Re: [mod-security-users] Add Headers with NGinx and ModSecurity
From: Christian F. <chr...@ne...> - 2020-09-18 13:59:05
Cool. Thank you for sharing Mikaël!
On Fri, Sep 18, 2020 at 03:38:16PM +0200, Mikaël Pirio wrote:
> I succeeded using NGinx Lua module.
>
> In my modsec conf:
>
> SecRule TX:IS_API_REQ "@eq 1" \
> "id:6,\
> phase:1,\
> pass,\
> nolog,\
> setenv:'ratelimit_limit=%{tx.api_req_counter_max}',\
> setenv:'ratelimit_counter=%{session.api_req_counter}',\
> setenv:'ratelimit_reset=%{session.api_req_counter__expire_timestamp}'"
>
>
> Nginx Conf:
>
> ...
> location /api/ {
> set_by_lua $ratelimit_limit 'return os.getenv("ratelimit_limit")';
> set_by_lua $ratelimit_remaining 'return os.getenv("ratelimit_limit")
> - os.getenv("ratelimit_counter")';
> set_by_lua $ratelimit_reset 'return os.getenv("ratelimit_reset")';
>
> add_header X-RateLimit-Limit "$ratelimit_limit";
> add_header X-RateLimit-Remaining "$ratelimit_remaining";
> add_header X-RateLimit-Reset "$ratelimit_reset";
> ...
> }
> ...
>
>
> On Fri, Sep 18, 2020 at 09:53, Christian Folini <chr...@ne...>
> wrote:
>
> > On Fri, Sep 18, 2020 at 09:11:11AM +0430, Ehsan Mahdavi wrote:
> > > Hi
> > >
> > > You can use nginx directives to add headers like nginx directive
> > > add_header.
> >
> > Oops. I thought this was not possible, but now I realize I was thinking of
> > the response body. Of course I was wrong.
> >
> > Sorry for the misinformation on my behalf. I'm too much of an Apache
> > person.
> >
> > Christian
> >
> >
> > >
> > > I personally recommend using extra module headers-more. It can be found here
> > >
> > > https://github.com/openresty/headers-more-nginx-module
> > >
> > > On Thu, Sep 17, 2020, 21:37 Mikaël Pirio <mik...@bo...>
> > > wrote:
> > >
> > > > Hello,
> > > >
> > > > I use libModSecurity 3.0.3 and I would like to know if we can add
> > > > response headers (with nginx) like we can do with Apache (use `setenv` in
> > > > rule and use this env variable in Apache config)?
> > > >
> > > > Thanks,
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > http://www.modsecurity.org/projects/commercial/support/
> > > >
> >
> >
> >
> >
> >
> >
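The header values computed in the quoted Nginx configuration, as an added example that is not part of the original thread: a plain-Lua function that validates the three environment values before they are used as header values and handles an unset or over-limit counter. The function names and sample values are hypothetical; the environment variable names are the ones set by the quoted rule.

```lua
-- Added example, not code from the thread. Function names are hypothetical;
-- the variable names are the ones set by the quoted ModSecurity rule.

-- Accept only a non-negative decimal integer string; anything else is nil.
local function to_count(s)
  if type(s) ~= "string" or not s:match("^%d+$") then
    return nil
  end
  return tonumber(s)
end

-- getenv is passed in so the logic can be run outside nginx.
local function ratelimit_headers(getenv)
  local limit   = to_count(getenv("ratelimit_limit"))
  local counter = to_count(getenv("ratelimit_counter"))
  local reset   = to_count(getenv("ratelimit_reset"))

  -- No valid limit: emit nothing rather than a broken header set.
  if not limit then
    return nil
  end

  -- Assumption: an unset counter means no requests counted yet.
  local remaining = limit - (counter or 0)
  if remaining < 0 then
    remaining = 0
  end

  return {
    ["X-RateLimit-Limit"]     = string.format("%d", limit),
    ["X-RateLimit-Remaining"] = string.format("%d", remaining),
    ["X-RateLimit-Reset"]     = reset and string.format("%d", reset) or nil,
  }
end

-- Constructed sample environments (not captured from a real server).
local samples = {
  { ratelimit_limit = "100", ratelimit_counter = "42", ratelimit_reset = "1600437496" },
  { ratelimit_limit = "100" },                            -- counter not set yet
  { ratelimit_limit = "100", ratelimit_counter = "130" }, -- over the limit
  { ratelimit_limit = "abc", ratelimit_counter = "1" },   -- non-numeric, rejected
}

for i, env in ipairs(samples) do
  local h = ratelimit_headers(function(k) return env[k] end)
  print(i, h and h["X-RateLimit-Limit"], h and h["X-RateLimit-Remaining"],
        h and h["X-RateLimit-Reset"])
end
```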