Modsecurity with Nginx #142
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I'm working on adding the required packages to Alpine; I have pushed initial commits and will add a comment here once I'm at the stage of opening an MR in their package system. I believe lsio may consider adding this, but only when Alpine packages are available, as nginx isn't built from source as it is with other projects. In the meantime I am working on a fork here that will use the built packages for an initial setup.
Log4Shell hurry-up
Any news about modsecurity and csr? Maybe some code can be taken from this project that has no activity.
Afraid not. I have an image built here for any who want to try:
Any news about this? This project includes ModSecurity, but I guess they aren't using alpine: https://github.com/bunkerity/bunkerized-nginx
There's the project here: https://github.com/andrewnk/docker-alpine-nginx-modsec which uses alpine and has the ModSec Nginx Connector, GeoIP, ModSec OWASP Rules, and downloads/extracts nginx and the GeoIP databases.
I already have (half) a patch in for this, and I believe we are officially waiting on Alpine to bring this into the repositories and for it to enter stable. I've just heard nothing back yet, and I'm afraid I haven't got time in the next few months for projects outside of what I need directly for work. If you want to SSO sign in to the Alpine GitLab to bump there, please do. This is what needs to move in order to bring this in. The thread is here: https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418
And can naxsi with nxtool be added?
Naxsi is an alternative WAF, no? I think adding that would be outside the scope of modsecurity.
Yes, it is another WAF with a different approach.
Any progress with this?
Is there any progress? Or has it been abandoned?
Can't abandon something that was never started.
I was also curious if this is planned for someday? I was looking around and found that modsecurity with NGINX on alpine is configurable: https://github.com/andrewnk/docker-alpine-nginx-modsec
Just to clarify, we (lsio) are not working on this. Our image installs nginx using the apk package repository. There is no package in the Alpine repository for modsecurity. We're not opposed to building some things from source, but we don't currently want to take on building nginx from source (which could include building all the currently used modules, rather than installing them via apk, but I am not positive). If there is a way to build modsecurity and use it with nginx when installed from apk we could entertain that, but it would be ideal if modsecurity were available in apk.

I'm removing the inactivity label, and adding the awaiting approval (exempt from inactivity) label.

Comments saying "this other project has nginx+modsecurity" are unfortunately not helpful to us unless the project also installs nginx via apk (not built from source), so please consider this before linking to other projects.
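The arrangement the comment above says it could entertain (nginx stays installed from apk; ModSecurity is added on top) is exactly what nginx's dynamic-module mechanism allows, provided the module is compiled against the same nginx version with --with-compat. The two-stage Dockerfile below is an added illustration written for this thread; it is not lsio's code and not taken from the SWAG image or from any of the linked projects. It assumes a plain alpine base rather than lsio's base image, that Alpine's packaged nginx is built with --with-compat and that its nginx.conf includes /etc/nginx/modules/*.conf (both true of current Alpine packages, but check with `nginx -V` and `grep modules /etc/nginx/nginx.conf`), that the SpiderLabs repositories at the URLs used in this thread are reachable, and that the checked-out v3 revision of libmodsecurity accepts --with-pcre2.

```dockerfile
# syntax=docker/dockerfile:1
# Added example for this thread, not SWAG's own Dockerfile. Assumptions are noted inline.
ARG ALPINE_VERSION=3.18

# Stage 1: build libmodsecurity and the nginx connector against the exact nginx
# version that apk installs, so the module's binary signature matches the packaged nginx.
FROM alpine:${ALPINE_VERSION} AS builder

RUN apk add --no-cache nginx build-base git autoconf automake libtool pkgconfig \
        linux-headers pcre2-dev libxml2-dev yajl-dev curl-dev zlib-dev openssl-dev

WORKDIR /src

# libmodsecurity v3. --with-pcre2 assumes a v3 revision that supports it (assumption:
# 3.0.7 and later); drop the flag and swap pcre2-dev for pcre-dev on older checkouts.
RUN git clone --depth 1 --branch v3/master --single-branch \
        https://github.com/SpiderLabs/ModSecurity \
    && cd ModSecurity \
    && git submodule update --init --recursive \
    && ./build.sh \
    && ./configure --prefix=/usr/local/modsecurity --with-pcre2 --disable-doxygen-doc \
    && make -j"$(nproc)" \
    && make install

# The connector: fetch the nginx source matching `nginx -v` of the apk package and build
# only the dynamic module. --with-compat is what lets the .so load into the packaged
# nginx even though its other ./configure flags differ from this build.
RUN git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx \
    && NGINX_VERSION="$(nginx -v 2>&1 | sed -n 's#^nginx version: nginx/##p')" \
    && wget -qO- "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" | tar -xz \
    && cd "nginx-${NGINX_VERSION}" \
    && MODSECURITY_INC=/usr/local/modsecurity/include \
       MODSECURITY_LIB=/usr/local/modsecurity/lib \
       ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx \
    && make -j"$(nproc)" modules \
    && mkdir -p /out \
    && cp objs/ngx_http_modsecurity_module.so /out/

# Stage 2: the runtime image still installs nginx from apk. Only the module, the shared
# library and its runtime dependencies are layered on top.
FROM alpine:${ALPINE_VERSION}

RUN apk add --no-cache nginx libstdc++ pcre2 libxml2 yajl libcurl

# /usr/local/lib is on musl's default library search path, so no ldconfig step is needed.
COPY --from=builder /usr/local/modsecurity/lib/libmodsecurity.so* /usr/local/lib/
COPY --from=builder /out/ngx_http_modsecurity_module.so /usr/lib/nginx/modules/
COPY --from=builder /src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf
COPY --from=builder /src/ModSecurity/unicode.mapping /etc/nginx/modsec/unicode.mapping

# Alpine's packaged nginx.conf includes /etc/nginx/modules/*.conf (assumption, see lead-in),
# so a one-line file is enough to load the module. `nginx -t` fails the image build if the
# module signature does not match the installed nginx, which is the check to re-run every
# time apk bumps the nginx package.
RUN mkdir -p /etc/nginx/modules \
    && echo 'load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;' \
        > /etc/nginx/modules/modsecurity.conf \
    && printf 'Include /etc/nginx/modsec/modsecurity.conf\n' > /etc/nginx/modsec/main.conf \
    && nginx -t
```

To enable the engine, add `modsecurity on;` and `modsecurity_rules_file /etc/nginx/modsec/main.conf;` to the server or location blocks that should be inspected, and append the CRS includes (crs-setup.conf and rules/*.conf) to main.conf once the rule set is unpacked. The recommended configuration ships with `SecRuleEngine DetectionOnly`; leave it there until the audit log (SecAuditLog in modsecurity.conf) shows no false positives for the proxied applications, then switch it to On. The module is tied to one nginx version, so an apk upgrade of nginx requires rebuilding the image; a mismatch shows up at `nginx -t` as a "not binary compatible" error rather than at request time.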
I don't have any spare time for working on something like this at the moment. If others desperately want to use it, I would suggest pulling the image provided. Otherwise, please bump the people at Alpine on their GitLab and ask someone to take a look at my fork, as that is the way this will eventually make it into the SWAG image.
Okay, so update: Alpine doesn't want to add modsecurity to their packages (https://gitlab.alpinelinux.org/alpine/aports/-/issues/9418#note_303804). The claim is that the project has been abandoned, although that isn't the impression I get, so I don't really have a clear reason as to why. I'm also not aware of any alternative FOSS WAF available that might be a viable alternative.

I have open branches on their GitLab for libmodsec (https://gitlab.alpinelinux.org/stellarpower/aports/-/tree/testing/libmodsecurity), the nginx connector (https://gitlab.alpinelinux.org/stellarpower/aports/-/tree/testing/nginx-mod-http-modsecurity) and the CRS (https://gitlab.alpinelinux.org/stellarpower/aports/-/tree/testing/modsecurity-crs) that anyone is free to use (they probably need some work, hence I was waiting on some guidance from the Alpine community on that), and I have provided a container image above, so anyone who wants to add this themselves is free to do so, obviously.

I assume there's no equivalent of a PPA with Alpine packages, but that would seem an obvious thing to do in this situation in the meantime, to make it easier for those who want to modify the image and continue pulling updates from the master branch here.
The only alternative I know is naxsi |
I think I remember looking at this some time ago. Looks like the latest release was two years ago, so possibly alpine is gonna be even less inclined to incorporate it.
Is there an equivalent of the CRS available? As I think having a ready-to-go set of rules is key.
On 1 May 2023 16:33:39, lordraiden wrote:
> The best option is to go with naxsi
> https://github.com/nbs-system/naxsi
Anyway, ModSecurity development is quite active. I don't understand what they mean with the project being abandoned. If I look at this example I see modsecurity with nginx with an alpine image.
I'm not so sure on the nginx end of things. That repository is only for the library. The connector for nginx is a different repository, and their last commit was 5/20/2022: https://github.com/SpiderLabs/ModSecurity-nginx

The example links given for how to set it up don't use the nginx connector for ModSecurity. Rather, they run nginx as the front-facing server and reverse proxy to apache behind it. Apache is where ModSecurity is sitting in the example.

As for the modsecurity-crs docker container... it builds both the apache and nginx versions of the module from source and does not reference pre-packaged versions of it.
Can you implement a proxy pass to a modsecurity container, similar to authelia/authentik? |
Is it possible to add Modsecurity rules to Nginx?