Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Modsecurity with Nginx #142

Open
bloodyburger opened this issue Jul 21, 2021 · 29 comments
Open

Modsecurity with Nginx #142

bloodyburger opened this issue Jul 21, 2021 · 29 comments
Labels
awaiting-approval Stale exempt

Comments

@bloodyburger
Copy link

Is it possible to add Modsecurity rules to Nginx?

@github-actions
Copy link

Thanks for opening your first issue here! Be sure to follow the bug or feature issue templates!

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stellarpower
Copy link

stellarpower commented Aug 24, 2021

I'm working on adding the required packages to Alpine; I have pushed initial commits and will add a comment here once at the stage to open an MR in their package system. I believe lsio may consider adding this but only when alpine packages are available as nginx isn't built from source as it is with other projects. In the meantime I am working on a fork here that will use the built packages for an initial setup.

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@davidecavestro
Copy link

Log4Shell hurry-up

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@lordraiden
Copy link

lordraiden commented Jan 14, 2022

@stellarpower

Any news about modsecurity and csr?

Maybe some code can be taken from this project that has no activity
https://github.com/bunkerity/bunkerized-nginx

@stellarpower
Copy link

Afraid not. I have an image built here for any who want to try: registry.gitlab.com/stellarpower/open-container-repository/docker-swag/add-modsecurity-with-manual-packages:1.18.0
I'm waiting on Alpine ot hear back. IIRC I bumped a while ago. I'd prefer some comments form someone there before opening a PR and potentially needing lots of changes before it'd be accepted, but I've not heard a peep. If I don't I'll just try to merge my brnch nad see if someone clocks it.

@lordraiden
Copy link

Afraid not. I have an image built here for any who want to try: registry.gitlab.com/stellarpower/open-container-repository/docker-swag/add-modsecurity-with-manual-packages:1.18.0 I'm waiting on Alpine ot hear back. IIRC I bumped a while ago. I'd prefer some comments form someone there before opening a PR and potentially needing lots of changes before it'd be accepted, but I've not heard a peep. If I don't I'll just try to merge my brnch nad see if someone clocks it.

Any news about this?

This project includes ModSecurity but I guess they aren't using alpine https://github.com/bunkerity/bunkerized-nginx
The problem is that the project looks dead.

@sloanja
Copy link

sloanja commented Feb 17, 2022

There's the project here: https://github.com/andrewnk/docker-alpine-nginx-modsec which uses alpine and has Modsec Nginx Connector, GeoIP, ModSec OWASP Rules, and download/extract nginx and GeoIP databases.

@stellarpower
Copy link

I already have (half) a patch in for this, and I believe we are officially waiting on alpine to bring this into the repositories and for it to enter stable. I've just heard nothing back yet, and afraid I haven't got time in the next few months for projects outside of what I need directly for work. If you want to SSO sign in to the alpine Gitlab to bump there, please do. This is what needs to move in order to bring this in. The thread is here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418

@lordraiden
Copy link

I already have (half) a patch in for this, and I believe we are officially waiting on alpine to bring this into the repositories and for it to enter stable. I've just heard nothing back yet, and afraid I haven't got time in the next few months for projects outside of what I need directly for work. If you want to SSO sign in to the alpine Gitlab to bump there, please do. This is what needs to move in order to bring this in. The thread is here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418

And can naxsi with nxtool be added?
https://github.com/nbs-system/naxsi

@stellarpower
Copy link

Naxsi is an alternative WAF, no? I think adding that would be outside the scope of modsecurity.

@lordraiden
Copy link

Naxsi is an alternative WAF, no? I think adding that would be outside the scope of modsecurity.

Yes, is another Waf with a different approach.
Just saying in case things to put modsecurity into swag doesnt go well

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@lordraiden
Copy link

Any progress with this?

@github-actions
Copy link

github-actions bot commented Jun 9, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@lordraiden
Copy link

Is there any progress? or it has been abandoned?

@j0nnymoe
Copy link
Member

Can't abandoned something that was never started.

@github-actions
Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@farzadha2
Copy link

i was also curious if this is someday be planned? i was looking around and found that modsecurity with NGINX alpine is configurable https://github.com/andrewnk/docker-alpine-nginx-modsec

@nemchik
Copy link
Member

nemchik commented Jan 2, 2023

Just to clarify, we (lsio) are not working on this. Or image installs nginx using the apk package repository. There is no package in the Alpine repository for modsecurity. We're not opposed to building some things from source, but we don't currently want to take on building nginx from source (which could include building all the currently used modules, rather than installing them via apk, but I am not positive). If there is a way to build modsecurity and use it with nginx when installed from apk we could entertain that, but it would be ideal if modsecurity were available in apk.

I'm removing the inactivity label, and adding the awaiting approval (exempt from inactivity) label.

Comments saying "this other project has nginx+modsecurity" are unfortunately not helpful to us unless the project also installs nginx via apk (not built from source), so please consider this before linking to other projects.

@nemchik nemchik added awaiting-approval Stale exempt and removed no-issue-activity labels Jan 2, 2023
@stellarpower
Copy link

I don't have any spare time for working on something like this at the moment. If others desperately want to use it, I would suggest pulling the image provided. Otherwise, please bump the people at Alpine on their gitlab and ask someone to take a look at my fork, as that is the way this will eventually make it into the SWAG image.

@stellarpower
Copy link

Okay, so update, alpine don't want to add modsecurity to their packages. The claim is that the project has been abandoned, although that isn't the impression I get so I don't really have a clear reason as to why. I'm also not aware of any alternative FOSS WAF available that might be a viable alternative.

I have open branches (libmodsec) (nginx connector) (CRS) on their gitlab that anyone is free to use (probably needed some work, hence was waiting some guidance fro the alpine community on that), and I have provided a container image above, so anyone who wants to add this themselves is free to do so obviously.

I assume there's no equivalent of a PPA with alpine packages, but that would seem an obvious to thing to do in this situation in the meantime to make it easier for those who want to to modify the image and continue pulling updates from the master branch here.

@lordraiden
Copy link

lordraiden commented May 1, 2023

Okay, so update, alpine don't want to add modsecurity to their packages. The claim is that the project has been abandoned, although that isn't the impression I get so I don't really have a clear reason as to why. I'm also not aware of any alternative FOSS WAF available that might be a viable alternative.

I have open branches (libmodsec) (nginx connector) (CRS) on their gitlab that anyone is free to use (probably needed some work, hence was waiting some guidance fro the alpine community on that), and I have provided a container image above, so anyone who wants to add this themselves is free to do so obviously.

I assume there's no equivalent of a PPA with alpine packages, but that would seem an obvious to thing to do in this situation in the meantime to make it easier for those who want to to modify the image and continue pulling updates from the master branch here.

The only alternative I know is naxsi

https://github.com/nbs-system/naxsi

@stellarpower
Copy link

stellarpower commented May 1, 2023 via email

@lordraiden
Copy link

lordraiden commented May 23, 2023

Anyway ModSecurity development is quite active
https://github.com/SpiderLabs/ModSecurity/releases
https://azure.microsoft.com/en-us/blog/microsoft-sponsors-owasp-modsecurity-crs-to-improve-application-security/

I don't understand what they mean with the project being abandoned

If I look at this example I see modsecurity with nginx with an alpine image
https://jflower.co.uk/setup-nginx-as-a-reverse-proxy-and-waf-with-modsecurity-in-docker/
https://hub.docker.com/r/owasp/modsecurity-crs/

@shinji257
Copy link

I'm not so sure on the nginx end of things. That repository is only for the library. The connector for nginx is a different repository and their last commit was 5/20/2022.

https://github.com/SpiderLabs/ModSecurity-nginx

The example links given for how to set it up doesn't use the nginx connector for ModSecurity. Rather they run nginx as the front facing server and reverse proxy to apache behind it. Apache is where ModSecurity is sitting at in the example.

As for the modsecurity-crs docker container.... It builds both apache and ngixn versions of the module from source and do not reference pre-packaged versions of it.

@loukaniko85
Copy link

Can you implement a proxy pass to a modsecurity container, similar to authelia/authentik?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
awaiting-approval Stale exempt
Projects
None yet
Development

No branches or pull requests

10 participants