Re: [Mod-security-developers] ModSecurity V2 as a dynamic nginx module
From: Felipe C. <FC...@tr...> - 2016-12-09 12:05:08
Hi Kestutis,

Did you ever try the ModSecurity-nginx connector with v3? Any specific reason not to use it?

I never tried to compile the v2 into a dynamic module. I would suggest looking at the ModSecurity-nginx module, it should be similar - https://github.com/SpiderLabs/ModSecurity-nginx/blob/master/config

Br.,
Felipe “Zimmerle” Costa
Security Researcher, Lead Developer ModSecurity.

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: Kestutis Armalis <kes...@ze...>
Reply-To: "mod...@li..." <mod...@li...>
Date: Tuesday, December 6, 2016 at 11:43 AM
To: "mod...@li..." <mod...@li...>
Subject: [Mod-security-developers] ModSecurity V2 as a dynamic nginx module

Hi all,

We have been trying to test and try to "compile" ModSecurity V2 as a dynamic module for Nginx.

Nginx version: nginx/1.11.5 (nginx-plus-r11)

We configure the ModSecurity V2 with these parameters:

    CFLAGS="$CFLAGS -fPIC" ./configure --enable-standalone-module --disable-apache2-module --enable-pcre-jit

Then we amend the resulting {{ModSecFolder}}/nginx/modsecurity/config file by deleting everything except for CFLAGS and CORE_LIBS variables as well as adding these lines:

    ngx_addon_name=ngx_http_modsecurity

    NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
        $ngx_addon_dir/ngx_http_modsecurity.c \
        $ngx_addon_dir/apr_bucket_nginx.c \
        $ngx_addon_dir/ngx_pool_context.c"

    NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
        $ngx_addon_dir/apr_bucket_nginx.h \
        $ngx_addon_dir/ngx_pool_context.h"

    CORE_LIBS="$ngx_addon_dir/../../standalone/.libs/standalone.a $CORE_LIBS"

    CORE_INCS="$CORE_INCS \
        $ngx_addon_dir \
        $ngx_addon_dir/../../standalone \
        $ngx_addon_dir/../../apache2"

    ngx_module_type=HTTP_AUX_FILTER
    ngx_module_name="$ngx_addon_name"
    ngx_module_srcs="$NGX_ADDON_SRCS"
    ngx_module_deps="$NGX_ADDON_DEPS"
    ngx_module_libs="$CORE_LIBS"
    ngx_module_incs="$CORE_INCS"

    . auto/module

Then we build it using nginx's dynamic module creation instructions along with a few other modules.

The "make modules" command actually works and it produces a dynamic library that you can load using the config. It even checks for configuration errors and reports if there are any issues.

However, at runtime, whenever the rules need to be actually run, this happens:

    Program received signal SIGFPE, Arithmetic exception.
    0x00007ffff5dc14a2 in ngx_pool_set_ctx (pool=0x7fffef051c00, index=104, data=data@entry=0x7fffef053278) at {{MODSECPATH}}/nginx/modsecurity/ngx_pool_context.c:131
    131 sizeof(hash)) % ngx_pool_context_hash_size;

Looks like it's a division by 0, where ngx_pool_context_hash_size is 0 and it seems never to be set via the ngx_pool_context_init_conf function.

Our question is basically this: Has anyone tried and succeeded with compiling a version of ModSecurity for nginx without using the currently in development V3 (with the separate connector)? Even if the dynamic module is for the open source community version of nginx (rather than the nginx+).

Many thanks,
Kestutis Armalis
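The failure described in this thread (a modulo by a hash size that is still 0), as an added example that is not part of the original messages and is not ModSecurity's or nginx's code: a simplified C model in which the setter checks for an uninitialised table and returns an error instead of raising SIGFPE. The names ctx_init_conf, ctx_set, ctx_get and the fixed bucket array are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): a context table whose bucket count is set
 * by a configuration-time hook, mirroring the role the thread gives to
 * ngx_pool_context_hash_size. All names below are hypothetical. */
#define CTX_OK       0
#define CTX_ERROR   -1
#define MAX_BUCKETS 64

static size_t ctx_hash_size;             /* stays 0 if the init hook never runs */
static void  *ctx_buckets[MAX_BUCKETS];

/* Stand-in for the hook expected to run while the configuration is loaded. */
int ctx_init_conf(size_t buckets)
{
    if (buckets == 0 || buckets > MAX_BUCKETS)
        return CTX_ERROR;                /* reject a size that would break "%" */
    ctx_hash_size = buckets;
    return CTX_OK;
}

/* Toy hash of (pool, index); only called once ctx_hash_size is non-zero. */
static size_t ctx_slot(const void *pool, unsigned index)
{
    return (size_t) (((uintptr_t) pool ^ index) % ctx_hash_size);
}

/* Guarded setter: never evaluates "% 0"; the caller gets an error it can turn
 * into a rejected request or a failed configuration check. */
int ctx_set(const void *pool, unsigned index, void *data)
{
    if (ctx_hash_size == 0)
        return CTX_ERROR;                /* table was never initialised */
    ctx_buckets[ctx_slot(pool, index)] = data;
    return CTX_OK;
}

void *ctx_get(const void *pool, unsigned index)
{
    return ctx_hash_size == 0 ? NULL : ctx_buckets[ctx_slot(pool, index)];
}

int main(void)
{
    int value = 42;                      /* constructed sample data */
    printf("set before init: %d\n", ctx_set(&value, 104, &value));
    printf("init:            %d\n", ctx_init_conf(16));
    printf("set after init:  %d\n", ctx_set(&value, 104, &value));
    return 0;
}
```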