From 0652b900e8b177375d1217db15092ecceb638aff Mon Sep 17 00:00:00 2001
From: Marios Levogiannis
Date: Thu, 19 May 2022 14:05:07 +0300
Subject: [PATCH] Use the context to decide whether ModSecurity is enabled or not
Currently, the connector decides whether ModSecurity is enabled or not based on the configuration directive in the request's location conf. In case of an internal redirect and if ModSecurity is not enabled in the internal redirect's location conf, the log handler will not run and the transaction of the original request will not be logged. This commit extends the current behavior of the header and body filters, which assume that a null context means that ModSecurity is disabled, to the pre access and log handlers. As a result, the connector will always decide based on the original request whether ModSecurity is enabled or not.
---
 src/ngx_http_modsecurity_body_filter.c | 1 +
 src/ngx_http_modsecurity_header_filter.c | 2 +-
 src/ngx_http_modsecurity_log.c | 12 ++----------
 src/ngx_http_modsecurity_pre_access.c | 11 ++---------
 4 files changed, 6 insertions(+), 20 deletions(-)
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
index ae0749c..c073de7 100644
--- a/src/ngx_http_modsecurity_body_filter.c
+++ b/src/ngx_http_modsecurity_body_filter.c
@@ -55,6 +55,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 dd("body filter, recovering ctx: %p", ctx);
 if (ctx == NULL) {
+ dd("ModSecurity not enabled or an error occured");
 return ngx_http_next_body_filter(r, in);
 }
diff --git a/src/ngx_http_modsecurity_header_filter.c b/src/ngx_http_modsecurity_header_filter.c
index c3af172..f857384 100644
--- a/src/ngx_http_modsecurity_header_filter.c
+++ b/src/ngx_http_modsecurity_header_filter.c
@@ -428,7 +428,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
 if (ctx == NULL) {
- dd("something really bad happened or ModSecurity is disabled. going to the next filter.");
+ dd("ModSecurity not enabled or an error occured");
 return ngx_http_next_header_filter(r);
 }
diff --git a/src/ngx_http_modsecurity_log.c b/src/ngx_http_modsecurity_log.c
index 254bc1c..a17bf6f 100644
--- a/src/ngx_http_modsecurity_log.c
+++ b/src/ngx_http_modsecurity_log.c
@@ -41,17 +41,9 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
 {
 ngx_pool_t *old_pool;
 ngx_http_modsecurity_ctx_t *ctx;
- ngx_http_modsecurity_conf_t *mcf;
 dd("catching a new _log_ phase handler");
- mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
- if (mcf == NULL || mcf->enable != 1)
- {
- dd("ModSecurity not enabled... returning");
- return NGX_OK;
- }
-
 /* if (r->method != NGX_HTTP_GET && r->method != NGX_HTTP_POST && r->method != NGX_HTTP_HEAD) {
@@ -65,8 +57,8 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
 dd("recovering ctx: %p", ctx);
 if (ctx == NULL) {
- dd("something really bad happened here. returning NGX_ERROR");
- return NGX_ERROR;
+ dd("ModSecurity not enabled or an error occured");
+ return NGX_OK;
 }
 dd("calling msc_process_logging for %p", ctx);
diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
index dc1a499..5085fa5 100644
--- a/src/ngx_http_modsecurity_pre_access.c
+++ b/src/ngx_http_modsecurity_pre_access.c
@@ -48,16 +48,9 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 #if 1
 ngx_pool_t *old_pool;
 ngx_http_modsecurity_ctx_t *ctx;
- ngx_http_modsecurity_conf_t *mcf;
 dd("catching a new _preaccess_ phase handler");
- mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
- if (mcf == NULL || mcf->enable != 1)
- {
- dd("ModSecurity not enabled... returning");
- return NGX_DECLINED;
- }
 /* * FIXME: * In order to perform some tests, let's accept everything.
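Review bot: Neither handler documents that the presence of a context is now the only enable signal, which matters once the first ngx_http_modsecurity_log.c hunk (`@@ -41,17 +41,9 @@`) and the first pre-access hunk (`@@ -48,16 +48,9 @@`) drop the location-conf check. A comment above the context lookup in each function would record the contract the commit message describes, for example `/* ctx exists only if ModSecurity was enabled for the original request; the current location's setting is intentionally not consulted, so internal redirects are still processed */`. Both handlers begin and end outside these hunks, so the exact placement should be checked against the full functions.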
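Review bot: The `ctx == NULL` branch in the second ngx_http_modsecurity_log.c hunk (`@@ -65,8 +57,8 @@`) now returns `NGX_OK` for both cases its message names, so a context that is missing because of a fault, rather than because ModSecurity is off, no longer produces an error and the transaction goes unlogged. The second pre-access hunk (`@@ -76,8 +69,8 @@`) has the same merge with a heavier consequence: `NGX_DECLINED` replaces `NGX_HTTP_INTERNAL_SERVER_ERROR`, so that path now fails open and the request proceeds uninspected. `dd()` appears to be a debug-build macro, so nothing may be recorded in production. Where the context is created, and the rest of both handlers, is outside these hunks; if a creation failure can leave it NULL, I would keep the location lookup just for reporting, e.g. `if (mcf != NULL && mcf->enable == 1) ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ModSecurity: enabled here but no transaction context");` before the return. The new debug string also misspells `occurred` in all four files.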
@@ -76,8 +69,8 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
 if (ctx == NULL) {
- dd("ctx is null; Nothing we can do, returning an error.");
- return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ dd("ModSecurity not enabled or an error occured");
+ return NGX_DECLINED;
 }
 if (ctx->request_body_processed) {