Hello,
We are running the 1.8.0 version of Nginx with ModSecurity 2.9.0 compiled
from the nginx_refactoring branch.
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity for nginx (STABLE)/2.9.0 (http://www.modsecurity.org/) configured.
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: LUA compiled version="Lua 5.1"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: LIBXML compiled version="2.7.6"
2015/04/29 19:51:38 [notice] 6430#0: ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
In our configuration, we want to set the CORS headers on every request that
reaches us. To do that, in nginx we do:
add_header 'Access-Control-Allow-Origin' $cors_origin always;
add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
add_header 'Access-Control-Allow-Methods' $cors_methods always;
add_header 'Access-Control-Allow-Headers' $cors_headers always;
add_header 'Access-Control-Max-Age' $cors_maxage always;
Note that we use the *always* keyword so that we *always* add those headers
even when the backend (which is running with a proxy_pass) returns an
error.
Our location block in the nginx configuration file looks like this:

    location / {
        ModSecurityEnabled on;
        ModSecurityConfig modsecurity.d/modsecurity.conf;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' $cors_credentials always;
        add_header 'Access-Control-Allow-Methods' $cors_methods always;
        add_header 'Access-Control-Allow-Headers' $cors_headers always;
        add_header 'Access-Control-Max-Age' $cors_maxage always;
        if ($user) {
            proxy_pass http://nextver;
            break;
        }
        proxy_pass http://currver;
    }
When doing a curl I don't see the "Access-Control" headers. If I comment
out the "ModSecurityEnabled/Config" lines, I can see them there:

< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS
< Access-Control-Allow-Headers: X-USER-AGENT, X-REQUESTED-WITH, X-USER-VERSION, X-COUNTRY-CODE
< Access-Control-Max-Age: 86400
I can also see the wanted headers if I access a non-error page.
I've been looking a little into the code and it seems there was a somewhat
related bug solved by
https://github.com/SpiderLabs/ModSecurity/pull/749/files.
My guess is that the somewhat new *always* directive is messing things up,
as I see that if I make a request to a URL that returns a non-error, the
headers are there. My (flawed) intuition tells me that maybe the *always*
directive is somehow not honored by ModSecurity and it will block headers
on an error?
Can anyone point me to how to delve into this issue further, to confirm my
suspicions, or look into the possible bug themselves?
Thanks for your help,
/fran
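Added example (not part of the original post, nor code from nginx or ModSecurity): a small Python checker that parses `curl -v` output for a normal response and for an error response, reports which of the five CORS headers configured above are missing from each, and lists the ones that disappeared only on the error path, which is the symptom the post describes. It also warns about the pairing shown in the quoted output, `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, which browsers refuse to honor for credentialed requests. The host name and both sample responses are constructed for the example; the header values in the 200 sample are copied from the post.

```python
"""Compare CORS headers between a normal and an error response captured
with `curl -v`. Added example; sample data is constructed."""
import re
from typing import Dict, List, Tuple

# Headers the nginx location above emits with `add_header ... always`.
EXPECTED_CORS_HEADERS = [
    "Access-Control-Allow-Origin",
    "Access-Control-Allow-Credentials",
    "Access-Control-Allow-Methods",
    "Access-Control-Allow-Headers",
    "Access-Control-Max-Age",
]


def parse_curl_response(verbose_output: str) -> Tuple[int, Dict[str, str]]:
    """Return (status_code, headers) from `curl -v` text.

    Only lines prefixed with '<' (curl's marker for response data) are read;
    header names are lower-cased. A line without any prefix while a header
    is open is folded into that header, which is how the mail client wrapped
    the long Allow-Headers line in the post.
    """
    status = 0
    headers: Dict[str, str] = {}
    last_name = None
    in_headers = False
    for raw in verbose_output.splitlines():
        if raw.startswith("<"):
            line = raw[1:].strip()
            if not in_headers:
                m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", line)
                if m:
                    status = int(m.group(1))
                    in_headers = True
                continue
            if line == "":  # blank line ends the header block
                break
            name, sep, value = line.partition(":")
            if sep:
                last_name = name.strip().lower()
                headers[last_name] = value.strip()
        elif in_headers and last_name and raw.strip() and raw.lstrip()[0] not in "*><{":
            headers[last_name] += " " + raw.strip()  # wrapped continuation
    return status, headers


def missing_cors_headers(headers: Dict[str, str]) -> List[str]:
    """Expected CORS headers absent from a parsed response."""
    return [h for h in EXPECTED_CORS_HEADERS if h.lower() not in headers]


def cors_policy_warnings(headers: Dict[str, str]) -> List[str]:
    """Header combinations that browsers reject or that are wider than intended."""
    warnings = []
    origin = headers.get("access-control-allow-origin", "")
    credentials = headers.get("access-control-allow-credentials", "").lower()
    if origin == "*" and credentials == "true":
        warnings.append(
            "Access-Control-Allow-Origin '*' with Access-Control-Allow-Credentials "
            "'true': browsers reject this pairing for credentialed requests; "
            "reflect a validated origin instead"
        )
    return warnings


def compare_responses(ok_output: str, error_output: str) -> Dict[str, object]:
    """Summarise which CORS headers are present on the success vs. error path."""
    ok_status, ok_headers = parse_curl_response(ok_output)
    err_status, err_headers = parse_curl_response(error_output)
    ok_missing = missing_cors_headers(ok_headers)
    err_missing = missing_cors_headers(err_headers)
    return {
        "ok_status": ok_status,
        "ok_missing": ok_missing,
        "error_status": err_status,
        "error_missing": err_missing,
        "dropped_on_error": sorted(set(err_missing) - set(ok_missing)),
        "warnings": cors_policy_warnings(ok_headers),
    }


# Constructed sample: a 200 response carrying the headers quoted in the post
# (host name is a placeholder; the wrapped Allow-Headers line is kept as-is).
SAMPLE_OK = """\
* Connected to example.invalid (127.0.0.1) port 80
> GET /ok HTTP/1.1
> Host: example.invalid
>
< HTTP/1.1 200 OK
< Server: nginx/1.8.0
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: HEAD, GET, POST, PUT, PATCH, DELETE, OPTIONS
< Access-Control-Allow-Headers: X-USER-AGENT, X-REQUESTED-WITH,
X-USER-VERSION, X-COUNTRY-CODE
< Access-Control-Max-Age: 86400
<
{ [data not shown]
"""

# Constructed sample: an upstream error on which the CORS headers are absent,
# the behaviour the post reports with ModSecurity enabled.
SAMPLE_ERROR = """\
< HTTP/1.1 502 Bad Gateway
< Server: nginx/1.8.0
< Content-Type: text/html
< Content-Length: 172
<
"""

if __name__ == "__main__":
    for key, value in compare_responses(SAMPLE_OK, SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

Run it against real captures by pasting the output of `curl -v` for one URL that succeeds and one that returns an error into the two strings; an empty `dropped_on_error` list means the `always` flag is being honored on the error path.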