Disable default modsecurity_rules_file if modsecurity-snippet is specified (#8021)
* Disabled default modsecurity_rules_file if modsecurity-snippet is specifed The default modsecurity_rules_file overwrites the ModSecurity-snippet if it is specified with custom config settings like "SecRuleEngine On". This will not let Modsecurity be in blocking mode even if "SecRuleEngine On" is specified in the ModSecurity-snippet configuration * Remove unnecessary comments Only have the default Modsecurity conf settings in case Modsecurity configuration snippet is not present and remove unnecessary comments * Fixed modsecurity default file only if Modsecurity snippet present Fixed if condition Modsecurity snippet present have modsecurity default config file * Added e2e test to disabling modsecurity conf Added e2e in case modsecurity-snippet enabled to disable settings in default modsecurity.conf * Validate writing to a different location Validate also modsecurity to write to a different location instead of the default directory * Fixed the formatting * Fixed if empty ModsecuritySnippet * Fixed ModsecuritySnippet condition * Fixed the condition also in ingress controller template * Removed the default config condition in ingress controller template * Fixed the default config condition in ingress controller template * Fixed pull-ingress-nginx-test * Revert "Fixed the default config condition in ingress controller template" This reverts commit 9d38eca40fe615a4c756500ca57b05634240edde. * Revert template_test * Adjusted the formating %v
This commit is contained in:
Moh Basher
GitHub
parent
2ff5af08d4
commit
fea7fed6da
4 changed files with 43 additions and 6 deletions
|
|
@ -342,4 +342,41 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
Expect().
|
||||
Status(http.StatusOK)
|
||||
})
|
||||
|
||||
ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() {
|
||||
host := "modsecurity.foo.com"
|
||||
nameSpace := f.Namespace
|
||||
|
||||
snippet := `SecRuleEngine On
|
||||
SecRequestBodyAccess On
|
||||
SecAuditEngine RelevantOnly
|
||||
SecAuditLogParts ABIJDEFHZ
|
||||
SecAuditLogType Concurrent
|
||||
SecAuditLog /var/tmp/modsec_audit.log
|
||||
SecAuditLogStorageDir /var/tmp/
|
||||
SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
|
||||
|
||||
annotations := map[string]string{
|
||||
"nginx.ingress.kubernetes.io/enable-modsecurity": "true",
|
||||
"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
|
||||
}
|
||||
f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "load_module, lua_package, _by_lua, location, root, {, }")
|
||||
// Sleep a while just to guarantee that the configmap is applied
|
||||
framework.Sleep()
|
||||
ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
|
||||
f.EnsureIngress(ing)
|
||||
|
||||
f.WaitForNginxServer(host,
|
||||
func(server string) bool {
|
||||
return !strings.Contains(server, "modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;") &&
|
||||
strings.Contains(server, "SecAuditLog /var/tmp/modsec_audit.log")
|
||||
})
|
||||
|
||||
f.HTTPTestClient().
|
||||
GET("/").
|
||||
WithHeader("Host", host).
|
||||
WithHeader("User-Agent", "block-ua").
|
||||
Expect().
|
||||
Status(http.StatusForbidden)
|
||||
})
|
||||
})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue