Use the context to decide whether ModSecurity is enabled or not

Currently, the connector decides whether ModSecurity is enabled or not based on the configuration directive in the request's location conf. In case of an internal redirect and if ModSecurity is not enabled in the internal redirect's location conf, the log handler will not run and the transaction of the original request will not be logged. This commit extends the current behavior of the header and body filters, which assume that a null context means that ModSecurity is disabled, to the pre access and log handlers. As a result, the connector will always decide based on the original request whether ModSecurity is enabled or not.
grnet · Jun 3, 2024 · 0652b90 · 0652b90
1 parent 1f7e64c
commit 0652b90
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 20 deletions.
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
@@ -55,6 +55,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
     dd("body filter, recovering ctx: %p", ctx);
 
     if (ctx == NULL) {
+        dd("ModSecurity not enabled or an error occured");
         return ngx_http_next_body_filter(r, in);
     }
 

diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c
@@ -428,7 +428,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
 
     if (ctx == NULL)
     {
-        dd("something really bad happened or ModSecurity is disabled. going to the next filter.");
+        dd("ModSecurity not enabled or an error occured");
         return ngx_http_next_header_filter(r);
     }
 

diff --git a/src/ngx_http_modsecurity_log.c b/src/ngx_http_modsecurity_log.c
@@ -41,17 +41,9 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
 {
     ngx_pool_t                   *old_pool;
     ngx_http_modsecurity_ctx_t   *ctx;
-    ngx_http_modsecurity_conf_t  *mcf;
 
     dd("catching a new _log_ phase handler");
 
-    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (mcf == NULL || mcf->enable != 1)
-    {
-        dd("ModSecurity not enabled... returning");
-        return NGX_OK;
-    }
-
     /*
     if (r->method != NGX_HTTP_GET &&
         r->method != NGX_HTTP_POST && r->method != NGX_HTTP_HEAD) {
@@ -65,8 +57,8 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
     dd("recovering ctx: %p", ctx);
 
     if (ctx == NULL) {
-        dd("something really bad happened here. returning NGX_ERROR");
-        return NGX_ERROR;
+        dd("ModSecurity not enabled or an error occured");
+        return NGX_OK;
     }
 
     dd("calling msc_process_logging for %p", ctx);

diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
@@ -48,16 +48,9 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 #if 1
     ngx_pool_t                   *old_pool;
     ngx_http_modsecurity_ctx_t   *ctx;
-    ngx_http_modsecurity_conf_t  *mcf;
 
     dd("catching a new _preaccess_ phase handler");
 
-    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (mcf == NULL || mcf->enable != 1)
-    {
-        dd("ModSecurity not enabled... returning");
-        return NGX_DECLINED;
-    }
     /*
      * FIXME:
      * In order to perform some tests, let's accept everything.
@@ -76,8 +69,8 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 
     if (ctx == NULL)
     {
-        dd("ctx is null; Nothing we can do, returning an error.");
-        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+        dd("ModSecurity not enabled or an error occured");
+        return NGX_DECLINED;
     }
 
     if (ctx->request_body_processed) {