Enhancement: increase SecPcreMatchLimit for specific file #3304

Open
Orgoth opened this issue Nov 19, 2024 · 11 comments

@Orgoth

Orgoth commented Nov 19, 2024

Is there a way to increase the SecPcreMatchLimit for a specific file?
Our application has an API which receives very large amounts of data, and I only want to increase the limit for this API.
The global limit should stay the same.

@airween
Member

airween commented Nov 19, 2024

Hi @Orgoth,

Which version do you use?

If you use libmodsecurity3 and Nginx, you should try putting this into a location block:

    location /api/endpoint {
        modsecurity_rules '
          SecPcreMatchLimit 1024
        ';
    }

See this part of the documentation.

@Orgoth
Author

Orgoth commented Nov 19, 2024

Sorry, forgot to mention.
I am using libapache2-mod-security2 2.9.3-3+deb11u2.

I suspect I can create a files block within the vhost and set the rule for this specific file.
Thank you very much.

@airween
Member

airween commented Nov 19, 2024

Please feel free to close this issue if you could solve that.

@Orgoth
Author

Orgoth commented Nov 19, 2024

Sadly, this is not possible.

    SecPcreMatchLimit not allowed in <Location> context
    SecPcreMatchLimit not allowed in <FilesMatch> context
    SecPcreMatchLimit not allowed in <Directory> context
    ModSecurity: SecPcreMatchLimit not allowed in VirtualHost

@Orgoth
Author

Orgoth commented Nov 19, 2024

I will disable ModSecurity via an exclude rule for this API; the coworker confirmed he will take responsibility.

But could this behavior be changed?
That you allow Apache in the module/lib that this rule can be set in the VHOST?

https://github.com/owasp-modsecurity/ModSecurity/tree/v2/master

Or is this something you do not have control over and that cannot be changed within the module, to tell Apache it is allowed within the vhost?

@airween
Member

airween commented Nov 19, 2024

I'm not sure if it's possible - @marcstern what do you think?

@marcstern

It's currently a global setting, but nothing would forbid setting it at the location level, as the value is used in each msc_pregcomp_ex() individually.

@Orgoth
Author

Orgoth commented Nov 27, 2024

> but nothing would forbid setting it at the location level

How to do so?

@marcstern

I mean we could implement a change in the code.

@Orgoth
Author

Orgoth commented Jan 14, 2025

Is there anything new on this?

@marcstern

Hi @Orgoth, we didn't have the time to work on this (a lot of higher priorities).
If somebody wants to create a PR, this could speed things up.
