Thread: [mod-security-users] Add Headers with NGinx and ModSecurity
From: Mikaël P. <mik...@bo...> - 2020-09-17 17:03:57
Hello,

I use libModSecurity 3.0.3 and I would like to know if we can add response headers (with nginx) like we can do with Apache (use `setenv` in a rule and use this env variable in the Apache config)?

Thanks,
From: Christian F. <chr...@ne...> - 2020-09-17 17:50:14
On Thu, Sep 17, 2020 at 06:56:26PM +0200, Mikaël Pirio wrote:
> Hello,
>
> I use libModSecurity 3.0.3 and I would like to know if we can add response
> headers (with nginx) like we can do with Apache (use `setenv` in rule and
> use this env variable in Apache config) ?

Unfortunately not. NGINX does not even let ModSec inspect the response, let alone manipulate it. It's an architecture decision with the webserver.

Christian

> Thanks,
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Mikaël P. <mik...@bo...> - 2020-09-17 18:49:48
Really? We can't add a custom response header in Nginx if an env variable is set in ModSec? Like in the example with Apache:
# In ModSec rules file, define 'ratelimit_limit' env variable
SecRule &TX:IS_API_REQ "@eq 1"
"id:'129793',phase:2,setenv:'ratelimit_limit=%{tx.api_req_counter_max}'"
# In Apache conf, use mod_header to set Header based on that env variable
Header always set X-RateLimit-Limit "%{ratelimit_limit}e"
On Thu, Sep 17, 2020 at 19:51, Christian Folini <chr...@ne...> wrote:
>
> Unfortunately not. NGINX does not even let ModSec inspect the response,
> let alone manipulate it. It's an architecture decision with the webserver.
>
> Christian
>
From: Ehsan M. <ehs...@gm...> - 2020-09-18 04:41:41
Hi

You can use nginx directives to add headers, like the nginx directive add_header. I personally recommend using the extra module headers-more. It can be found here: https://github.com/openresty/headers-more-nginx-module

On Thu, Sep 17, 2020, 21:37 Mikaël Pirio <mik...@bo...> wrote:
> Hello,
>
> I use libModSecurity 3.0.3 and I would like to know if we can add
> response headers (with nginx) like we can do with Apache (use `setenv` in
> rule and use this env variable in Apache config) ?
>
> Thanks,
From: Christian F. <chr...@ne...> - 2020-09-18 07:51:34
On Fri, Sep 18, 2020 at 09:11:11AM +0430, Ehsan Mahdavi wrote:
> Hi
>
> You can use nginx directives to add headers like nginx directive
> add_header.

Oops. I thought this was not possible, but now I realize I was thinking of the response body. Of course I was wrong.

Sorry for the misinformation on my behalf. I'm too much of an Apache person.

Christian

> I personally recommend using extra module headers-more. It can be found here
>
> https://github.com/openresty/headers-more-nginx-module
>
> On Thu, Sep 17, 2020, 21:37 Mikaël Pirio <mik...@bo...> wrote:
> > Hello,
> >
> > I use libModSecurity 3.0.3 and I would like to know if we can add
> > response headers (with nginx) like we can do with Apache (use `setenv` in
> > rule and use this env variable in Apache config) ?
> >
> > Thanks,
From: Mikaël P. <mik...@bo...> - 2020-09-18 13:38:50
I succeeded using the NGinx Lua module.
In my modsec conf:
SecRule TX:IS_API_REQ "@eq 1" \
    "id:6,\
    phase:1,\
    pass,\
    nolog,\
    setenv:'ratelimit_limit=%{tx.api_req_counter_max}',\
    setenv:'ratelimit_counter=%{session.api_req_counter}',\
    setenv:'ratelimit_reset=%{session.api_req_counter__expire_timestamp}'"
Nginx Conf:

...
location /api/ {
    set_by_lua $ratelimit_limit 'return os.getenv("ratelimit_limit")';
    set_by_lua $ratelimit_remaining 'return os.getenv("ratelimit_limit") - os.getenv("ratelimit_counter")';
    set_by_lua $ratelimit_reset 'return os.getenv("ratelimit_reset")';

    add_header X-RateLimit-Limit "$ratelimit_limit";
    add_header X-RateLimit-Remaining "$ratelimit_remaining";
    add_header X-RateLimit-Reset "$ratelimit_reset";
    ...
}
...
On Fri, Sep 18, 2020 at 09:53, Christian Folini <chr...@ne...> wrote:
> On Fri, Sep 18, 2020 at 09:11:11AM +0430, Ehsan Mahdavi wrote:
> > Hi
> >
> > You can use nginx directives to add headers like nginx directive
> > add_header.
>
> Oops. I thought this was not possible, but now I realize I was thinking of
> the response body. Of course I was wrong.
>
> Sorry for the misinformation on my behalf. I'm too much of an Apache
> person.
>
> Christian
>
>
> >
> > I personally recommend using extra module headers-more. It can be found here
> >
> > https://github.com/openresty/headers-more-nginx-module
> >
> > On Thu, Sep 17, 2020, 21:37 Mikaël Pirio <mik...@bo...>
> > wrote:
> >
> > > Hello,
> > >
> > > I use libModSecurity 3.0.3 and I would like to know if we can add
> > > responses headers (with nginx) like we can do with Apache (use `setenv` in
> > > rule and use this env variable in Apache config) ?
> > >
> > > Thanks,
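An added example, not Mikaël's config and not code from the ModSecurity or OpenResty projects: a Lua helper that does the same environment-to-header mapping but copes with the SecRule not having fired, assuming lua-nginx-module's header_filter_by_lua_block and ngx.header, and a hypothetical module file ratelimit_headers.lua on lua_package_path.

```lua
-- ratelimit_headers.lua (hypothetical file name, assumed to be on lua_package_path)
-- Added example, not Mikaël's config: the same env-to-header mapping as his
-- set_by_lua block, but tolerant of the SecRule not having fired (then
-- os.getenv(a) - os.getenv(b) raises an arithmetic-on-nil error).
local M = {}

-- Parse a numeric string from the environment; nil when absent or not a number.
local function to_int(s)
  local n = tonumber(s)
  if n == nil then return nil end
  return math.floor(n)
end

-- getenv: function(name) -> string|nil (defaults to os.getenv, which reads the
-- worker process environment: whatever ModSecurity's setenv wrote there is
-- visible to every request that worker handles, not just the current one).
-- Returns a table name -> value; empty when the limit is unknown, so the
-- caller emits no header rather than a misleading one.
function M.build(getenv)
  getenv = getenv or os.getenv
  local limit = to_int(getenv("ratelimit_limit"))
  if not limit then return {} end
  local counter = to_int(getenv("ratelimit_counter")) or 0
  local remaining = limit - counter
  if remaining < 0 then remaining = 0 end   -- never advertise a negative budget
  local headers = {
    ["X-RateLimit-Limit"] = tostring(limit),
    ["X-RateLimit-Remaining"] = tostring(remaining),
  }
  local reset = to_int(getenv("ratelimit_reset"))
  if reset then headers["X-RateLimit-Reset"] = tostring(reset) end
  return headers
end

-- For use from lua-nginx-module, in place of the three add_header lines:
--   header_filter_by_lua_block { require("ratelimit_headers").apply() }
function M.apply()
  for name, value in pairs(M.build()) do ngx.header[name] = value end
end

-- Stand-alone self-check with a constructed environment (run: lua ratelimit_headers.lua)
if ngx == nil then
  local env = { ratelimit_limit = "100", ratelimit_counter = "120", ratelimit_reset = "1600300000" }
  local h = M.build(function(k) return env[k] end)
  assert(h["X-RateLimit-Limit"] == "100" and h["X-RateLimit-Remaining"] == "0")
  assert(h["X-RateLimit-Reset"] == "1600300000")
  assert(next(M.build(function() return nil end)) == nil)   -- rule did not fire
end
return M
```

Because os.getenv reads process-wide state, concurrent requests handled by the same worker can observe each other's values; that is inherent to the setenv approach in the thread, not to this helper.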
From: Christian F. <chr...@ne...> - 2020-09-18 13:59:05
Cool. Thank you for sharing Mikaël!
On Fri, Sep 18, 2020 at 03:38:16PM +0200, Mikaël Pirio wrote:
> I succeeded using the NGinx Lua module.
>
> In my modsec conf:
>
> SecRule TX:IS_API_REQ "@eq 1" \
> "id:6,\
> phase:1,\
> pass,\
> nolog,\
> setenv:'ratelimit_limit=%{tx.api_req_counter_max}',\
> setenv:'ratelimit_counter=%{session.api_req_counter}',\
> setenv:'ratelimit_reset=%{session.api_req_counter__expire_timestamp}'"
>
>
> Nginx Conf:
>
> ...
> location /api/ {
> set_by_lua $ratelimit_limit 'return os.getenv("ratelimit_limit")';
> set_by_lua $ratelimit_remaining 'return os.getenv("ratelimit_limit") - os.getenv("ratelimit_counter")';
> set_by_lua $ratelimit_reset 'return os.getenv("ratelimit_reset")';
>
> add_header X-RateLimit-Limit "$ratelimit_limit";
> add_header X-RateLimit-Remaining "$ratelimit_remaining";
> add_header X-RateLimit-Reset "$ratelimit_reset";
> ...
> }
> ...
>
>
> On Fri, Sep 18, 2020 at 09:53, Christian Folini <chr...@ne...> wrote:
>
> > On Fri, Sep 18, 2020 at 09:11:11AM +0430, Ehsan Mahdavi wrote:
> > > Hi
> > >
> > > You can use nginx directives to add headers like nginx directive
> > > add_header.
> >
> > Oops. I thought this was not possible, but now I realize I was thinking of
> > the response body. Of course I was wrong.
> >
> > Sorry for the misinformation on my behalf. I'm too much of an Apache
> > person.
> >
> > Christian
> >
> >
> > >
> > > I personally recommend using extra module headers-more. It can be found here
> > >
> > > https://github.com/openresty/headers-more-nginx-module
> > >
> > > On Thu, Sep 17, 2020, 21:37 Mikaël Pirio <mik...@bo...>
> > > wrote:
> > >
> > > > Hello,
> > > >
> > > > I use libModSecurity 3.0.3 and I would like to know if we can add
> > > > responses headers (with nginx) like we can do with Apache (use `setenv` in
> > > > rule and use this env variable in Apache config) ?
> > > >
> > > > Thanks,