recovery context after internal redirect #273
Conversation
|
@martinhsv could you help to review for this? |
|
@zimmerle @AirisX @defanator #241 doesn't resolve the problem too. |
|
Hello @liudongmiao, |
|
@AirisX I think https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/tests/modsecurity-config-custom-error-page.t should be ok. However, the test case doesn't check the created transaction in log. And if the request method is non-HEAD, it would be changed to GET. In my test case, without this patch, there would be two transaction. If you don't use custom erorr_page, you can ignore this. For erorr_page, nginx would call You can debug with IDE like Clion, or read http://nginx.org/en/docs/dev/development_guide.html#http_request_redirection
All nginx phases:
|
|
We also agree that this pull request is in the right direction, however it does not directly close pull request #255, contrary to what is stated in the first comment. Specifically, the log handler will only run if ModSecurity is also enabled in the internal redirect's location conf, but not if it is not (with the exception of phase 1 rules where the log handler runs because of the "early logging" workaround). This is demonstrated by the updated test case included in pull request #255 (the current test case does not cover the aforementioned problematic cases). The problem is that the connector decides whether ModSecurity is enabled or not based on the configuration directive in the request's location conf. At the time the log handler runs, the original request has already been replaced by a new one with the internal redirect's location conf. As a result, if ModSecurity is not enabled in the internal redirect's location conf, the check at line 47 will fail and the original transaction will not be logged. What is required is to make this decision based on the original request, in which case the recovered context should be used instead of the location conf. There are two possible options here:
As a PoC, the second option was implemented in this branch. These changes can either be included in this pull request, or we can open a new one. |
|
Is there any news please? |
|
@mlevogiannis I have checked your commit, how to merge it into this PR? |
log phase would use the final location for redirect, so we should use context to determine whether it should be logged.
|
This commit should be merge, I having same prob |
|
Hi all, Just wondering where things stand with this? Thanks, |
|
To all: sorry for the delay, the new team takes care with sources since end of January, 2024. We weren't able to review all PR's, but now I try to take a look here too. Thanks and sorry again. |
|
|
I have rebased onto the latest master and updated the branch in our repository so that the newly introduced CI workflow tests pass. As a recap, our branch:
@liudongmiao Can you please update this PR's branch with the changes in our branch? You may either cherry-pick the 3 extra commits or "git reset" your branch with our branch and force push it. |
|
@mlevogiannis The original patch should be very easy to understand, as it will get the context from clean handler if the context is reset. And there is reference from realip module. |
|
Definitely need to see the error_page issues with ModSecurity nginx resolved after 2 years of it being in limbo and all of us running patch files to achieve functionality that should be baked into the main repo for all to benefit. |
|
should this problem need to solve to main branches ? |
|
Please read this comment. I need some help to reproduce the original issue. |
|
merged in #326 |
In
error_page, nginx would reset context. Thenmodsecurity-nginxcannot recovery from previous context.It will act like this:
Then, like a new request: (request method set to
GET)In previous,
r->error_pagewas introduced to solve thelogproblem. However, it doesn't solve the root cause.This PR should close #270, #255 and other
error_page(internal redirect) issues.