nginx: [emerg] "modsecurity_rules_file" directive #110

Closed
schadom opened this issue May 28, 2018 · 12 comments

schadom commented May 28, 2018

Bug Description

Nginx 1.13.12 emerges and thus fails to start if using one of the following directives modsecurity_rules_file or modsecurity_rules_remote in http{}, server{} or location{} context.

Versions affected

  • ModSecurity-nginx (latest)
  • ModSecurity v3 (latest)
  • Debian 9.4.5
  • nginx/1.13.12

Steps to reproduce

Building modsecurity and modsecurity-nginx dynamic module for nginx:

# build modsecurity
cd /opt/
git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh
./configure
make
make install

# build modsecurity-nginx module
cd /opt/
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
wget http://nginx.org/download/nginx-1.13.12.tar.gz
tar zxvf nginx-1.13.12.tar.gz
cd nginx-1.13.12
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
make modules
cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

After the module has been built without errors, configure modsecurity with modsecurity_rules_file or modsecurity_rules_remote in nginx.conf. Nginx's config-test will fail with both directives, thus nginx won't start anymore:

foo@debian ~ # cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
..
load_module modules/ngx_http_modsecurity_module.so;
..
http {
..
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
..
}

foo@debian /etc/nginx # nginx -t
nginx: [emerg] "modsecurity_rules_file" directive ??K?? in /etc/nginx/nginx.conf:73
nginx: configuration file /etc/nginx/nginx.conf test failed

and

foo@debian ~ # cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /var/run/nginx.pid;
..
load_module modules/ngx_http_modsecurity_module.so;
..
http {
..
modsecurity on;
modsecurity_rules_remote abc123 https://example.com/modsecurity.conf;
..
}

foo@debian /etc/nginx # nginx -t
nginx: [emerg] "modsecurity_rules_remote" directive  in /etc/nginx/nginx.conf:73
nginx: configuration file /etc/nginx/nginx.conf test failed

Expected result

Nginx should not emerg on modsecurity_rules_file or modsecurity_rules_remote

@schadom
Author

schadom commented May 28, 2018

Apparently the modsecurity_rules inline directive seems to work without issues. Even filtering and blocking with the SecRule below seems to work as expected:

foo@debian ~ # cat /etc/nginx/nginx.conf
..
http {
..
modsecurity on;
modsecurity_rules '
  SecRuleEngine On
  SecRequestBodyAccess On
  SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
';
..
}

Logs:

foo@debian /etc/nginx # tail -f /var/log/nginx/error.log
2018/05/28 23:05:17 [notice] 31395#31395: ModSecurity-nginx v1.0.0

foo@debian ~ # tail -f /var/log/nginx/access.log
192.168.100.200 - - [28/May/2018:23:06:34 +0200] "GET /?testparam=test123 HTTP/2.0" 403 162 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"

schadom changed the title from 'Seems to be broken with nginx/1.13.12' to 'nginx: [emerg] "modsecurity_rules_file" directive' on May 28, 2018
@schadom
Author

schadom commented May 28, 2018

Using the default nginx mainline deb package via apt from the http://nginx.org/packages/mainline/debian/ repo. Attached is the output of nginx -V:

foo@debian ~ # nginx -V
nginx version: nginx/1.13.12
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) 
built with OpenSSL 1.1.0f  25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.13.12/debian/debuild-base/nginx-1.13.12=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

@zimmerle
Contributor

Hi @schadom,

Tested with today's version of the connector and libModSec and everything seems to be working fine. You are welcome to reopen the issue in case you still face the problem in the most recent version.

One hypothesis is that the nginx binary was different from the headers used during compilation. Not sure if nginx keeps binary compatibility.

@schadom
Author

schadom commented Oct 30, 2018

> Hi @schadom,
>
> Tested with today's version of the connector and libModSec and everything seems to be working fine. You are welcome to reopen the issue in case you still face the problem in the most recent version.
>
> One hypothesis is that the nginx binary was different from the headers used during compilation. Not sure if nginx keeps binary compatibility.

Hi @zimmerle, thank you very much for having a deeper look into the issue. Will try to recompile libModSec and the connector later today and report back if the problem still persists. Regards

@diazjf

diazjf commented Nov 12, 2018

I am working on adding this feature to Kubernetes Ingress-NGINX. I encountered an issue with this particular feature.

When applying modsecurity_rules_remote I get the following:

Error: exit status 1
2018/11/12 02:39:01 [notice] 2973#2973: ModSecurity-nginx v1.0.0
2018/11/12 02:39:01 [emerg] 2973#2973: "modsecurity_rules_remote" directive  in /tmp/nginx-cfg593838611:439
nginx: [emerg] "modsecurity_rules_remote" directive  in /tmp/nginx-cfg593838611:439
nginx: configuration file /tmp/nginx-cfg593838611 test failed
nginx version: nginx/1.15.5
built by gcc 8.2.0 (Debian 8.2.0-9) 
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --modules-path=/etc/nginx/modules --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_sub_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_secure_link_module --with-http_gunzip_module --with-file-aio --without-mail_pop3_module --without-mail_smtp_module --without-mail_imap_module --without-http_uwsgi_module --without-http_scgi_module --with-cc-opt='-g -Og -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wno-deprecated-declarations -fno-strict-aliasing -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4 -DTCP_FASTOPEN=23 -fPIC -I/root/.hunter/_Base/2c5c6fc/98b522c/92161a9/Install/include -Wno-cast-function-type -m64 -mtune=native' --with-ld-opt='-fPIE -fPIC -pie -Wl,-z,relro -Wl,-z,now -L/root/.hunter/_Base/2c5c6fc/98b522c/92161a9/Install/lib' --user=www-data --group=www-data --add-module=/tmp/build/ngx_devel_kit-0.3.1rc1 --add-module=/tmp/build/set-misc-nginx-module-0.32 --add-module=/tmp/build/headers-more-nginx-module-0.33 --add-module=/tmp/build/nginx-http-auth-digest-274490cec649e7300fea97fed13d84e596bbc0ce --add-module=/tmp/build/ngx_http_substitutions_filter_module-bc58cb11844bc42735bbaef7085ea86ace46d05b --add-module=/tmp/build/lua-nginx-module-e94f2e5d64daa45ff396e262d8dab8e56f5f10e0 
--add-module=/tmp/build/lua-upstream-nginx-module-0.07 --add-module=/tmp/build/nginx-influxdb-module-0e2cb6cbf850a29c81e44be9e33d9a15d45c50e8 --add-dynamic-module=/tmp/build/nginx-opentracing-0.6.0/opentracing --add-dynamic-module=/tmp/build/ModSecurity-nginx-fc061a57a8b0abda79b17cbe103d78db803fa575 --add-dynamic-module=/tmp/build/ngx_http_geoip2_module-3.2 --add-module=/tmp/build/nginx_ajp_module-bf6cd93f2098b59260de8d494f0f4b1f11a84627 --add-module=/tmp/build/ngx_brotli

@diazjf

diazjf commented Nov 12, 2018

@diazjf

diazjf commented Nov 12, 2018

  • ModSecurity-nginx (latest)
  • ModSecurity v3 (latest)

@zimmerle
Contributor

Hi @diazjf,

Make sure your modsecurity is compiled with support for curl. Your configuration summary should show something like this:

   + LibCURL                                       ....found v7.62.0 
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL

@aledbf

aledbf commented Nov 12, 2018

@zimmerle the image mentioned by @diazjf contains the LibCURL output during the build but the issue still persists. How can I debug what is missing?

@aledbf

aledbf commented Nov 13, 2018

@zimmerle I found the issue. If the FQDN or the URL (content) is not valid I just get

nginx: [emerg] "modsecurity_rules_remote" directive  in /data/nginx.conf:441

without any context about the real issue.

@victorhora
Contributor

Reopening this issue for further investigation.

We should consider adding more helpful messages for failed SecRemoteRules download if that's the problem that @aledbf is mentioning in the end.
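
A pre-flight check for the situation reported above, where an invalid FQDN or URL makes nginx -t print an empty "modsecurity_rules_remote" message. This is an added example, not part of the thread or of ModSecurity-nginx; the function name preflight_modsec and the FETCH_CMD hook are hypothetical, and applying the same check to modsecurity_rules_file paths is an assumption.

```shell
#!/bin/sh
# Added example (not ModSecurity-nginx code): pre-flight for the rule sources
# named in an nginx config, reporting the cause that "nginx -t" leaves out.
# FETCH_CMD is a hypothetical hook; override it to stub the download offline.
# The remote-rules key is not sent, so the download step checks reachability only.
FETCH_CMD=${FETCH_CMD:-"curl -fsS --max-time 10 -o /dev/null"}

# Usage: preflight_modsec /etc/nginx/nginx.conf
# Prints one finding per problem and returns 1 if any was found.
preflight_modsec() {
    conf=$1; rc=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}; line=${line%;*}        # drop comments and the ';'
        set -f; set -- $line; set +f             # split into words, no globbing
        case ${1:-} in
        modsecurity_rules_file)
            path=$(printf '%s' "${2:-}" | tr -d "\"'")
            [ -r "$path" ] || { echo "$conf:$lineno: rules file not readable: $path"; rc=1; }
            ;;
        modsecurity_rules_remote)                # modsecurity_rules_remote <key> <url>
            url=$(printf '%s' "${3:-}" | tr -d "\"'")
            host=${url#*://}; host=${host%%/*}; host=${host%%:*}
            case $url in
            http://?*|https://?*) scheme_ok=1 ;;
            *) scheme_ok=0 ;;
            esac
            case $host in
            ''|*[!A-Za-z0-9.-]*) host_ok=0 ;;    # empty or non-hostname characters
            *) host_ok=1 ;;
            esac
            if [ "$scheme_ok" = 0 ] || [ "$host_ok" = 0 ]; then
                echo "$conf:$lineno: malformed rules URL: ${url:-<missing>}"; rc=1
            elif ! $FETCH_CMD "$url" >/dev/null 2>&1; then
                echo "$conf:$lineno: rules URL did not download: $url"; rc=1
            fi
            ;;
        esac
    done <"$conf"
    return "$rc"
}
```

Run it before nginx -t in a deployment step; a non-zero return with a named file or URL replaces the empty [emerg] text as the first thing to investigate.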

@github-actions

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days
