Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Customize ModSecurity to be used in Locations #3309

Merged
merged 1 commit into from
Nov 7, 2018
Merged

Customize ModSecurity to be used in Locations #3309

merged 1 commit into from
Nov 7, 2018

Conversation

diazjf
Copy link

@diazjf diazjf commented Oct 27, 2018
edited
Loading

Allows ModSecurity to be configured per location. The
following annotations will be added:

  • enable-modsecurity
  • enable-owasp-core-rules
  • modsecurity-transaction-id

Fixes #3167

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 27, 2018
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 27, 2018
@diazjf
Copy link
Author

diazjf commented Oct 27, 2018

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 27, 2018
@diazjf diazjf changed the title Customize ModSecurity to be used in locations Customize ModSecurity to be used in Locations Oct 30, 2018
@diazjf diazjf force-pushed the modsecurity-location branch 5 times, most recently from 6637952 to a8bdbd1 Compare October 31, 2018 20:30
@diazjf
Copy link
Author

diazjf commented Nov 1, 2018 

Error: exit status 1
2018/10/31 20:54:44 [notice] 1588#1588: ModSecurity-nginx v1.0.0
2018/10/31 20:54:44 [emerg] 1588#1588: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/modsecurity.conf. Line: 234. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127'.  in /tmp/nginx-cfg183879158:325
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/modsecurity.conf. Line: 234. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127'.  in /tmp/nginx-cfg183879158:325
nginx: configuration file /tmp/nginx-cfg183879158 test failed

Seeing the following error. @aledbf when will the fix for #3329 be pushed to master?

@aledbf
Copy link
Member

aledbf commented Nov 1, 2018

@diazjf we need to wait for owasp-modsecurity/ModSecurity#1941

@diazjf diazjf force-pushed the modsecurity-location branch 2 times, most recently from 034efec to 1d94edd Compare November 2, 2018 04:13
@diazjf
Copy link
Author

diazjf commented Nov 2, 2018

Fix for ModSecurity Library seen in the following link owasp-modsecurity/ModSecurity#1941

@diazjf diazjf force-pushed the modsecurity-location branch 4 times, most recently from cd500ea to f85ac12 Compare November 2, 2018 17:16
diazjf
diazjf commented Nov 2, 2018
View reviewed changes
images/nginx/rootfs/build.sh Outdated
@@ -413,14 +413,19 @@ git submodule update
cd "$BUILD_PATH"
git clone -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity/
git checkout 973c1f1028429452308bcbce7df8a6283dc59ffe
git checkout 18cdffdbca75e6b9f790f6df2807a32cd805c0a0
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aledbf Can the e2e test image obtain the changes in this PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diazjf please remove this change ^^ and rebase from master to use the latest change introduced in #3353 and #3354

@diazjf diazjf force-pushed the modsecurity-location branch 2 times, most recently from 2cc91cc to 42f429d Compare November 4, 2018 05:16
diazjf
diazjf commented Nov 4, 2018
View reviewed changes
images/nginx/rootfs/build.sh Outdated
@@ -421,6 +421,11 @@ sh build.sh
make
make install

# Copy over modsecurity.conf
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

-------------------------------------------------------------------------------
W1104 04:52:36.972626       9 queue.go:130] requeuing configmap-change, err 
-------------------------------------------------------------------------------
Error: exit status 1
2018/11/04 04:52:36 [notice] 1600#1600: ModSecurity-nginx v1.0.0
2018/11/04 04:52:36 [emerg] 1600#1600: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/modsecurity.conf. Line: 236. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/etc/nginx/modsecurity/unicode.mapping', '/etc/nginx/modsecurity/unicode.mapping'.  in /tmp/nginx-cfg215230822:325
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/modsecurity.conf. Line: 236. Column: 17. Failed to locate the unicode map file from: unicode.mapping Looking at: 'unicode.mapping', 'unicode.mapping', '/etc/nginx/modsecurity/unicode.mapping', '/etc/nginx/modsecurity/unicode.mapping'.  in /tmp/nginx-cfg215230822:325
nginx: configuration file /tmp/nginx-cfg215230822 test failed
-------------------------------------------------------------------------------

I think we still need these changes in the image.

@aledbf ^^

Copy link
Member

@aledbf aledbf Nov 4, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diazjf please remove the second commit and rebase from master. The image is updated with the latest version of the modules and the mapping file in #3357

Also, if a change is required in the nginx image, that needs to be done in a separate PR.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

@aledbf aledbf mentioned this pull request Nov 4, 2018
Closed
@diazjf diazjf force-pushed the modsecurity-location branch 3 times, most recently from b6fed2f to 351727e Compare November 5, 2018 17:51
@diazjf
Copy link
Author

diazjf commented Nov 5, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 5, 2018
@diazjf
Copy link
Author

diazjf commented Nov 5, 2018

/assign @aledbf

@diazjf diazjf mentioned this pull request Nov 5, 2018
Closed
@aledbf
Copy link
Member

aledbf commented Nov 6, 2018

@diazjf besides the on/off comment this lgtm. Please change the value of the annotations and we are ok to merge

@diazjf
Copy link
Author

diazjf commented Nov 6, 2018

@aledbf added to your comment and rebased with master.

@diazjf diazjf force-pushed the modsecurity-location branch 5 times, most recently from a33f49b to 1934654 Compare November 7, 2018 01:47
Allows ModSecurity to be configured per location
5195600 
The following annotations will be added:

- enable-modsecurity
- enable-owasp-core-rules
- modsecurity-transaction-id

Fixes kubernetes#3167
@diazjf
Copy link
Author

diazjf commented Nov 7, 2018

@aledbf ready!

@aledbf
Copy link
Member

aledbf commented Nov 7, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 7, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, diazjf

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@aledbf
Copy link
Member

aledbf commented Nov 7, 2018

@diazjf thanks!

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 7, 2018
@k8s-ci-robot k8s-ci-robot merged commit d97999c into kubernetes:master Nov 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aledbf aledbf aledbf left review comments

@ElvinEfendi ElvinEfendi Awaiting requested review from ElvinEfendi

Assignees

@aledbf aledbf

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@diazjf @aledbf @k8s-ci-robot