fix error

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>

.github/workflows/build.yml

@@ -57,9 +57,9 @@ jobs:
       - name: Install dependencies with apt
         run: |
           sudo add-apt-repository universe
-          sudo apt-get update
-          sudo apt-get -y \
-          --fix-missing install \
+          sudo apt-get -qq update
+          sudo apt-get -y -qq \
+          --fix-missing --no-install-recommends install \
           gcc make \
           libxml2-dev \
           libxslt-dev \
@@ -89,26 +89,28 @@ jobs:
 
       - name: Configure compilation of dynamic module
         run: |
-          ls -l
           cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }}
           ./configure \
           --with-compat \
           --add-dynamic-module=${{ github.workspace }}/ \
           --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
           --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \
-          --prefix=/usr/share/nginx \
+          --prefix=/etc/nginx \
+          --sbin-path=/usr/sbin/nginx \
           --conf-path=/etc/nginx/nginx.conf \
           --http-log-path=/var/log/nginx/access.log \
           --error-log-path=/var/log/nginx/error.log \
           --lock-path=/var/lock/nginx.lock \
           --pid-path=/run/nginx.pid \
           --modules-path=/usr/lib/nginx/modules \
-          --http-client-body-temp-path=/var/lib/nginx/body \
-          --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
-          --http-proxy-temp-path=/var/lib/nginx/proxy \
-          --http-scgi-temp-path=/var/lib/nginx/scgi \
-          --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
+          --http-client-body-temp-path=/var/cache/nginx/client_temp \
+          --http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+          --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+          --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+          --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
           --with-debug \
+          --with-file-aio \
+          --with-threads \
           --with-http_ssl_module \
           --with-http_stub_status_module \
           --with-http_realip_module \
@@ -126,10 +128,22 @@ jobs:
           --with-http_xslt_module=dynamic \
           --with-stream=dynamic
 
-      - name: Compile dynamic module  
-        run: |  
+      - name: Compile dynamic module and install nginx
+        run: |
           cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }}
           make modules
+          make
+          sudo make install
+
+      - name: Run tests
+        run: |
+          wget http://hg.nginx.org/nginx-tests/archive/tip.tar.gz
+          tar xzf tip.tar.gz
+          cd nginx-tests-*
+          cp ../t/* .
+          export TEST_NGINX_BINARY=/usr/sbin/nginx
+          export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";"
+          prove . -t coraza*.t
 
       - name: Upload a Build Artifact
         uses: actions/upload-artifact@v2

.github/workflows/stale.yml

@@ -1,19 +1,19 @@
-#name: "Close stale issues"
-#on:
-#  schedule:
-#  - cron: "0 0 * * *"
-#
-#jobs:
-#  stale:
-#    runs-on: ubuntu-latest
-#    steps:
-#    - uses: actions/stale@v3
-#      with:
-#        repo-token: ${{ secrets.GITHUB_TOKEN }}
-#        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-#        stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-#        stale-issue-label: 'no-issue-activity'
-#        stale-pr-label: 'no-pr-activity'
-#        exempt-issue-label: 'nostale,work-in-progress'
-#        days-before-stale: 30
-#        days-before-close: 5
+name: "Close stale issues"
+on:
+  schedule:
+  - cron: "0 0 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/stale@v3
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+        stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+        stale-issue-label: 'no-issue-activity'
+        stale-pr-label: 'no-pr-activity'
+        exempt-issue-label: 'nostale,work-in-progress'
+        days-before-stale: 30
+        days-before-close: 5

.gitignore

@@ -1 +1 @@
-.vscode/
+.vscode/

Dockerfile

@@ -1,56 +1,91 @@
-FROM ubuntu:latest
-
-RUN apt-get update \
-    && apt install -y wget build-essential libpcre++-dev git-core libtool openssl libssl-dev zlib1g-dev\
-    && wget http://nginx.org/download/nginx-1.22.0.tar.gz \
-    && tar -xvzf nginx-1.22.0.tar.gz
-WORKDIR /nginx-1.22.0
-
-RUN wget https://go.dev/dl/go1.19.linux-amd64.tar.gz && \
-    tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
-
-ENV PATH="$PATH:/usr/local/go/bin"
-ENV CPPFLAGS="-DPNG_ARM_NEON_OPT=0"
-COPY . coraza
-
-RUN git clone https://github.com/corazawaf/libcoraza && \
-    cd libcoraza && \
-    ./build.sh && \
-    ./configure && \
-    make && \
-    make install
-
-RUN  ./configure \
-    --with-compat \
-    --add-module=/nginx-1.22.0/coraza/ \
-    --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
-    --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \
-    --prefix=/usr/share/nginx \
-    --conf-path=/etc/nginx/nginx.conf \
-    --http-log-path=/var/log/nginx/access.log \
-    --error-log-path=/var/log/nginx/error.log \
-    --lock-path=/var/lock/nginx.lock \
-    --pid-path=/run/nginx.pid \
-    --modules-path=/usr/lib/nginx/modules \
-    --http-client-body-temp-path=/var/lib/nginx/body \
-    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
-    --http-proxy-temp-path=/var/lib/nginx/proxy \
-    --http-scgi-temp-path=/var/lib/nginx/scgi \
-    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
-    --with-debug \
-    --with-http_ssl_module \
-    --with-http_stub_status_module \
-    #--with-http_realip_module \
-    --with-http_auth_request_module \
-    --with-http_v2_module \
-    #--with-http_dav_module \
-    --with-http_slice_module \
-    --with-threads \
-    --with-http_addition_module \
-    #--with-http_geoip_module=dynamic \
-    --with-http_gunzip_module \
-    #--with-http_gzip_static_module \
-    #--with-http_image_filter_module=dynamic \
-    --with-http_sub_module \
-    #--with-http_xslt_module=dynamic \
-    --with-stream=dynamic
+FROM golang as go-builder
+
+ARG libcoraza_version=master
+
+# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
+RUN set -eux; \
+  apt-get update -qq; \
+  apt-get install -qq --no-install-recommends \
+    autoconf \
+    automake \
+    libtool \
+    gcc \
+    bash \
+    make
+
+COPY ./libcoraza /tmp/master
+
+RUN set -eux; \
+    #wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \
+    #tar -xvf /tmp/master; \
+    #cd corazawaf-libcoraza-*; \
+    cd /tmp/master; \
+    ./build.sh; \
+    ./configure; \
+    make; \
+    make V=1 install
+
+FROM nginx:stable as ngx-coraza
+
+COPY --from=go-builder /usr/local/include/coraza /usr/local/include/coraza
+COPY --from=go-builder /usr/local/lib/libcorazacore.a /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazautils.a /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib
+
+# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
+RUN set -eux; \
+  apt-get update -qq; \
+  apt-get install -qq --no-install-recommends \
+  gcc \
+  gnupg1 \
+  ca-certificates  \
+  libc-dev \
+  make \
+  openssl \
+  curl \
+  gnupg \
+  wget \
+  libpcre3 libpcre3-dev \
+  zlib1g-dev
+
+COPY . /usr/src/coraza-nginx
+
+# Download sources
+RUN set -eux; \
+    curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC /usr/src -f -;
+    # Reuse same cli arguments as the nginx:alpine image used to build
+
+RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\
+    cd /usr/src/nginx-$NGINX_VERSION; \
+    ./configure --with-compat "$CONFARGS" --add-dynamic-module=/usr/src/coraza-nginx; \
+    make modules; \
+    mkdir -p /usr/lib/nginx/modules; \
+    find objs/*.so -print; \    
+    cp objs/ngx_*.so /usr/lib/nginx/modules
+
+FROM nginx:stable
+
+RUN sed -i -e "s|events {|load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";\n\nevents {|" /etc/nginx/nginx.conf;
+
+COPY ./coraza.conf /etc/nginx/conf.d/coraza.conf
+COPY --from=ngx-coraza /usr/lib/nginx/modules/ /usr/lib/nginx/modules/
+COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib
+COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib
+
+RUN ldconfig -v
+
+COPY ./t /tmp/t
+
+RUN set -eux; \
+    apt-get update -qq; \
+    apt-get install -qq --no-install-recommends curl perl; \
+    curl http://hg.nginx.org/nginx-tests/archive/tip.tar.gz -o tip.tar.gz; \
+    tar xzf tip.tar.gz; \
+    cd nginx-tests-*; \
+    cp /tmp/t/* . ;\
+    export TEST_NGINX_BINARY=/usr/sbin/nginx; \
+    export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";"; \
+    prove . -t coraza*.t
+
+>>>>>>> db83d99 (fix error)

config

@@ -10,38 +10,39 @@
 
 ngx_addon_name="ngx_http_coraza_module"
 coraza_dependency="ngx_http_postpone_filter_module \
-                        ngx_http_ssi_filter_module \
-                        ngx_http_charset_filter_module \
-                        ngx_http_sub_filter_module \
-                        ngx_http_addition_filter_module \
-                        ngx_http_gunzip_filter_module \
-                        ngx_http_userid_filter_module \
-                        ngx_http_headers_filter_module \
-                        ngx_http_copy_filter_module"
+                   ngx_http_ssi_filter_module \
+                   ngx_http_charset_filter_module \
+                   ngx_http_xslt_filter_module \
+                   ngx_http_image_filter_module \
+                   ngx_http_sub_filter_module \
+                   ngx_http_addition_filter_module \
+                   ngx_http_gunzip_filter_module \
+                   ngx_http_userid_filter_module \
+                   ngx_http_headers_filter_module \
+                   ngx_http_copy_filter_module"
 
 
 if test -n "$ngx_module_link"; then
 	ngx_module_type=HTTP_FILTER
 	ngx_module_name="$ngx_addon_name"
 	ngx_module_srcs="$ngx_addon_dir/src/ngx_http_coraza_module.c \
-            $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
-            $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
-            $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
-            $ngx_addon_dir/src/ngx_http_coraza_log.c \
-            $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
-            "
+                     $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_log.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
+                     $ngx_addon_dir/src/ngx_http_coraza_utils.c \
+                     "
 	ngx_module_deps="$ngx_addon_dir/src/ddebug.h \
-            $ngx_addon_dir/src/ngx_http_coraza_common.h \
-            "
         ngx_module_libs="-lcoraza"
         ngx_module_incs="-L/usr/local/lib"
 
-        ngx_module_order="ngx_http_chunked_filter_module \
-                          ngx_http_v2_filter_module \
-                          ngx_http_range_header_filter_module \
-                          ngx_http_gzip_filter_module \
-                          $ngx_module_name \
-                          $coraza_dependency";
+    ngx_module_order="ngx_http_chunked_filter_module \
+                      ngx_http_v2_filter_module \
+                      ngx_http_range_header_filter_module \
+                      ngx_http_gzip_filter_module \
+                      $ngx_module_name \
+                      $coraza_dependency";
 
 	. auto/module
 else
@@ -52,19 +53,18 @@ else
 	CORE_LIBS="$CORE_LIBS $ngx_feature_libs"
 
 	HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES ngx_http_coraza_module"
-	NGX_ADDON_SRCS="\
-	    $NGX_ADDON_SRCS \
-	    $ngx_addon_dir/src/ngx_http_coraza_module.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_log.c \
-	    $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
-	    "
+	NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
+                    $ngx_addon_dir/src/ngx_http_coraza_module.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_log.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
+                    $ngx_addon_dir/src/ngx_http_coraza_utils.c \
+                    "
 
-	NGX_ADDON_DEPS="\
-	    $NGX_ADDON_DEPS \
-	    $ngx_addon_dir/src/ddebug.h \
-	    $ngx_addon_dir/src/ngx_http_coraza_common.h \
-	    "
+	NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
+                    $ngx_addon_dir/src/ddebug.h \
+                    $ngx_addon_dir/src/ngx_http_coraza_common.h \
+                    "
 fi

coraza.conf

@@ -0,0 +1,5 @@
+coraza on;
+coraza_rules 'SecRuleEngine On
+              SecRule ARGS "@streq whee" "id:10,phase:2"
+              SecRule ARGS "@streq whee" "id:11,phase:2"
+              ';

ngx-modsec.stp → ngx-coraza.stp

@@ -6,12 +6,12 @@ global rules_phase
 
 
 # Rules
-probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*")
+probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*")
 {
     begin_rule = gettimeofday_us();
 }
 
-probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*").return
+probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*").return
 {
     elapsed_rule = gettimeofday_us() - begin_rule
     rules[$this->m_ruleId] <<< elapsed_rule

src/ngx_http_coraza_common.h

@@ -126,5 +126,7 @@ ngx_int_t ngx_http_coraza_pre_access_handler(ngx_http_request_t *r);
 /* ngx_http_coraza_rewrite.c */
 ngx_int_t ngx_http_coraza_rewrite_handler(ngx_http_request_t *r);
 
+/* ngx_http_coraza_utils.c */
+ngx_int_t ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p);
 
 #endif /* _ngx_http_coraza_COMMON_H_INCLUDED_ */