Rules can be added that way in case anyone needs to use them.

@diazjf
Copy link
Author

diazjf commented Nov 15, 2018

/retest

@diazjf
Copy link
Author

diazjf commented Nov 15, 2018

/test all

Add a Snippet for ModSecurity
95b3042 
Allows for the configuration of Mod Security rules via
a Snippet.
@diazjf
Copy link
Author

diazjf commented Nov 16, 2018

/assign @aledbf

@aledbf
Copy link
Member

aledbf commented Nov 17, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 17, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, diazjf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 17, 2018
@aledbf
Copy link
Member

aledbf commented Nov 17, 2018

@diazjf thanks!

@k8s-ci-robot k8s-ci-robot merged commit 442b01e into kubernetes:master Nov 17, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antoineco antoineco Awaiting requested review from antoineco

@ElvinEfendi ElvinEfendi Awaiting requested review from ElvinEfendi

Assignees

@aledbf aledbf

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@diazjf @aledbf @k8s-ci-robot