From d381f1a2b10840c52ca78b1e3dd4848f9d22a731 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Wed, 9 Mar 2022 18:06:14 -0300 Subject: [PATCH 01/10] fix: second pass changing names and main module Signed-off-by: Felipe Zipitria --- CHANGES | 2 +- README.md | 2 +- ngx-modsec.stp | 4 +- src/ddebug.h | 2 +- src/ngx_http_coraza_body_filter.c | 4 +- src/ngx_http_coraza_common.h | 10 +-- src/ngx_http_coraza_header_filter.c | 14 ++-- src/ngx_http_coraza_log.c | 4 +- src/ngx_http_coraza_module.c | 74 ++++++++------------ src/ngx_http_coraza_rewrite.c | 10 +-- tests/modsecurity-config-auditlog.t | 34 ++++----- tests/modsecurity-config-custom-error-page.t | 40 +++++------ tests/modsecurity-config-debuglog.t | 22 +++--- tests/modsecurity-config-merge.t | 24 +++---- tests/modsecurity-config.t | 22 +++--- tests/modsecurity-h2.t | 38 +++++----- tests/modsecurity-proxy-h2.t | 34 ++++----- tests/modsecurity-proxy.t | 34 ++++----- tests/modsecurity-request-body-h2.t | 18 ++--- tests/modsecurity-request-body.t | 22 +++--- tests/modsecurity-response-body.t | 6 +- tests/modsecurity-scoring.t | 8 +-- tests/modsecurity-transaction-id.t | 36 +++++----- tests/modsecurity.t | 50 ++++++------- tests/nginx-tests-cvt.pl | 8 +-- 25 files changed, 253 insertions(+), 269 deletions(-) diff --git a/CHANGES b/CHANGES index be9f5ad..7e8b892 100644 --- a/CHANGES +++ b/CHANGES @@ -58,5 +58,5 @@ v1.0.1 - 2019-Dec-16 v1.0.0 - 2017-Dec-20 -------------------- - - First version of ModSecurity-nginx connector + - First version of Coraza-nginx connector diff --git a/README.md b/README.md index 5ab6e3e..a9002d0 100644 --- a/README.md +++ b/README.md 
@@ -234,7 +234,7 @@ version of your libcoraza and the version of the nginx connector you are running ### Security issue Please do not publicly report any security issue. Instead, contact us at: -security@coraza.org to report the issue. Once the problem is fixed we will provide you with credit for the discovery. +security@coraza.io to report the issue. Once the problem is fixed we will provide you with credit for the discovery. ## Feature Request diff --git a/ngx-modsec.stp b/ngx-modsec.stp index 9c3e5fa..8c5fa65 100755 --- a/ngx-modsec.stp +++ b/ngx-modsec.stp @@ -6,12 +6,12 @@ global rules_phase # Rules -probe process("/usr/local/lib/libmodsecurity.so.3").function("evaluate@rule.cc*") +probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*") { begin_rule = gettimeofday_us(); } -probe process("/usr/local/lib/libmodsecurity.so.3").function("evaluate@rule.cc*").return +probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*").return { elapsed_rule = gettimeofday_us() - begin_rule rules[$this->m_ruleId] <<< elapsed_rule diff --git a/src/ddebug.h b/src/ddebug.h index 16c9e71..6e1fa95 100644 --- a/src/ddebug.h +++ b/src/ddebug.h @@ -34,7 +34,7 @@ # if (NGX_HAVE_VARIADIC_MACROS) -# define dd(...) fprintf(stderr, "modsec *** %s: ", __func__); \ +# define dd(...) fprintf(stderr, "coraza *** %s: ", __func__); \ fprintf(stderr, __VA_ARGS__); \ fprintf(stderr, " at %s line %d.\n", __FILE__, __LINE__) diff --git a/src/ngx_http_coraza_body_filter.c b/src/ngx_http_coraza_body_filter.c index 21f591b..7acd81d 100644 --- a/src/ngx_http_coraza_body_filter.c +++ b/src/ngx_http_coraza_body_filter.c @@ -1,5 +1,5 @@ /* - * ModSecurity connector for nginx, http://www.modsecurity.org/ + * Coraza connector for nginx, http://www.coraza.io/ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with 
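Review bot: The renamed probes `probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*")` still target a function located in `rule.cc`, which is a libmodsecurity C++ source file; libcoraza is, as far as I can tell, a Go/cgo library, so it is unlikely to export that symbol or to carry the `.so.3` SONAME, and `stap` would fail to resolve the probe. The context-line access `rules[$this->m_ruleId]` likewise assumes the C++ `Rule` object layout. If the script is to stay in the tree, the probe function and the field should be re-derived from the built library's exported symbols (`nm -D` on `libcoraza.so`); until then a comment such as `# TODO: probe names below are inherited from libmodsecurity and have not been ported to libcoraza` would stop someone from trusting the output.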
@@ -9,7 +9,7 @@ * * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * directly using the email address security@coraza.io. * */ diff --git a/src/ngx_http_coraza_common.h b/src/ngx_http_coraza_common.h index b14144f..86e39f7 100644 --- a/src/ngx_http_coraza_common.h +++ b/src/ngx_http_coraza_common.h @@ -1,5 +1,5 @@ /* - * ModSecurity connector for nginx, http://www.modsecurity.org/ + * Coraza connector for nginx, http://www.coraza.io/ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with @@ -9,7 +9,7 @@ * * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * directly using the email address security@coraza.io. * */ @@ -37,8 +37,8 @@ * */ -#define CORAZA_NGINX_MAJOR "1" -#define CORAZA_NGINX_MINOR "0" +#define CORAZA_NGINX_MAJOR "0" +#define CORAZA_NGINX_MINOR "1" #define CORAZA_NGINX_PATCHLEVEL "0" #define CORAZA_NGINX_TAG "" #define CORAZA_NGINX_TAG_NUM "100" @@ -105,7 +105,7 @@ typedef struct { extern ngx_module_t ngx_http_coraza_module; /* ngx_http_coraza_module.c */ -int ngx_http_coraza_process_intervention (coraza_transaction_t transaction, ngx_http_request_t *r, ngx_int_t early_log); +ngx_int_t ngx_http_coraza_process_intervention (coraza_transaction_t *transaction, ngx_http_request_t *r, ngx_int_t early_log); ngx_http_coraza_ctx_t *ngx_http_coraza_create_ctx(ngx_http_request_t *r); char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p); diff --git a/src/ngx_http_coraza_header_filter.c b/src/ngx_http_coraza_header_filter.c index 6b375e1..9f27200 100644 --- a/src/ngx_http_coraza_header_filter.c +++ b/src/ngx_http_coraza_header_filter.c 
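Review bot: The header keeps `char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p);` on the last line of this hunk, while the same patch changes the definition in src/ngx_http_coraza_module.c to `ngx_inline ngx_int_t ngx_str_to_char(ngx_str_t a, char* res, ngx_pool_t *p)`; a translation unit that includes this header and then defines the function will fail with conflicting types. Pick one signature and apply it in both places; since the remaining visible caller (the debug `dd()` in `ngx_http_coraza_merge_conf`) still uses the two-argument, `char *`-returning form, keeping the existing declaration is the smaller change. The `ngx_http_coraza_process_intervention` prototype change to `coraza_transaction_t *transaction` does match the new definition in the module file.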
@@ -10,7 +10,7 @@ * * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * directly using the email address security@coraza.io. * */ @@ -356,7 +356,7 @@ ngx_http_coraza_header_filter(ngx_http_request_t *r) } /* XXX: can it happen ? already processed i mean */ -/* XXX: check behaviour on 'ModSecurity off' */ +/* XXX: check behaviour on 'Coraza off' */ if (ctx && ctx->processed) { @@ -376,8 +376,8 @@ ngx_http_coraza_header_filter(ngx_http_request_t *r) ctx->processed = 1; /* * - * Assuming ModSecurity module is running immediately before the - * ngx_http_header_filter, we will be able to populate ModSecurity with + * Assuming Coraza module is running immediately before the + * ngx_http_header_filter, we will be able to populate Coraza with * headers from the headers_out structure. * * As ngx_http_header_filter place a direct call to the @@ -452,13 +452,13 @@ ngx_http_coraza_header_filter(ngx_http_request_t *r) /* * Proxies will not like this... but it is necessary to unset * the content length in order to manipulate the content of - * response body in ModSecurity. + * response body in Coraza. * - * This header may arrive at the client before ModSecurity had + * This header may arrive at the client before Coraza had * a change to make any modification. That is why it is necessary * to set this to -1 here. * - * We need to have some kind of flag the decide if ModSecurity + * We need to have some kind of flag the decide if Coraza * will make a modification or not. If not, keep the content and * make the proxy servers happy. * diff --git a/src/ngx_http_coraza_log.c b/src/ngx_http_coraza_log.c index 4568255..1a71d0d 100644 --- a/src/ngx_http_coraza_log.c +++ b/src/ngx_http_coraza_log.c 
@@ -1,5 +1,5 @@ /* - * ModSecurity connector for nginx, http://www.modsecurity.org/ + * Coraza connector for nginx, http://www.coraza.io/ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with @@ -9,7 +9,7 @@ * * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * directly using the email address security@coraza.io. * */ diff --git a/src/ngx_http_coraza_module.c b/src/ngx_http_coraza_module.c index facd06c..83fc77f 100644 --- a/src/ngx_http_coraza_module.c +++ b/src/ngx_http_coraza_module.c @@ -1,9 +1,9 @@ /* * Coraza connector for nginx, http://www.coraza.io/ * - * Based on ModSecurity's connector. + * Based on Coraza's connector. * - * ModSecurity nginx connector + * Coraza nginx connector * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * Coraza nginx connector @@ -43,13 +43,13 @@ static void ngx_http_coraza_cleanup_rules(void *data); * ngx_string's are not null-terminated in common case, so we need to convert * them into null-terminated ones before passing to CORAZA */ -ngx_inline char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p) +ngx_inline ngx_int_t ngx_str_to_char(ngx_str_t a, char* res, ngx_pool_t *p) { - char *str = NULL; + char *res = NULL; if (a.len == 0) { - return NULL; + return NGX_OK; } str = ngx_pnalloc(p, a.len + 1); 
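Review bot: `char *res = NULL;` on the new side redeclares the parameter `res` of the new signature, which is a compile error, and `str` — still assigned by `str = ngx_pnalloc(p, a.len + 1);` on the last line of the hunk and returned later in the function — no longer has a declaration. If the intent is an out-parameter, the parameter should be `char **res`, the local should stay `char *str = NULL;`, and the tail of the function (outside this hunk) should end with `*res = str; return NGX_OK;` with the allocation-failure path returning `NGX_ERROR`; otherwise the simpler fix is to keep the original `char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p)`, which is what the header and the `ngx_http_coraza_merge_conf` debug call in this patch still expect. Note that with an out-parameter the empty-string branch returns `NGX_OK` without touching `*res`, so callers would have to initialise it before the call. The function body continues past the end of this hunk.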
@@ -65,13 +65,14 @@ ngx_inline char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p) return str; } -ngx_inline int -ngx_http_coraza_process_intervention(coraza_transaction_t transaction, ngx_http_request_t *r, ngx_int_t early_log) +ngx_inline ngx_int_t +ngx_http_coraza_process_intervention(coraza_transaction_t *transaction, ngx_http_request_t *r, ngx_int_t early_log) { char *log = NULL; coraza_intervention_t *intervention; ngx_http_coraza_ctx_t *ctx = NULL; - + ngx_table_elt_t *location = NULL; + dd("processing intervention"); ctx = ngx_http_get_module_ctx(r, ngx_http_coraza_module); @@ -84,7 +85,7 @@ ngx_http_coraza_process_intervention(coraza_transaction_t transaction, ngx_http_ if (intervention == NULL) { dd("nothing to do"); - return 0; + return NGX_OK; } log = intervention->log; @@ -107,7 +108,7 @@ ngx_http_coraza_process_intervention(coraza_transaction_t transaction, ngx_http_ if (r->header_sent) { dd("Headers are already sent. Cannot perform the redirection at this point."); - return -1; + return NGX_ERROR; } /** @@ -122,12 +123,8 @@ ngx_http_coraza_process_intervention(coraza_transaction_t transaction, ngx_http_ * */ ngx_http_clear_location(r); - ngx_str_t a = ngx_string(""); + ngx_str_t a = ngx_string(intervention->url); - a.data = (unsigned char *)intervention->url; - a.len = strlen(intervention->url); - - ngx_table_elt_t *location = NULL; location = ngx_list_push(&r->headers_out.headers); ngx_str_set(&location->key, "Location"); location->value = a; @@ -157,12 +154,12 @@ ngx_http_coraza_process_intervention(coraza_transaction_t transaction, ngx_http_ if (r->header_sent) { dd("Headers are already sent. Cannot perform the redirection at this point."); - return -1; + return NGX_ERROR; } dd("intervention -- returning code: %d", intervention.status); return intervention->status; } - return 0; + return NGX_OK; } void ngx_http_coraza_cleanup(void *data) 
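Review bot: `ngx_str_t a = ngx_string(intervention->url);` is wrong for a runtime string: nginx's `ngx_string(str)` expands to `{ sizeof(str) - 1, (u_char *) str }`, so with `url` being a pointer (the removed `strlen(intervention->url)` implies it) `a.len` becomes `sizeof(char *) - 1` rather than the URL length, and the `Location` header built from it on the following lines is either truncated to a few bytes or reads past the end of a shorter URL. The two removed lines had the correct computation; restore it as `ngx_str_t a; a.data = (u_char *) intervention->url; a.len = ngx_strlen(intervention->url);`. While here, `location = ngx_list_push(&r->headers_out.headers);` can return NULL on allocation failure and is dereferenced unchecked on the next line; `if (location == NULL) { return NGX_ERROR; }` would match the error convention this patch introduces. The function continues outside the hunk.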
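Review bot: The context line `dd("intervention -- returning code: %d", intervention.status);` uses the member operator on `intervention`, which this function declares as `coraza_intervention_t *`, so any build with `CORAZA_DDEBUG` enabled (the only configuration in which `dd()` expands to code) fails to compile; since the patch is already converting this function's return codes to `NGX_ERROR`/`NGX_OK`, it is worth fixing to `dd("intervention -- returning code: %d", intervention->status);`. The `return intervention->status;` on the next line is the correct form. The function body begins before this hunk.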
@@ -230,24 +227,18 @@ ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) int res; char *rules; ngx_str_t *value; - const char *error; + char *error; ngx_http_coraza_conf_t *mcf = conf; ngx_http_coraza_main_conf_t *mmcf; value = cf->args->elts; - rules = ngx_str_to_char(value[1], cf->pool); - - if (rules == (char *)-1) - { - return NGX_CONF_ERROR; - } - res = coraza_rules_add(mcf->waf, rules, (char **)&error); + res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error); if (res < 0) { dd("Failed to load the rules: '%s' - reason: '%s'", rules, error); - return strdup(error); + return NGX_CONF_ERROR; } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_coraza_module); @@ -262,24 +253,18 @@ ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) int res; char *rules_set; ngx_str_t *value; - const char *error; + char **error; ngx_http_coraza_conf_t *mcf = conf; ngx_http_coraza_main_conf_t *mmcf; value = cf->args->elts; - rules_set = ngx_str_to_char(value[1], cf->pool); - - if (rules_set == (char *)-1) - { - return NGX_CONF_ERROR; - } - res = coraza_rules_add(mcf->waf, rules_set, (char **)&error); + res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error); if (res < 0) { dd("Failed to load the rules from: '%s' - reason: '%s'", rules_set, error); - return strdup(error); + return NGX_CONF_ERROR; } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_coraza_module); 
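Review bot: `rules` is no longer assigned now that the `ngx_str_to_char` call is removed, but it is still passed to `dd("Failed to load the rules: '%s' - reason: '%s'", rules, error);`, which reads an uninitialised pointer in debug builds; use `(char *)value[1].data` there or drop the local. The error text returned by `coraza_rules_add` is also discarded in favour of `NGX_CONF_ERROR`, so an operator with a broken rule set gets nginx's generic directive error instead of the parser's reason that `return strdup(error)` used to surface; `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "coraza: failed to load rules: %s", error);` before `return NGX_CONF_ERROR;` keeps the diagnostic without depending on the lifetime of the library's string. Passing `value[1].data` straight through relies on nginx's config tokenizer NUL-terminating directive arguments (which `ngx_conf_read_token` does), but that contradicts the comment above `ngx_str_to_char` saying the conversion is required; a one-line `/* cf->args tokens are NUL-terminated by ngx_conf_read_token */` here would stop the next reader from "fixing" it. The function continues past the hunk.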
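Review bot: `char **error;` combined with `&error` in `coraza_rules_add(mcf->waf, (char *)value[1].data, &error)` passes a `char ***`, whereas the sibling `ngx_conf_set_rules` hunk passes a `char **` to the same function, so one of the two calls cannot match the library's prototype, and `error` is then printed as a pointer-to-pointer by the `dd()` line; declare `char *error = NULL;` as in `ngx_conf_set_rules`. `rules_set` is likewise never assigned any more but is still passed to `dd("Failed to load the rules from: '%s' ...")`. Separately, this directive hands the file path to `coraza_rules_add`, the same entry point the inline-rules directive uses; unless libcoraza's `coraza_rules_add` detects a path, `coraza_rules_file` would parse the filename as rule text, so confirm against libcoraza's API whether a dedicated file-loading function exists (the pre-patch code makes the same call, so this is not introduced here). The function continues past the hunk.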
@@ -573,13 +558,12 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child) ngx_http_coraza_conf_t *c = child; #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG) ngx_http_core_loc_conf_t *clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module); + dd("merging loc config [%s] - parent: '%p' child: '%p'", + ngx_str_to_char(clcf->name, cf->pool), parent, + child); #endif int rules; - const char *error = NULL; - - dd("merging loc config [%s] - parent: '%p' child: '%p'", - ngx_str_to_char(clcf->name, cf->pool), parent, - child); + char **error = NULL; dd(" state - parent: '%d' child: '%d'", (int)c->enable, (int)p->enable); @@ -592,20 +576,20 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child) #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG) dd("PARENT RULES"); - msc_rules_dump(p->rules_set); + coraza_rules_dump(p->rules_set); dd("CHILD RULES"); - msc_rules_dump(c->rules_set); + coraza_rules_dump(c->rules_set); #endif - rules = coraza_rules_merge(c->waf, p->waf, (char **)&error); + rules = coraza_rules_merge(c->waf, p->waf, &error); if (rules < 0) { - return strdup(error); + return error; } #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG) dd("NEW CHILD RULES"); - msc_rules_dump(c->rules_set); + coraza_rules_dump(c->rules_set); #endif return NGX_CONF_OK; } diff --git a/src/ngx_http_coraza_rewrite.c b/src/ngx_http_coraza_rewrite.c index 5c77f56..3526fc9 100644 --- a/src/ngx_http_coraza_rewrite.c +++ b/src/ngx_http_coraza_rewrite.c @@ -1,5 +1,5 @@ /* - * ModSecurity connector for nginx, http://www.modsecurity.org/ + * Coraza connector for nginx, http://www.coraza.io/ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with 
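Review bot: The `dd()` now placed inside `#if defined(CORAZA_DDEBUG)` still calls `ngx_str_to_char(clcf->name, cf->pool)` with two arguments and formats the result with `%s`, but this same patch redefines `ngx_str_to_char` as `ngx_int_t ngx_str_to_char(ngx_str_t, char *, ngx_pool_t *)`, so a debug build would fail on argument count and, if it compiled, would pass an integer to `%s`. Either keep the original two-argument `char *` signature (which the header in this patch still declares) or convert this call to the new out-parameter form. Moving the `clcf`-dependent `dd()` under the `#if` is itself correct, since `clcf` is only declared there; a short `/* clcf is only declared under CORAZA_DDEBUG */` would explain the placement. The function continues past the hunk.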
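Review bot: `coraza_rules_merge(c->waf, p->waf, &error)` with `error` declared `char **` in the preceding hunk passes a `char ***`, and `return error;` then returns a `char **` from a function whose return type is `char *`; declare `char *error = NULL;` and the `&error`/`return error` pair becomes type-correct. Returning the library's string directly also changes ownership compared with the removed `strdup(error)`: nginx logs the returned `char *` after the merge handler returns, so if libcoraza frees or reuses that buffer the message is read after free — copying it into `cf->pool` (`ngx_pnalloc` + `ngx_cpystrn`) or logging it with `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "%s", error)` and returning `NGX_CONF_ERROR` avoids depending on the library's lifetime guarantee. The `coraza_rules_dump(p->rules_set)` calls under `CORAZA_DDEBUG` reference a `rules_set` member while the merge itself now operates on `waf`; confirm that field still exists in `ngx_http_coraza_conf_t`, otherwise debug builds break here too. The function body starts before this hunk.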
@@ -9,7 +9,7 @@ * * If any of the files related to licensing are missing or if you have any * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@modsecurity.org. + * directly using the email address security@coraza.io. * */ @@ -149,7 +149,7 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) } /** - * Since incoming request headers are already in place, lets send it to ModSecurity + * Since incoming request headers are already in place, lets send it to Coraza * */ ngx_list_part_t *part = &r->headers_in.headers.part; @@ -170,7 +170,7 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) * By using u_char (utf8_t) I believe nginx is hoping to deal * with utf8 strings. * Casting those into to unsigned char * in order to pass - * it to ModSecurity, it will handle with those later. + * it to Coraza, it will handle with those later. * */ @@ -183,7 +183,7 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) } /** - * Since ModSecurity already knew about all headers, i guess it is safe + * Since Coraza already knew about all headers, i guess it is safe * to process this information. */ diff --git a/tests/modsecurity-config-auditlog.t b/tests/modsecurity-config-auditlog.t index 0094b3c..79ad9f5 100644 --- a/tests/modsecurity-config-auditlog.t +++ b/tests/modsecurity-config-auditlog.t @@ -1,7 +1,7 @@ #!/usr/bin/perl # -# ModSecurity, http://www.modsecurity.org/ +# Coraza, http://www.coraza.io/ # Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) # # You may not use this file except in compliance with 
@@ -11,11 +11,11 @@ # # If any of the files related to licensing are missing or if you have any # other questions related to licensing please contact Trustwave Holdings, Inc. -# directly using the email address security@modsecurity.org. +# directly using the email address security@coraza.io. # -# Tests for ModSecurity module. +# Tests for Coraza module. ############################################################################### @@ -53,16 +53,16 @@ http { listen 127.0.0.1:8080; server_name localhost; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq whee" "id:10,phase:2" SecRule ARGS "@streq whee" "id:11,phase:2" '; location / { - modsecurity_rules ' - SecRule ARGS "@streq root" "id:21,phase:1,auditlog,status:302,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq root" "id:21,phase:1,auditlog,status:302,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/auditlog-debug-root.txt SecDebugLogLevel 9 SecAuditEngine RelevantOnly @@ -74,9 +74,9 @@ http { } location /subfolder1/subfolder2 { - modsecurity_rules ' - SecRule ARGS "@streq subfolder2" "id:41,phase:1,status:302,auditlog,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq subfolder1" "id:42,phase:1,status:302,auditlog,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq subfolder2" "id:41,phase:1,status:302,auditlog,redirect:http://www.coraza.io" + SecRule ARGS "@streq subfolder1" "id:42,phase:1,status:302,auditlog,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/auditlog-debug-subfolder2.txt SecDebugLogLevel 9 SecAuditEngine RelevantOnly 
@@ -89,8 +89,8 @@ http { } location /subfolder1 { - modsecurity_rules ' - SecRule ARGS "@streq subfolder1" "id:31,phase:1,status:302,auditlog,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq subfolder1" "id:31,phase:1,status:302,auditlog,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/auditlog-debug-subfolder1.txt SecDebugLogLevel 9 SecAuditLogParts AB @@ -102,10 +102,10 @@ http { } location /subfolder3/subfolder4 { - modsecurity_rules ' + coraza_rules ' SecResponseBodyAccess On - SecRule ARGS "@streq subfolder4" "id:61,phase:1,status:302,auditlog,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq subfolder3" "id:62,phase:1,status:302,auditlog,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq subfolder4" "id:61,phase:1,status:302,auditlog,redirect:http://www.coraza.io" + SecRule ARGS "@streq subfolder3" "id:62,phase:1,status:302,auditlog,redirect:http://www.coraza.io" SecRule ARGS "@streq subfolder4withE" "id:63,phase:1,ctl:auditLogParts=+E,auditlog" SecDebugLog %%TESTDIR%%/auditlog-debug-subfolder4.txt SecDebugLogLevel 9 @@ -118,8 +118,8 @@ http { } location /subfolder3 { - modsecurity_rules ' - SecRule ARGS "@streq subfolder3" "id:51,phase:1,status:302,auditlog,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq subfolder3" "id:51,phase:1,status:302,auditlog,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/auditlog-debug-subfolder3.txt SecDebugLogLevel 9 SecAuditLogParts AB diff --git a/tests/modsecurity-config-custom-error-page.t b/tests/modsecurity-config-custom-error-page.t index a8f5862..6e7fe06 100644 --- a/tests/modsecurity-config-custom-error-page.t +++ b/tests/modsecurity-config-custom-error-page.t @@ -1,7 +1,7 @@ #!/usr/bin/perl # -# ModSecurity, http://www.modsecurity.org/ +# Coraza, http://www.coraza.io/ # Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) # # You may not use this file except in compliance with 
@@ -11,11 +11,11 @@ # # If any of the files related to licensing are missing or if you have any # other questions related to licensing please contact Trustwave Holdings, Inc. -# directly using the email address security@modsecurity.org. +# directly using the email address security@coraza.io. # -# Tests for ModSecurity module. +# Tests for Coraza module. ############################################################################### @@ -60,8 +60,8 @@ http { } location / { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq root" "id:10,phase:1,auditlog,status:403,deny" SecDebugLog %%TESTDIR%%/auditlog-debug-local.txt @@ -79,8 +79,8 @@ http { listen 127.0.0.1:8080; server_name s2; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq root" "id:10,phase:1,auditlog,status:403,deny" SecDebugLog %%TESTDIR%%/auditlog-debug-global.txt @@ -95,7 +95,7 @@ http { error_page 403 /403.html; location /403.html { - modsecurity off; + coraza off; root %%TESTDIR%%/http; internal; } @@ -125,11 +125,11 @@ my $t2; my $t3; my $t4; -# Performing requests to a server with ModSecurity enabled at location context +# Performing requests to a server with Coraza enabled at location context $t1 = http_get_host('s1', '/index.html?what=root'); $t2 = http_get_host('s1', '/index.html?what=other'); -# Performing requests to a server with ModSecurity enabled at server context +# Performing requests to a server with Coraza enabled at server context $t3 = http_get_host('s2', '/index.html?what=root'); $t4 = http_get_host('s2', '/index.html?what=other'); 
@@ -147,18 +147,18 @@ my $global = do { <$fh>; }; -like($t1, qr/$custom_txt/, 'ModSecurity at location / root'); -like($t2, qr/$index_txt/, 'ModSecurity at location / other'); -like($local, qr/what=root/, 'ModSecurity at location / root present in auditlog'); -unlike($local, qr/what=other/, 'ModSecurity at location / other not present in auditlog'); +like($t1, qr/$custom_txt/, 'Coraza at location / root'); +like($t2, qr/$index_txt/, 'Coraza at location / other'); +like($local, qr/what=root/, 'Coraza at location / root present in auditlog'); +unlike($local, qr/what=other/, 'Coraza at location / other not present in auditlog'); -like($t3, qr/$custom_txt/, 'ModSecurity at server / root'); -like($t4, qr/$index_txt/, 'ModSecurity at server / other'); -like($global, qr/what=root/, 'ModSecurity at server / root present in auditlog'); -unlike($global, qr/what=other/, 'ModSecurity at server / other not present in auditlog'); +like($t3, qr/$custom_txt/, 'Coraza at server / root'); +like($t4, qr/$index_txt/, 'Coraza at server / other'); +like($global, qr/what=root/, 'Coraza at server / root present in auditlog'); +unlike($global, qr/what=other/, 'Coraza at server / other not present in auditlog'); -like($local, qr/Access denied with code 403/, 'ModSecurity at location / 403 in auditlog'); -like($global, qr/Access denied with code 403/, 'ModSecurity at server / 403 in auditlog'); +like($local, qr/Access denied with code 403/, 'Coraza at location / 403 in auditlog'); +like($global, qr/Access denied with code 403/, 'Coraza at server / 403 in auditlog'); ############################################################################### diff --git a/tests/modsecurity-config-debuglog.t b/tests/modsecurity-config-debuglog.t index 5c65aca..8a6424e 100644 --- a/tests/modsecurity-config-debuglog.t +++ b/tests/modsecurity-config-debuglog.t 
@@ -1,7 +1,7 @@ #!/usr/bin/perl # -# ModSecurity, http://www.modsecurity.org/ +# Coraza, http://www.coraza.io/ # Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) # # You may not use this file except in compliance with @@ -11,11 +11,11 @@ # # If any of the files related to licensing are missing or if you have any # other questions related to licensing please contact Trustwave Holdings, Inc. -# directly using the email address security@modsecurity.org. +# directly using the email address security@coraza.io. # -# Tests for ModSecurity module. +# Tests for Coraza module. ############################################################################### @@ -53,30 +53,30 @@ http { listen 127.0.0.1:8080; server_name localhost; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq whee" "id:10,phase:2" SecRule ARGS "@streq whee" "id:11,phase:2" '; location / { - modsecurity_rules ' - SecRule ARGS "@streq root" "id:21,phase:1,status:302,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq root" "id:21,phase:1,status:302,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/debuglog-root.txt SecDebugLogLevel 9 '; } location /subfolder1 { - modsecurity_rules ' - SecRule ARGS "@streq subfolder1" "id:31,phase:1,status:302,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq subfolder1" "id:31,phase:1,status:302,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/debuglog-subfolder1.txt SecDebugLogLevel 9 '; location /subfolder1/subfolder2 { - modsecurity_rules ' - SecRule ARGS "@streq subfolder2" "id:41,phase:1,status:302,redirect:http://www.modsecurity.org" + coraza_rules ' + SecRule ARGS "@streq subfolder2" "id:41,phase:1,status:302,redirect:http://www.coraza.io" SecDebugLog %%TESTDIR%%/debuglog-subfolder2.txt SecDebugLogLevel 9 '; diff --git a/tests/modsecurity-config-merge.t b/tests/modsecurity-config-merge.t index 8115662..51a1d66 100644 
--- a/tests/modsecurity-config-merge.t +++ b/tests/modsecurity-config-merge.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity-nginx connector (configuration merge). +# Tests for Coraza-nginx connector (configuration merge). ############################################################################### @@ -36,8 +36,8 @@ events { http { %%TEST_GLOBALS_HTTP%% - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimit 128 @@ -54,35 +54,35 @@ http { } location /modsec-disabled { - modsecurity_rules ' + coraza_rules ' SecRuleEngine Off '; proxy_pass http://127.0.0.1:%%PORT_8081%%; } location /nobodyaccess { - modsecurity_rules ' + coraza_rules ' SecRequestBodyAccess Off '; proxy_pass http://127.0.0.1:%%PORT_8081%%; } location /bodylimitprocesspartial { - modsecurity_rules ' + coraza_rules ' SecRequestBodyLimitAction ProcessPartial '; proxy_pass http://127.0.0.1:%%PORT_8081%%; } location /bodylimitincreased { - modsecurity_rules ' + coraza_rules ' SecRequestBodyLimit 512 '; proxy_pass http://127.0.0.1:%%PORT_8081%%; } location /server { - modsecurity off; + coraza off; location /server/modsec-disabled { proxy_pass http://127.0.0.1:%%PORT_8082%%; @@ -105,7 +105,7 @@ http { server { listen 127.0.0.1:%%PORT_8082%%; - modsecurity_rules ' + coraza_rules ' SecRuleEngine Off '; @@ -117,7 +117,7 @@ http { server { listen 127.0.0.1:%%PORT_8083%%; - modsecurity_rules ' + coraza_rules ' SecRequestBodyAccess Off '; @@ -129,7 +129,7 @@ http { server { listen 127.0.0.1:%%PORT_8084%%; - modsecurity_rules ' + coraza_rules ' SecRequestBodyLimitAction ProcessPartial '; @@ -141,7 +141,7 @@ http { server { listen 127.0.0.1:%%PORT_8085%%; - modsecurity_rules ' + coraza_rules ' SecRequestBodyLimit 512 '; diff --git a/tests/modsecurity-config.t b/tests/modsecurity-config.t index 6a1e226..48cd303 100644 --- a/tests/modsecurity-config.t +++ b/tests/modsecurity-config.t 
@@ -1,7 +1,7 @@ #!/usr/bin/perl # -# ModSecurity, http://www.modsecurity.org/ +# Coraza, http://www.coraza.io/ # Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) # # You may not use this file except in compliance with @@ -11,11 +11,11 @@ # # If any of the files related to licensing are missing or if you have any # other questions related to licensing please contact Trustwave Holdings, Inc. -# directly using the email address security@modsecurity.org. +# directly using the email address security@coraza.io. # -# Tests for ModSecurity module. +# Tests for Coraza module. ############################################################################### @@ -52,29 +52,29 @@ http { listen 127.0.0.1:8080; server_name localhost; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq whee" "id:10,phase:2" SecRule ARGS "@streq whee" "id:11,phase:2" '; location / { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On - SecRule ARGS "@streq root" "id:21,phase:1,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq root" "id:21,phase:1,status:302,redirect:http://www.coraza.io" '; } location /subfolder1 { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On - SecRule ARGS "@streq subfolder1" "id:31,phase:1,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq subfolder1" "id:31,phase:1,status:302,redirect:http://www.coraza.io" '; location /subfolder1/subfolder2 { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On - SecRule ARGS "@streq subfolder2" "id:41,phase:1,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq subfolder2" "id:41,phase:1,status:302,redirect:http://www.coraza.io" '; } } diff --git a/tests/modsecurity-h2.t b/tests/modsecurity-h2.t index 981d103..5067841 100644 --- a/tests/modsecurity-h2.t +++ b/tests/modsecurity-h2.t 
@@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity module (HTTP/2). +# Tests for Coraza module (HTTP/2). ############################################################################### 
@@ -41,54 +41,54 @@ http { server_name localhost; location / { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq whee" "id:10,phase:2" SecRule ARGS "@streq whee" "id:11,phase:2" '; } location /phase1 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:1,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" '; } location /phase2 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:2,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:2,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:2,status:403,block" '; } location /phase3 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:3,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" 
"id:1,phase:3,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:3,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:3,status:403,block" '; } location /phase4 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecResponseBodyAccess On SecDefaultAction "phase:4,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:4,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:4,status:403,block" '; diff --git a/tests/modsecurity-proxy-h2.t b/tests/modsecurity-proxy-h2.t index e8ef0ad..791bcbe 100644 --- a/tests/modsecurity-proxy-h2.t +++ b/tests/modsecurity-proxy-h2.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity over the http proxy module (HTTP/2). +# Tests for Coraza over the http proxy module (HTTP/2). ############################################################################### 
@@ -46,12 +46,12 @@ http { } location /phase1 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:1,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" '; @@ -59,12 +59,12 @@ http { proxy_read_timeout 1s; } location /phase2 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:2,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:2,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:2,status:403,block" '; 
@@ -72,12 +72,12 @@ http { proxy_read_timeout 1s; } location /phase3 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:3,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:3,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:3,status:403,block" '; @@ -85,13 +85,13 @@ http { proxy_read_timeout 1s; } location /phase4 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecResponseBodyAccess On SecDefaultAction "phase:4,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:4,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:4,status:403,block" '; diff --git a/tests/modsecurity-proxy.t b/tests/modsecurity-proxy.t index a412f5e..627336e 100644 --- a/tests/modsecurity-proxy.t +++ b/tests/modsecurity-proxy.t @@ -1,7 +1,7 @@ #!/usr/bin/perl -# Tests for ModSecurity over the http proxy module. +# Tests for Coraza over the http proxy module. ############################################################################### 
@@ -44,12 +44,12 @@ http { } location /phase1 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:1,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" '; @@ -57,12 +57,12 @@ http { proxy_read_timeout 1s; } location /phase2 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:2,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:2,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:2,status:403,block" '; 
@@ -70,12 +70,12 @@ http { proxy_read_timeout 1s; } location /phase3 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:3,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:3,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:3,status:403,block" '; @@ -83,13 +83,13 @@ http { proxy_read_timeout 1s; } location /phase4 { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecResponseBodyAccess On SecDefaultAction "phase:4,log,deny,status:403" - SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.modsecurity.org" - SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.modsecurity.org" + SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.coraza.io" + SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.coraza.io" SecRule ARGS "@streq block401" "id:3,phase:4,status:401,block" SecRule ARGS "@streq block403" "id:4,phase:4,status:403,block" '; diff --git a/tests/modsecurity-request-body-h2.t b/tests/modsecurity-request-body-h2.t index 825650b..c93ba95 100644 --- a/tests/modsecurity-request-body-h2.t +++ b/tests/modsecurity-request-body-h2.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity-nginx connector (request body operations, HTTP/2). +# Tests for Coraza-nginx connector (request body operations, HTTP/2). ############################################################################### 
@@ -48,11 +48,11 @@ http { listen 127.0.0.1:8080 http2; server_name localhost; - modsecurity on; + coraza on; client_header_buffer_size 1024; location /bodyaccess { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_BODY "@rx BAD BODY" "id:11,phase:request,deny,log,status:403" @@ -61,7 +61,7 @@ http { } location /nobodyaccess { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess Off SecRule REQUEST_BODY "@rx BAD BODY" "id:21,phase:request,deny,log,status:403" @@ -71,7 +71,7 @@ http { } location /bodylimitreject { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimit 128 @@ -82,7 +82,7 @@ http { } location /bodylimitprocesspartial { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimit 128 @@ -97,8 +97,8 @@ http { } location = /useauth { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On '; @@ -185,7 +185,7 @@ is($frame->{headers}->{':status'}, 403, "${method} request body limit process pa } TODO: { -# https://github.com/SpiderLabs/ModSecurity-nginx/issues/163 +# https://github.com/SpiderLabs/Coraza-nginx/issues/163 # https://github.com/nginx/nginx/commit/6c89d752c8ab3a3cc0832927484808b68153f8c4 local $TODO = 'not yet' unless $t->has_version('1.19.3'); diff --git a/tests/modsecurity-request-body.t b/tests/modsecurity-request-body.t index f455f9b..f4a998d 100644 --- a/tests/modsecurity-request-body.t +++ b/tests/modsecurity-request-body.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity-nginx connector (request body operations). +# Tests for Coraza-nginx connector (request body operations). ############################################################################### 
@@ -40,11 +40,11 @@ http { listen 127.0.0.1:8080; server_name localhost; - modsecurity on; + coraza on; client_header_buffer_size 1024; location /bodyaccess { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_BODY "@rx BAD BODY" "id:11,phase:request,deny,log,status:403" @@ -53,7 +53,7 @@ http { } location /nobodyaccess { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess Off SecRule REQUEST_BODY "@rx BAD BODY" "id:21,phase:request,deny,log,status:403" @@ -63,7 +63,7 @@ http { } location /bodylimitreject { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimit 128 @@ -74,12 +74,12 @@ http { } location /bodylimitrejectserver { - modsecurity off; + coraza off; proxy_pass http://127.0.0.1:%%PORT_8082%%; } location /bodylimitprocesspartial { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimit 128 @@ -94,8 +94,8 @@ http { } location = /useauth { - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On '; @@ -106,8 +106,8 @@ http { server { listen 127.0.0.1:%%PORT_8082%%; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecRequestBodyAccess On SecRequestBodyLimit 128 diff --git a/tests/modsecurity-response-body.t b/tests/modsecurity-response-body.t index 5403b8e..dedd2cd 100644 --- a/tests/modsecurity-response-body.t +++ b/tests/modsecurity-response-body.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity-nginx connector (response body operations). +# Tests for Coraza-nginx connector (response body operations). ############################################################################### 
@@ -39,11 +39,11 @@ http { listen 127.0.0.1:8080; server_name localhost; - modsecurity on; + coraza on; location /body1 { default_type text/plain; - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecResponseBodyAccess On SecResponseBodyLimit 128 diff --git a/tests/modsecurity-scoring.t b/tests/modsecurity-scoring.t index 65fcb13..d30a113 100644 --- a/tests/modsecurity-scoring.t +++ b/tests/modsecurity-scoring.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity-nginx connector (scoring). +# Tests for Coraza-nginx connector (scoring). ############################################################################### @@ -39,10 +39,10 @@ http { listen 127.0.0.1:8080; server_name localhost; - modsecurity on; + coraza on; location /absolute { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq badarg1" "id:11,phase:2,setvar:tx.score=1" SecRule ARGS "@streq badarg2" "id:12,phase:2,setvar:tx.score=2" @@ -51,7 +51,7 @@ http { } location /iterative { - modsecurity_rules ' + coraza_rules ' SecRuleEngine On SecRule ARGS "@streq badarg1" "id:21,phase:2,setvar:tx.score=+1" SecRule ARGS "@streq badarg2" "id:22,phase:2,setvar:tx.score=+1" diff --git a/tests/modsecurity-transaction-id.t b/tests/modsecurity-transaction-id.t index f431c10..6e64568 100644 --- a/tests/modsecurity-transaction-id.t +++ b/tests/modsecurity-transaction-id.t @@ -2,7 +2,7 @@ # (C) Andrei Belov -# Tests for ModSecurity-nginx connector (modsecurity_transaction_id). +# Tests for Coraza-nginx connector (coraza_transaction_id). ############################################################################### @@ -33,7 +33,7 @@ events { http { %%TEST_GLOBALS_HTTP%% - modsecurity_transaction_id "tid-HTTP-DEFAULT-$request_id"; + coraza_transaction_id "tid-HTTP-DEFAULT-$request_id"; server { listen 127.0.0.1:8080; 
@@ -41,8 +41,8 @@ http { location / { error_log %%TESTDIR%%/e_s1l1.log info; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" @@ -54,12 +54,12 @@ http { listen 127.0.0.1:8080; server_name server2; - modsecurity_transaction_id "tid-SERVER-DEFAULT-$request_id"; + coraza_transaction_id "tid-SERVER-DEFAULT-$request_id"; location / { error_log %%TESTDIR%%/e_s2l1.log info; - modsecurity on; - modsecurity_rules ' + coraza on; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" @@ -68,9 +68,9 @@ http { location /specific { error_log %%TESTDIR%%/e_s2l2.log info; - modsecurity on; - modsecurity_transaction_id "tid-LOCATION-SPECIFIC-$request_id"; - modsecurity_rules ' + coraza on; + coraza_transaction_id "tid-LOCATION-SPECIFIC-$request_id"; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" @@ -78,9 +78,9 @@ http { } location /debuglog { - modsecurity on; - modsecurity_transaction_id "tid-DEBUG-$request_id"; - modsecurity_rules ' + coraza on; + coraza_transaction_id "tid-DEBUG-$request_id"; + coraza_rules ' SecRuleEngine On SecDebugLog %%TESTDIR%%/modsec_debug.log SecDebugLogLevel 4 @@ -90,9 +90,9 @@ http { } location /auditlog { - modsecurity on; - modsecurity_transaction_id "tid-AUDIT-$request_id"; - modsecurity_rules ' + coraza on; + coraza_transaction_id "tid-AUDIT-$request_id"; + coraza_rules ' SecRuleEngine On SecDefaultAction "phase:1,log,deny,status:403" SecAuditEngine On 
@@ -143,7 +143,7 @@ Host: server2 EOF -isnt(lines($t, 'modsec_debug.log', 'tid-DEBUG-'), 0, 'libmodsecurity debug log'); +isnt(lines($t, 'modsec_debug.log', 'tid-DEBUG-'), 0, 'libcoraza debug log'); http(< Date: Wed, 9 Mar 2022 18:15:34 -0300 Subject: [PATCH 02/10] remove str_to_char --- src/ngx_http_coraza_common.h | 1 - src/ngx_http_coraza_module.c | 28 +--------------------------- 2 files changed, 1 insertion(+), 28 deletions(-) diff --git a/src/ngx_http_coraza_common.h b/src/ngx_http_coraza_common.h index 86e39f7..2d6f6a6 100644 --- a/src/ngx_http_coraza_common.h +++ b/src/ngx_http_coraza_common.h @@ -107,7 +107,6 @@ extern ngx_module_t ngx_http_coraza_module; /* ngx_http_coraza_module.c */ ngx_int_t ngx_http_coraza_process_intervention (coraza_transaction_t *transaction, ngx_http_request_t *r, ngx_int_t early_log); ngx_http_coraza_ctx_t *ngx_http_coraza_create_ctx(ngx_http_request_t *r); -char *ngx_str_to_char(ngx_str_t a, ngx_pool_t *p); /* ngx_http_coraza_body_filter.c */ ngx_int_t ngx_http_coraza_body_filter_init(void); diff --git a/src/ngx_http_coraza_module.c b/src/ngx_http_coraza_module.c index 83fc77f..73f9d37 100644 --- a/src/ngx_http_coraza_module.c +++ b/src/ngx_http_coraza_module.c 
@@ -39,32 +39,6 @@ static char *ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *chil static void ngx_http_coraza_cleanup_instance(void *data); static void ngx_http_coraza_cleanup_rules(void *data); -/* - * ngx_string's are not null-terminated in common case, so we need to convert - * them into null-terminated ones before passing to CORAZA - */ -ngx_inline ngx_int_t ngx_str_to_char(ngx_str_t a, char* res, ngx_pool_t *p) -{ - char *res = NULL; - - if (a.len == 0) - { - return NGX_OK; - } - - str = ngx_pnalloc(p, a.len + 1); - if (str == NULL) - { - dd("failed to allocate memory to convert space ngx_string to C string"); - /* We already returned NULL for an empty string, so return -1 here to indicate allocation error */ - return (char *)-1; - } - ngx_memcpy(str, a.data, a.len); - str[a.len] = '\0'; - - return str; -} - ngx_inline ngx_int_t ngx_http_coraza_process_intervention(coraza_transaction_t *transaction, ngx_http_request_t *r, ngx_int_t early_log) { @@ -559,7 +533,7 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child) #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG) ngx_http_core_loc_conf_t *clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module); dd("merging loc config [%s] - parent: '%p' child: '%p'", - ngx_str_to_char(clcf->name, cf->pool), parent, + clcf->name.data, parent, child); #endif int rules; From 03afec0383589e6150c599645730481372e756b9 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Wed, 9 Mar 2022 18:22:38 -0300 Subject: [PATCH 03/10] fix error 
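Review bot: The `dd()` call in the merge_conf hunk now passes `clcf->name.data` to a `%s` conversion, but an `ngx_str_t` is length-delimited and its `data` is not guaranteed to be NUL-terminated, so the debug print can read past the end of the location name — the helper this series removes existed for exactly that reason, as its own comment said. Under the variadic definition in ddebug.h `dd` expands to `fprintf`, so the precision form avoids both the over-read and a copy: `dd("merging loc config [%.*s] - parent: '%p' child: '%p'", (int)clcf->name.len, clcf->name.data, parent, child);`. This only compiles in when `CORAZA_DDEBUG` is set, but a debug build that over-reads is still worth fixing. ngx_http_coraza_merge_conf starts outside the hunk.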
Signed-off-by: Felipe Zipitria --- .github/workflows/build.yml | 38 +++-- .github/workflows/stale.yml | 38 ++--- .gitignore | 2 +- Dockerfile | 147 +++++++++++------- config | 72 ++++----- coraza.conf | 5 + ngx-modsec.stp => ngx-coraza.stp | 4 +- src/ngx_http_coraza_common.h | 2 + src/ngx_http_coraza_module.c | 30 ++-- src/ngx_http_coraza_pre_access.c | 6 +- src/ngx_http_coraza_rewrite.c | 54 ++++--- src/ngx_http_coraza_utils.c | 32 ++++ {tests => t}/README.md | 0 .../coraza-config-auditlog.t | 0 .../coraza-config-custom-error-page.t | 0 .../coraza-config-debuglog.t | 0 .../coraza-config-merge.t | 0 .../modsecurity-config.t => t/coraza-config.t | 0 tests/modsecurity-h2.t => t/coraza-h2.t | 0 .../coraza-proxy-h2.t | 0 tests/modsecurity-proxy.t => t/coraza-proxy.t | 0 .../coraza-request-body-h2.t | 0 .../coraza-request-body.t | 0 .../coraza-response-body.t | 0 .../coraza-scoring.t | 0 .../coraza-transaction-id.t | 0 tests/modsecurity.t => t/coraza.t | 0 {tests => t}/nginx-tests-cvt.pl | 0 28 files changed, 267 insertions(+), 163 deletions(-) create mode 100644 coraza.conf rename ngx-modsec.stp => ngx-coraza.stp (77%) create mode 100644 src/ngx_http_coraza_utils.c rename {tests => t}/README.md (100%) rename tests/modsecurity-config-auditlog.t => t/coraza-config-auditlog.t (100%) rename tests/modsecurity-config-custom-error-page.t => t/coraza-config-custom-error-page.t (100%) rename tests/modsecurity-config-debuglog.t => t/coraza-config-debuglog.t (100%) rename tests/modsecurity-config-merge.t => t/coraza-config-merge.t (100%) rename tests/modsecurity-config.t => t/coraza-config.t (100%) rename tests/modsecurity-h2.t => t/coraza-h2.t (100%) rename tests/modsecurity-proxy-h2.t => t/coraza-proxy-h2.t (100%) rename tests/modsecurity-proxy.t => t/coraza-proxy.t (100%) rename tests/modsecurity-request-body-h2.t => t/coraza-request-body-h2.t (100%) rename tests/modsecurity-request-body.t => t/coraza-request-body.t (100%) rename tests/modsecurity-response-body.t => 
t/coraza-response-body.t (100%) rename tests/modsecurity-scoring.t => t/coraza-scoring.t (100%) rename tests/modsecurity-transaction-id.t => t/coraza-transaction-id.t (100%) rename tests/modsecurity.t => t/coraza.t (100%) rename {tests => t}/nginx-tests-cvt.pl (100%) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b741945..6c5cb3b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -57,9 +57,9 @@ jobs: - name: Install dependencies with apt run: | sudo add-apt-repository universe - sudo apt-get update - sudo apt-get -y \ - --fix-missing install \ + sudo apt-get -qq update + sudo apt-get -y -qq \ + --fix-missing --no-install-recommends install \ gcc make \ libxml2-dev \ libxslt-dev \ 
@@ -89,26 +89,28 @@ jobs: - name: Configure compilation of dynamic module run: | - ls -l cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }} ./configure \ --with-compat \ --add-dynamic-module=${{ github.workspace }}/ \ --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \ --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \ - --prefix=/usr/share/nginx \ + --prefix=/etc/nginx \ + --sbin-path=/usr/sbin/nginx \ --conf-path=/etc/nginx/nginx.conf \ --http-log-path=/var/log/nginx/access.log \ --error-log-path=/var/log/nginx/error.log \ --lock-path=/var/lock/nginx.lock \ --pid-path=/run/nginx.pid \ --modules-path=/usr/lib/nginx/modules \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ + --http-client-body-temp-path=/var/cache/nginx/client_temp \ + --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ + --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ + --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ + --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ --with-debug \ + --with-file-aio \ + --with-threads \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-http_realip_module \ 
@@ -126,10 +128,22 @@ jobs: --with-http_xslt_module=dynamic \ --with-stream=dynamic - - name: Compile dynamic module - run: | + - name: Compile dynamic module and install nginx + run: | cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }} make modules + make + sudo make install + + - name: Run tests + run: | + wget http://hg.nginx.org/nginx-tests/archive/tip.tar.gz + tar xzf tip.tar.gz + cd nginx-tests-* + cp ../t/* . + export TEST_NGINX_BINARY=/usr/sbin/nginx + export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";" + prove . -t coraza*.t - name: Upload a Build Artifact uses: actions/upload-artifact@v2 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index f04c548..a8cd9e1 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml 
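Review bot: The new `Run tests` step fetches `http://hg.nginx.org/nginx-tests/archive/tip.tar.gz` over plain HTTP, unpinned, and immediately executes its contents with `prove` against an nginx that was just installed with `sudo make install`, so anyone able to tamper with that download or with the upstream repository's tip controls code running in this job. Fetch over `https://`, pin a specific changeset tarball instead of `tip`, and verify a recorded digest before `tar xzf`, e.g. `echo "<expected-sha256>  tip.tar.gz" | sha256sum -c -` with the digest kept in the workflow. Pinning also keeps the test run reproducible when the upstream test-suite changes. The Dockerfile hunk in this commit downloads sources the same way.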
@@ -1,19 +1,19 @@ -#name: "Close stale issues" -#on: -# schedule: -# - cron: "0 0 * * *" -# -#jobs: -# stale: -# runs-on: ubuntu-latest -# steps: -# - uses: actions/stale@v3 -# with: -# repo-token: ${{ secrets.GITHUB_TOKEN }} -# stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' -# stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' -# stale-issue-label: 'no-issue-activity' -# stale-pr-label: 'no-pr-activity' -# exempt-issue-label: 'nostale,work-in-progress' -# days-before-stale: 30 -# days-before-close: 5 +name: "Close stale issues" +on: + schedule: + - cron: "0 0 * * *" + +jobs: + stale: + runs-on: ubuntu-latest + steps: + - uses: actions/stale@v3 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' + stale-pr-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days' + stale-issue-label: 'no-issue-activity' + stale-pr-label: 'no-pr-activity' + exempt-issue-label: 'nostale,work-in-progress' + days-before-stale: 30 + days-before-close: 5 diff --git a/.gitignore b/.gitignore index dbe9c82..1d74e21 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -.vscode/ \ No newline at end of file +.vscode/ diff --git a/Dockerfile b/Dockerfile index b4f19a8..8c0c071 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,56 +1,91 @@ -FROM ubuntu:latest - -RUN apt-get update \ - && apt install -y wget build-essential libpcre++-dev git-core libtool openssl libssl-dev zlib1g-dev\ - && wget http://nginx.org/download/nginx-1.22.0.tar.gz \ - && tar -xvzf nginx-1.22.0.tar.gz -WORKDIR /nginx-1.22.0 - -RUN wget https://go.dev/dl/go1.19.linux-amd64.tar.gz && \ - tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz - -ENV PATH="$PATH:/usr/local/go/bin" -ENV CPPFLAGS="-DPNG_ARM_NEON_OPT=0" -COPY . coraza - -RUN git clone https://github.com/corazawaf/libcoraza && \ - cd libcoraza && \ - ./build.sh && \ - ./configure && \ - make && \ - make install - -RUN ./configure \ - --with-compat \ - --add-module=/nginx-1.22.0/coraza/ \ - --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \ - --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \ - --prefix=/usr/share/nginx \ - --conf-path=/etc/nginx/nginx.conf \ - --http-log-path=/var/log/nginx/access.log \ - --error-log-path=/var/log/nginx/error.log \ - --lock-path=/var/lock/nginx.lock \ - --pid-path=/run/nginx.pid \ - --modules-path=/usr/lib/nginx/modules \ - --http-client-body-temp-path=/var/lib/nginx/body \ - --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ - --http-proxy-temp-path=/var/lib/nginx/proxy \ - --http-scgi-temp-path=/var/lib/nginx/scgi \ - --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \ - --with-debug \ - --with-http_ssl_module \ - --with-http_stub_status_module \ - #--with-http_realip_module \ - --with-http_auth_request_module \ - --with-http_v2_module \ - #--with-http_dav_module \ - --with-http_slice_module \ - --with-threads \ - --with-http_addition_module \ - #--with-http_geoip_module=dynamic \ - --with-http_gunzip_module \ - #--with-http_gzip_static_module \ - #--with-http_image_filter_module=dynamic \ - --with-http_sub_module \ - #--with-http_xslt_module=dynamic \ - --with-stream=dynamic \ No newline at end of file +FROM golang as go-builder + +ARG 
libcoraza_version=master + +# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile +RUN set -eux; \ + apt-get update -qq; \ + apt-get install -qq --no-install-recommends \ + autoconf \ + automake \ + libtool \ + gcc \ + bash \ + make + +COPY ./libcoraza /tmp/master + +RUN set -eux; \ + #wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \ + #tar -xvf /tmp/master; \ + #cd corazawaf-libcoraza-*; \ + cd /tmp/master; \ + ./build.sh; \ + ./configure; \ + make; \ + make V=1 install + +FROM nginx:stable as ngx-coraza + +COPY --from=go-builder /usr/local/include/coraza /usr/local/include/coraza +COPY --from=go-builder /usr/local/lib/libcorazacore.a /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazautils.a /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib + +# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile +RUN set -eux; \ + apt-get update -qq; \ + apt-get install -qq --no-install-recommends \ + gcc \ + gnupg1 \ + ca-certificates \ + libc-dev \ + make \ + openssl \ + curl \ + gnupg \ + wget \ + libpcre3 libpcre3-dev \ + zlib1g-dev + +COPY . 
/usr/src/coraza-nginx + +# Download sources +RUN set -eux; \ + curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC /usr/src -f -; + # Reuse same cli arguments as the nginx:alpine image used to build + +RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\ + cd /usr/src/nginx-$NGINX_VERSION; \ + ./configure --with-compat "$CONFARGS" --add-dynamic-module=/usr/src/coraza-nginx; \ + make modules; \ + mkdir -p /usr/lib/nginx/modules; \ + find objs/*.so -print; \ + cp objs/ngx_*.so /usr/lib/nginx/modules + +FROM nginx:stable + +RUN sed -i -e "s|events {|load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";\n\nevents {|" /etc/nginx/nginx.conf; + +COPY ./coraza.conf /etc/nginx/conf.d/coraza.conf +COPY --from=ngx-coraza /usr/lib/nginx/modules/ /usr/lib/nginx/modules/ +COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib + +RUN ldconfig -v + +COPY ./t /tmp/t + +RUN set -eux; \ + apt-get update -qq; \ + apt-get install -qq --no-install-recommends curl perl; \ + curl http://hg.nginx.org/nginx-tests/archive/tip.tar.gz -o tip.tar.gz; \ + tar xzf tip.tar.gz; \ + cd nginx-tests-*; \ + cp /tmp/t/* . ;\ + export TEST_NGINX_BINARY=/usr/sbin/nginx; \ + export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";"; \ + prove . -t coraza*.t + +>>>>>>> db83d99 (fix error) diff --git a/config b/config index d28a3d9..a2c380c 100644 --- a/config +++ b/config 
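Review bot: The last added line of the Dockerfile, `>>>>>>> db83d99 (fix error)`, is a leftover merge-conflict marker; Docker rejects the file with an unknown-instruction error before any stage builds, so this commit cannot produce an image as written. Drop that line and check whether a matching `<<<<<<<`/`=======` pair survived elsewhere in the file. Separately, the `ngx-coraza` stage pulls `http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` over plain HTTP and unpacks it unverified even though `gnupg` is installed in the same stage; fetching over `https://` and checking the upstream signature or a pinned digest before `tar zxC` would close that gap. The final image also installs `perl` and `curl` and runs the test-suite at build time, which leaves test tooling in the runtime image; moving that to a separate stage or to CI keeps the shipped image smaller.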
@@ -10,38 +10,39 @@ ngx_addon_name="ngx_http_coraza_module" coraza_dependency="ngx_http_postpone_filter_module \ - ngx_http_ssi_filter_module \ - ngx_http_charset_filter_module \ - ngx_http_sub_filter_module \ - ngx_http_addition_filter_module \ - ngx_http_gunzip_filter_module \ - ngx_http_userid_filter_module \ - ngx_http_headers_filter_module \ - ngx_http_copy_filter_module" + ngx_http_ssi_filter_module \ + ngx_http_charset_filter_module \ + ngx_http_xslt_filter_module \ + ngx_http_image_filter_module \ + ngx_http_sub_filter_module \ + ngx_http_addition_filter_module \ + ngx_http_gunzip_filter_module \ + ngx_http_userid_filter_module \ + ngx_http_headers_filter_module \ + ngx_http_copy_filter_module" if test -n "$ngx_module_link"; then ngx_module_type=HTTP_FILTER ngx_module_name="$ngx_addon_name" ngx_module_srcs="$ngx_addon_dir/src/ngx_http_coraza_module.c \ - $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ - $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_log.c \ - $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ - " + $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ + $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_log.c \ + $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ + $ngx_addon_dir/src/ngx_http_coraza_utils.c \ + " ngx_module_deps="$ngx_addon_dir/src/ddebug.h \ - $ngx_addon_dir/src/ngx_http_coraza_common.h \ - " ngx_module_libs="-lcoraza" ngx_module_incs="-L/usr/local/lib" - ngx_module_order="ngx_http_chunked_filter_module \ - ngx_http_v2_filter_module \ - ngx_http_range_header_filter_module \ - ngx_http_gzip_filter_module \ - $ngx_module_name \ - $coraza_dependency"; + ngx_module_order="ngx_http_chunked_filter_module \ + ngx_http_v2_filter_module \ + ngx_http_range_header_filter_module \ + ngx_http_gzip_filter_module \ + $ngx_module_name \ + $coraza_dependency"; . 
auto/module else @@ -52,19 +53,18 @@ else CORE_LIBS="$CORE_LIBS $ngx_feature_libs" HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES ngx_http_coraza_module" - NGX_ADDON_SRCS="\ - $NGX_ADDON_SRCS \ - $ngx_addon_dir/src/ngx_http_coraza_module.c \ - $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ - $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ - $ngx_addon_dir/src/ngx_http_coraza_log.c \ - $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ - " + NGX_ADDON_SRCS="$NGX_ADDON_SRCS \ + $ngx_addon_dir/src/ngx_http_coraza_module.c \ + $ngx_addon_dir/src/ngx_http_coraza_pre_access.c \ + $ngx_addon_dir/src/ngx_http_coraza_header_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ + $ngx_addon_dir/src/ngx_http_coraza_log.c \ + $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ + $ngx_addon_dir/src/ngx_http_coraza_utils.c \ + " - NGX_ADDON_DEPS="\ - $NGX_ADDON_DEPS \ - $ngx_addon_dir/src/ddebug.h \ - $ngx_addon_dir/src/ngx_http_coraza_common.h \ - " + NGX_ADDON_DEPS="$NGX_ADDON_DEPS \ + $ngx_addon_dir/src/ddebug.h \ + $ngx_addon_dir/src/ngx_http_coraza_common.h \ + " fi diff --git a/coraza.conf b/coraza.conf new file mode 100644 index 0000000..9bf4971 --- /dev/null +++ b/coraza.conf @@ -0,0 +1,5 @@ +coraza on; +coraza_rules 'SecRuleEngine On + SecRule ARGS "@streq whee" "id:10,phase:2" + SecRule ARGS "@streq whee" "id:11,phase:2" + '; diff --git a/ngx-modsec.stp b/ngx-coraza.stp similarity index 77% rename from ngx-modsec.stp rename to ngx-coraza.stp index 8c5fa65..29b8a73 100755 --- a/ngx-modsec.stp +++ b/ngx-coraza.stp 
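Review bot: In the `ngx_module_deps` assignment of the first hunk, the continuation line for `ngx_http_coraza_common.h` and the closing `"` were removed but the trailing `\` on the `ddebug.h` line was kept, so the string now continues onto the `ngx_module_libs="-lcoraza"` line and the quoting of every assignment after it is shifted. As far as the collapsed hunk shows, nothing re-adds the common.h dependency on the dynamic-module path either, while the static path in the second hunk still lists it. Restore the two lines, `$ngx_addon_dir/src/ngx_http_coraza_common.h \` and the closing `"`, after `ngx_module_deps="$ngx_addon_dir/src/ddebug.h \`, or drop the trailing backslash and close the quote on the `ddebug.h` line.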
@@ -6,12 +6,12 @@ global rules_phase # Rules -probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*") +probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*") { begin_rule = gettimeofday_us(); } -probe process("/usr/local/lib/libcoraza.so.3").function("evaluate@rule.cc*").return +probe process("/usr/local/lib/libcoraza.so").function("evaluate@rule.cc*").return { elapsed_rule = gettimeofday_us() - begin_rule rules[$this->m_ruleId] <<< elapsed_rule diff --git a/src/ngx_http_coraza_common.h b/src/ngx_http_coraza_common.h index 2d6f6a6..bebdaf7 100644 --- a/src/ngx_http_coraza_common.h +++ b/src/ngx_http_coraza_common.h @@ -126,5 +126,7 @@ ngx_int_t ngx_http_coraza_pre_access_handler(ngx_http_request_t *r); /* ngx_http_coraza_rewrite.c */ ngx_int_t ngx_http_coraza_rewrite_handler(ngx_http_request_t *r); +/* ngx_http_coraza_utils.c */ +ngx_int_t ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p); #endif /* _ngx_http_coraza_COMMON_H_INCLUDED_ */ diff --git a/src/ngx_http_coraza_module.c b/src/ngx_http_coraza_module.c index 73f9d37..c7b5c11 100644 --- a/src/ngx_http_coraza_module.c +++ b/src/ngx_http_coraza_module.c @@ -142,7 +142,9 @@ void ngx_http_coraza_cleanup(void *data) ctx = (ngx_http_coraza_ctx_t *)data; - coraza_free_transaction(ctx->coraza_transaction); + if (coraza_free_transaction(ctx->coraza_transaction) != NGX_OK) { + dd("cleanup -- transaction free failed: %d", res); + }; } ngx_inline ngx_http_coraza_ctx_t * 
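Review bot: The new prototype `ngx_int_t ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p);` takes the output buffer by value, so the function cannot hand a pool-allocated NUL-terminated copy back to its caller, and every caller in this commit passes a `char *` initialised to `NULL` (`rules` and `rules_set` in ngx_http_coraza_module.c, `file_name` in ngx_http_coraza_pre_access.c). After those calls the local is still `NULL` — or the helper wrote through a null pointer — and it is then handed to `coraza_rules_add` and `coraza_request_body_from_file`. The out-parameter needs one more level of indirection: `ngx_int_t ngx_str_to_char(ngx_str_t a, char **str, ngx_pool_t *p);` with the callers passing `&rules`, `&rules_set` and `&file_name`. The implementation in ngx_http_coraza_utils.c is not in this chunk, so I cannot confirm what it does with `str`.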
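Review bot: In the ngx_http_coraza_cleanup hunk, the new `dd("cleanup -- transaction free failed: %d", res);` refers to `res`, but the return value of `coraza_free_transaction` is only compared, never stored, and no `res` is declared in the visible lines; unless one exists above the hunk this does not compile in `CORAZA_DDEBUG` builds, while in non-debug builds `dd` presumably compiles away and hides it. Capture the result first, `int res = coraza_free_transaction(ctx->coraza_transaction); if (res != NGX_OK) { dd("cleanup -- transaction free failed: %d", res); }`, and drop the stray `;` after the closing brace. Whether libcoraza's success value coincides with nginx's `NGX_OK` is not established by anything in this chunk and is worth confirming against the library header. The enclosing function starts outside the hunk.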
@@ -199,15 +201,20 @@ char * ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { int res; - char *rules; + char *rules = NULL; ngx_str_t *value; - char *error; + char *error = NULL; ngx_http_coraza_conf_t *mcf = conf; ngx_http_coraza_main_conf_t *mmcf; value = cf->args->elts; - res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error); + if (ngx_str_to_char(value[1], rules, cf->pool) != NGX_OK) { + dd("Failed to get the rules"); + return NGX_CONF_ERROR; + } + + res = coraza_rules_add(mcf->waf, rules, &error); if (res < 0) { @@ -225,15 +232,20 @@ char * ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { int res; - char *rules_set; + char *rules_set = NULL; ngx_str_t *value; - char **error; + char **error = NULL; ngx_http_coraza_conf_t *mcf = conf; ngx_http_coraza_main_conf_t *mmcf; value = cf->args->elts; - res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error); + if (ngx_str_to_char(value[1], rules_set, cf->pool) != NGX_OK) { + dd("Failed to get the rules_file"); + return NGX_CONF_ERROR; + } + + res = coraza_rules_add(mcf->waf, rules_set, error); if (res < 0) { @@ -554,11 +566,11 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child) dd("CHILD RULES"); coraza_rules_dump(c->rules_set); #endif - rules = coraza_rules_merge(c->waf, p->waf, &error); + rules = coraza_rules_merge(c->waf, p->waf, error); if (rules < 0) { - return error; + return *error; } #if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG) diff --git a/src/ngx_http_coraza_pre_access.c b/src/ngx_http_coraza_pre_access.c index 8ef6abf..e533ff2 100644 --- a/src/ngx_http_coraza_pre_access.c +++ b/src/ngx_http_coraza_pre_access.c @@ -138,6 +138,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r) { int ret = 0; int already_inspected = 0; + char *file_name = NULL; dd("request body is ready to be processed"); 
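Review bot: ngx_conf_set_rules_file now declares `char **error = NULL;` and passes `error` instead of `&error`, so coraza_rules_add receives a NULL `char **`; if the library writes its message through that pointer, a syntax error in a rules file becomes a NULL dereference at configuration load instead of a diagnostic. ngx_conf_set_rules in the hunk above keeps `char *error = NULL;` with `&error`, which is the form to use in both places: `char *error = NULL;` and `res = coraza_rules_add(mcf->waf, rules_set, &error);`. The merge_conf change to `coraza_rules_merge(c->waf, p->waf, error)` followed by `return *error;` has the same shape; its `error` declaration is outside the hunk, so its current type is inferred. Separately, `rules` and `rules_set` are still NULL when they reach coraza_rules_add, because ngx_str_to_char takes the destination `char *` by value and nothing it assigns is visible to the caller.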
@@ -156,8 +157,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r) if (r->request_body->temp_file != NULL) { ngx_str_t file_path = r->request_body->temp_file->file.name; - const char *file_name = ngx_str_to_char(file_path, r->pool); - if (file_name == (char*)-1) { + if (ngx_str_to_char(file_path, file_name, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } /* @@ -166,7 +166,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r) */ dd("request body inspection: file -- %s", file_name); - coraza_request_body_from_file(ctx->coraza_transaction, (char*)file_name); + coraza_request_body_from_file(ctx->coraza_transaction, file_name); already_inspected = 1; } else { diff --git a/src/ngx_http_coraza_rewrite.c b/src/ngx_http_coraza_rewrite.c index 3526fc9..87179db 100644 --- a/src/ngx_http_coraza_rewrite.c +++ b/src/ngx_http_coraza_rewrite.c @@ -25,6 +25,12 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) { ngx_http_coraza_ctx_t *ctx; ngx_http_coraza_conf_t *mcf; + ngx_str_t ngx_server_addr; + char *client_addr = NULL; + char *server_addr = NULL; + char *uri = NULL; + char *method = NULL; + char *http_version = NULL; mcf = ngx_http_get_module_loc_conf(r, ngx_http_coraza_module); if (mcf == NULL || mcf->enable != 1) { @@ -43,12 +49,9 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) int ret = 0; ngx_connection_t *connection = r->connection; - /** - * FIXME: We may want to use struct sockaddr instead of addr_text. - * - */ - ngx_str_t addr_text = connection->addr_text; + ngx_str_t addr_text = connection->addr_text; + ctx = ngx_http_coraza_create_ctx(r); dd("ctx was NULL, creating new context: %p", ctx); 
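Review bot: `file_name` is still NULL when it reaches `coraza_request_body_from_file(ctx->coraza_transaction, file_name)`, because `ngx_str_to_char(file_path, file_name, r->pool)` receives the destination pointer by value and its assignment is lost. A request body that nginx buffered to its temp file is therefore handed to the engine as a NULL path, and since that call's return value is not checked and `already_inspected = 1` follows unconditionally, the body is silently not inspected — a bypass for exactly the large bodies a client can choose to send. Once the helper takes a `char **`, call `ngx_str_to_char(file_path, &file_name, r->pool)`, and treat a failure from coraza_request_body_from_file as `return NGX_HTTP_INTERNAL_SERVER_ERROR;` rather than marking the body inspected. The enclosing ngx_http_coraza_pre_access_handler begins before this hunk.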
@@ -68,28 +71,31 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) */ int client_port = ngx_inet_get_port(connection->sockaddr); int server_port = ngx_inet_get_port(connection->local_sockaddr); - - const char *client_addr = ngx_str_to_char(addr_text, r->pool); - if (client_addr == (char*)-1) { + + u_char addr[NGX_SOCKADDR_STRLEN]; + ngx_server_addr.len = NGX_SOCKADDR_STRLEN; + ngx_server_addr.data = addr; + if (ngx_connection_local_sockaddr(r->connection, &ngx_server_addr, 0) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - ngx_str_t s; - u_char addr[NGX_SOCKADDR_STRLEN]; - s.len = NGX_SOCKADDR_STRLEN; - s.data = addr; - if (ngx_connection_local_sockaddr(r->connection, &s, 0) != NGX_OK) { + if (ngx_str_to_char(addr_text, client_addr, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - const char *server_addr = ngx_str_to_char(s, r->pool); - if (server_addr == (char*)-1) { + if (ngx_str_to_char(ngx_server_addr, server_addr, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; - } + } + /* FIXME: addr_text here is an nginx str that might be a path if + * this is a unix socket. Because of this, using the socket + * structure might be better + */ ret = coraza_process_connection(ctx->coraza_transaction, - (char *)client_addr, client_port, - (char *)server_addr, server_port); + client_addr, + client_port, + server_addr, + server_port); if (ret != 1){ dd("Was not able to extract connection information."); } @@ -109,7 +115,6 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) return ret; } - const char *http_version; switch (r->http_version) { case NGX_HTTP_VERSION_9 : http_version = "0.9"; 
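Review bot: `client_addr` and `server_addr` are both NULL when `coraza_process_connection(ctx->coraza_transaction, client_addr, client_port, server_addr, server_port)` runs, because ngx_str_to_char takes the destination `char *` by value, and the only failure handling is `if (ret != 1) { dd(...); }`, so the transaction proceeds with no client address. Any rule or audit-log entry keyed on the remote address (IP allow/deny lists, per-client limits) would then see nothing, which is a silent loss of coverage rather than a visible error. Pass `&client_addr` / `&server_addr` once the helper takes a `char **`, and consider `return NGX_HTTP_INTERNAL_SERVER_ERROR;` when coraza_process_connection reports failure instead of only logging under dd(). The moved FIXME about `addr_text` being a unix-socket path is still open; the server side already uses ngx_connection_local_sockaddr, and the client side could check `connection->sockaddr->sa_family` before treating the text as an IP.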
@@ -130,16 +135,15 @@ ngx_http_coraza_rewrite_handler(ngx_http_request_t *r) break; } - const char *n_uri = ngx_str_to_char(r->unparsed_uri, r->pool); - const char *n_method = ngx_str_to_char(r->method_name, r->pool); - if (n_uri == (char*)-1 || n_method == (char*)-1) { + if (ngx_str_to_char(r->unparsed_uri, uri, r->pool) != NGX_OK) { + dd("uri is of length zero"); return NGX_HTTP_INTERNAL_SERVER_ERROR; } - if (n_uri == NULL) { - dd("uri is of length zero"); + if (ngx_str_to_char(r->method_name, method, r->pool) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } - coraza_process_uri(ctx->coraza_transaction, (char *)n_uri, (char *)n_method, (char *)http_version); + + coraza_process_uri(ctx->coraza_transaction, uri, method, http_version); dd("Processing intervention with the transaction information filled in (uri, method and version)"); ret = ngx_http_coraza_process_intervention(ctx->coraza_transaction, r, 1); diff --git a/src/ngx_http_coraza_utils.c b/src/ngx_http_coraza_utils.c new file mode 100644 index 0000000..e9be865 --- /dev/null +++ b/src/ngx_http_coraza_utils.c @@ -0,0 +1,32 @@ +#include "ddebug.h" +#include "ngx_http_coraza_common.h" + +/* + * ngx_string's are not null-terminated in common case, so we need to convert + * them into null-terminated ones before passing to CORAZA + */ +ngx_int_t +ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p) +{ + if (str) { + free(str); + str = NULL; + } + + if (a.len == 0) + { + return NGX_OK; + } + + str = ngx_pnalloc(p, a.len + 1); + if (str == NULL) + { + dd("failed to allocate memory to convert space ngx_string to C string"); + /* We already returned NULL for an empty string, so return -1 here to indicate allocation error */ + return NGX_ERROR; + } + ngx_memcpy(str, a.data, a.len); + str[a.len] = '\0'; + + return NGX_OK; +} diff --git a/tests/README.md b/t/README.md similarity index 100% rename from tests/README.md rename to t/README.md 
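Review bot: The zero-length URI guard was lost in this rewrite: the old code returned 500 when `n_uri == NULL`, but ngx_str_to_char now returns NGX_OK for `a.len == 0` without touching its output, so the `dd("uri is of length zero")` message is attached to the allocation-failure branch and an empty `unparsed_uri` flows into coraza_process_uri as NULL. Because the helper also takes `uri` and `method` by value, they are NULL on every request, not only empty ones. Keep an explicit check, `if (r->unparsed_uri.len == 0) { dd("uri is of length zero"); return NGX_HTTP_INTERNAL_SERVER_ERROR; }`, and pass `&uri` / `&method` once the helper takes a `char **`. `http_version` is assigned only by the switch that ends at the top of this hunk and starts as NULL at its declaration, so the behaviour for an unmatched `r->http_version` should be confirmed outside this view.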
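Review bot: `ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p)` takes its output pointer by value, so the `str = ngx_pnalloc(...)` and the copy are discarded on return and every caller keeps the NULL it passed in. The leading `if (str) { free(str); str = NULL; }` is wrong on its own terms as well: the buffer is allocated from the nginx pool with ngx_pnalloc, so `free()` on it would corrupt the heap if a caller ever passed a non-NULL value. The `a.len == 0` early return leaves the output untouched, which is why callers can no longer tell "empty" from "not set". Rewrite it as an out-parameter that always produces a NUL-terminated string (callers that must reject empty input check `a.len` themselves), and update the prototype in ngx_http_coraza_common.h and every call site to pass `&x`.
```c
ngx_int_t
ngx_str_to_char(ngx_str_t a, char **str, ngx_pool_t *p)
{
    char *buf;

    *str = NULL;

    buf = ngx_pnalloc(p, a.len + 1);
    if (buf == NULL) {
        dd("failed to allocate memory to convert space ngx_string to C string");
        return NGX_ERROR;
    }

    if (a.len > 0) {
        ngx_memcpy(buf, a.data, a.len);
    }
    buf[a.len] = '\0';
    *str = buf;

    return NGX_OK;
}
```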
diff --git a/tests/modsecurity-config-auditlog.t b/t/coraza-config-auditlog.t similarity index 100% rename from tests/modsecurity-config-auditlog.t rename to t/coraza-config-auditlog.t diff --git a/tests/modsecurity-config-custom-error-page.t b/t/coraza-config-custom-error-page.t similarity index 100% rename from tests/modsecurity-config-custom-error-page.t rename to t/coraza-config-custom-error-page.t diff --git a/tests/modsecurity-config-debuglog.t b/t/coraza-config-debuglog.t similarity index 100% rename from tests/modsecurity-config-debuglog.t rename to t/coraza-config-debuglog.t diff --git a/tests/modsecurity-config-merge.t b/t/coraza-config-merge.t similarity index 100% rename from tests/modsecurity-config-merge.t rename to t/coraza-config-merge.t diff --git a/tests/modsecurity-config.t b/t/coraza-config.t similarity index 100% rename from tests/modsecurity-config.t rename to t/coraza-config.t diff --git a/tests/modsecurity-h2.t b/t/coraza-h2.t similarity index 100% rename from tests/modsecurity-h2.t rename to t/coraza-h2.t diff --git a/tests/modsecurity-proxy-h2.t b/t/coraza-proxy-h2.t similarity index 100% rename from tests/modsecurity-proxy-h2.t rename to t/coraza-proxy-h2.t diff --git a/tests/modsecurity-proxy.t b/t/coraza-proxy.t similarity index 100% rename from tests/modsecurity-proxy.t rename to t/coraza-proxy.t diff --git a/tests/modsecurity-request-body-h2.t b/t/coraza-request-body-h2.t similarity index 100% rename from tests/modsecurity-request-body-h2.t rename to t/coraza-request-body-h2.t diff --git a/tests/modsecurity-request-body.t b/t/coraza-request-body.t similarity index 100% rename from tests/modsecurity-request-body.t rename to t/coraza-request-body.t diff --git a/tests/modsecurity-response-body.t b/t/coraza-response-body.t similarity index 100% rename from tests/modsecurity-response-body.t rename to t/coraza-response-body.t 
diff --git a/tests/modsecurity-scoring.t b/t/coraza-scoring.t similarity index 100% rename from tests/modsecurity-scoring.t rename to t/coraza-scoring.t diff --git a/tests/modsecurity-transaction-id.t b/t/coraza-transaction-id.t similarity index 100% rename from tests/modsecurity-transaction-id.t rename to t/coraza-transaction-id.t diff --git a/tests/modsecurity.t b/t/coraza.t similarity index 100% rename from tests/modsecurity.t rename to t/coraza.t diff --git a/tests/nginx-tests-cvt.pl b/t/nginx-tests-cvt.pl similarity index 100% rename from tests/nginx-tests-cvt.pl rename to t/nginx-tests-cvt.pl From 190f3f5a27c5f1d47d3ef9422e9dfa20e5c7af80 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Mon, 6 Nov 2023 17:30:08 +0100 Subject: [PATCH 04/10] chore: update docs Signed-off-by: Felipe Zipitria --- .github/workflows/build.yml | 6 +++--- Dockerfile | 19 ++++++------------- README.md | 2 +- build.sh | 29 +++++++++++++++++++++++++++++ t/coraza-config-merge.t | 8 ++++---- 5 files changed, 43 insertions(+), 21 deletions(-) create mode 100644 build.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 6c5cb3b..db0249f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,7 +16,7 @@ jobs: libcoraza_version: master strategy: matrix: - nginx_version: ['1.22.0'] + nginx_version: ['1.24.0'] # The type of runner that the job will run on os: [ubuntu-20.04] @@ -67,9 +67,9 @@ jobs: libgeoip-dev - name: Set up Go - uses: actions/setup-go@v2 + uses: actions/setup-go@v4 with: - go-version: ^1.17.7 + go-version: ^1.19.x - name: Configure environment run: | diff --git a/Dockerfile b/Dockerfile index 8c0c071..16f1f4f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -13,13 +13,10 @@ RUN set -eux; \ bash \ make -COPY ./libcoraza /tmp/master - RUN set -eux; \ - #wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \ - #tar -xvf /tmp/master; \ - #cd corazawaf-libcoraza-*; \ - cd /tmp/master; \ + wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \ + tar -xvf /tmp/master; \ + cd corazawaf-libcoraza-*; \ ./build.sh; \ ./configure; \ make; \ @@ -28,10 +25,8 @@ RUN set -eux; \ FROM nginx:stable as ngx-coraza COPY --from=go-builder /usr/local/include/coraza /usr/local/include/coraza -COPY --from=go-builder /usr/local/lib/libcorazacore.a /usr/local/lib -COPY --from=go-builder /usr/local/lib/libcorazautils.a /usr/local/lib -COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib -COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcoraza.a /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcoraza.so /usr/local/lib # For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile RUN set -eux; \ @@ -70,8 +65,7 @@ RUN sed -i -e "s|events {|load_module \"/usr/lib/nginx/modules/ngx_http_coraza_m COPY ./coraza.conf /etc/nginx/conf.d/coraza.conf COPY --from=ngx-coraza /usr/lib/nginx/modules/ /usr/lib/nginx/modules/ -COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib -COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib +COPY --from=go-builder /usr/local/lib/libcoraza.so /usr/local/lib RUN ldconfig -v @@ -88,4 +82,3 @@ RUN set -eux; \ export TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";"; \ prove . -t coraza*.t ->>>>>>> db83d99 (fix error) diff --git a/README.md b/README.md index a9002d0..7eae0eb 100644 --- a/README.md +++ b/README.md 
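Review bot: The libcoraza that ends up linked into the image is unpinned and unverified: the go-builder stage fetches `https://github.com/corazawaf/libcoraza/tarball/master` at build time, so the WAF engine is whatever the default branch holds on the day of the build, and the `ARG libcoraza_version=master` this Dockerfile declares (visible as context in PATCH 05) is ignored by the hardcoded URL. Use the argument with a tag or commit as its default, e.g. `wget "https://github.com/corazawaf/libcoraza/tarball/${libcoraza_version}" -O /tmp/master;`, and check the archive against a recorded digest before `tar -xvf`. The removed `COPY ./libcoraza /tmp/master` at least built from a checked-in tree; if a local checkout is the intended developer path, a build-arg switch between the two would keep both. `cd corazawaf-libcoraza-*` also assumes exactly one extracted directory, which holds for a fresh layer but not for a reused `/tmp`.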
@@ -108,7 +108,7 @@ server { root /var/www/html/opts; coraza_rules ' SecRuleEngine On - SecDebugLog /tmp/modsec_debug.log + SecDebugLog /tmp/coraza_debug.log SecDebugLogLevel 9 SecRuleRemoveById 10 '; diff --git a/build.sh b/build.sh new file mode 100644 index 0000000..940bc15 --- /dev/null +++ b/build.sh @@ -0,0 +1,29 @@ +#!/bin/bash + +NGINX_VERSION=1.18.0 + +mkdir ~/src + +set -eux; \ + curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC ~/src -f -; + +# Pre-reqs: +# diffstat libpcre2-16-0 libpcre2-32-0 libpcre2-dev libpcre2-posix2 quilt +# geoip-bin libbsd-dev libedit-dev libfontconfig1-dev libfreetype-dev libfreetype6-dev libgd-dev libgeoip-dev libgeoip1 +# libice-dev libice6 libjbig-dev libjpeg-dev libjpeg-turbo8-dev libjpeg8-dev liblzma-dev libncurses-dev libnetaddr-ip-perl +# libpng-dev libpthread-stubs0-dev libsm-dev libsm6 libtiff-dev libtiffxx5 libvpx-dev libvpx6 libx11-dev libxau-dev libxcb1-dev +# libxdmcp-dev libxpm-dev libxslt1-dev libxt-dev libxt6 x11-common x11proto-core-dev x11proto-dev xorg-sgml-doctools xtrans-dev + +TEST_NGINX_BINARY=/usr/sbin/nginx +TEST_NGINX_GLOBALS="load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";" +TEST_NGINX_MODULES=/usr/lib/nginx/modules + +export TEST_NGINX_BINARY TEST_NGINX_GLOBALS TEST_NGINX_MODULES + +CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\ + cd ~/src/nginx-$NGINX_VERSION; \ + ./configure --with-compat "${CONFARGS}" --add-dynamic-module=/vagrant/; \ + make modules; \ + sudo mkdir -p /usr/lib/nginx/modules; \ + find objs/*.so -print; \ + sudo cp objs/ngx_*.so /usr/lib/nginx/modules diff --git a/t/coraza-config-merge.t b/t/coraza-config-merge.t index 51a1d66..64f079b 100644 --- a/t/coraza-config-merge.t +++ b/t/coraza-config-merge.t @@ -53,7 +53,7 @@ http { proxy_pass http://127.0.0.1:%%PORT_8081%%; } - location /modsec-disabled { + location /coraza-disabled { coraza_rules ' SecRuleEngine Off '; 
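Review bot: build.sh downloads the nginx source over plain `http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz` with no checksum or signature check and pipes it straight into `tar`, so the module gets compiled against whatever an on-path party chooses to serve; switch to `https://` and verify a pinned digest with `sha256sum -c` before extracting. `NGINX_VERSION=1.18.0` is hardcoded while the workflow in this same series builds against 1.24.0 and the script's `CONFARGS` come from the installed `nginx -V`; a dynamic module only loads into a binary built from matching source, so the version should be read from the installed `nginx -v` or passed in. The quoted `"${CONFARGS}"` hands configure the whole argument string as one word, and I believe nginx's configure parses one option per argument, so this likely needs to be unquoted or `eval`'d — worth confirming in a run. `mkdir ~/src` and the `/vagrant/` path are machine-specific assumptions that would be better as parameters.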
@@ -84,7 +84,7 @@ http { location /server { coraza off; - location /server/modsec-disabled { + location /server/coraza-disabled { proxy_pass http://127.0.0.1:%%PORT_8082%%; } @@ -162,12 +162,12 @@ $t->plan(10); like(http_get_body('/', 'GOOD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "http level defaults, pass"); like(http_get_body('/', 'VERY BAD BODY'), qr/^HTTP.*403/, "http level defaults, block"); -like(http_get_body('/modsec-disabled', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRuleEngine, pass"); +like(http_get_body('/coraza-disabled', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRuleEngine, pass"); like(http_get_body('/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRequestBodyAccess, pass"); like(http_get_body('/bodylimitprocesspartial', 'BODY' x 33), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRequestBodyLimitAction, pass"); like(http_get_body('/bodylimitincreased', 'BODY' x 64), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRequestBodyLimit, pass"); -like(http_get_body('/server/modsec-disabled', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "server override for SecRuleEngine, pass"); +like(http_get_body('/server/coraza-disabled', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "server override for SecRuleEngine, pass"); like(http_get_body('/server/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "server override for SecRequestBodyAccess, pass"); like(http_get_body('/server/bodylimitprocesspartial', 'BODY' x 33), qr/TEST-OK-IF-YOU-SEE-THIS/, "server override for SecRequestBodyLimitAction, pass"); like(http_get_body('/server/bodylimitincreased', 'BODY' x 64), qr/TEST-OK-IF-YOU-SEE-THIS/, "server override for SecRequestBodyLimit, pass"); From b0c6a2731c3d18b96aa930467b01ad5324ed7f8e Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 9 Nov 2023 14:50:16 +0100 Subject: [PATCH 05/10] fix: update dockerfile 
Signed-off-by: Felipe Zipitria --- Dockerfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 16f1f4f..bd1dd6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang as go-builder +FROM --platform=$BUILDPLATFORM golang as go-builder ARG libcoraza_version=master @@ -51,12 +51,13 @@ RUN set -eux; \ curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC /usr/src -f -; # Reuse same cli arguments as the nginx:alpine image used to build -RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\ +RUN set -eux; \ + CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\ cd /usr/src/nginx-$NGINX_VERSION; \ ./configure --with-compat "$CONFARGS" --add-dynamic-module=/usr/src/coraza-nginx; \ make modules; \ mkdir -p /usr/lib/nginx/modules; \ - find objs/*.so -print; \ + find objs/*.so -print; \ cp objs/ngx_*.so /usr/lib/nginx/modules FROM nginx:stable From 5e0078dd4709eeec83c1d8e39ff1a22c4e463f7b Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 9 Nov 2023 14:58:52 +0100 Subject: [PATCH 06/10] chore: update gha versions Signed-off-by: Felipe Zipitria --- .github/workflows/build.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index db0249f..673eaee 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,16 +18,16 @@ jobs: matrix: nginx_version: ['1.24.0'] # The type of runner that the job will run on - os: [ubuntu-20.04] + os: [ubuntu-22.04] # Steps represent a sequence of tasks that will be executed as part of the job steps: - name: "Checkout repo" - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Grab nginx source, from cache if possible, or from web - name: Grab nginx-${{ matrix.nginx_version }} cache - uses: actions/cache@v2 + uses: actions/cache@v3 id: cache-nginx with: path: nginx-${{ matrix.nginx_version }} 
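Review bot: `FROM --platform=$BUILDPLATFORM golang as go-builder` and the later `FROM nginx:stable` both pull floating tags, so two builds of the same commit can link a different Go toolchain and load against a different nginx ABI; because the dynamic module must match the exact nginx binary it runs in, pin both (a versioned `golang:` tag and `nginx:<exact version>`, or digests) and derive `NGINX_VERSION` from that pin instead of a separate variable. With `--platform=$BUILDPLATFORM` on the builder, the `libcoraza.so` copied into the runtime stage is built for the build host; unless that stage cross-compiles, a multi-arch build would ship a builder-arch shared object into a target-arch image, so this is worth confirming. The `./configure --with-compat "$CONFARGS"` line passes the entire `nginx -V` argument string as a single word; if configure handles one option per argument, as I believe it does, the build is not actually reusing the image's flags.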
@@ -41,7 +41,7 @@ jobs: # Grab libcoraza - name: Grab libcoraza-${{ env.libcoraza_version }} cache - uses: actions/cache@v2 + uses: actions/cache@v3 id: cache-pcre with: path: libcoraza-${{ env.libcoraza_version }} @@ -69,7 +69,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v4 with: - go-version: ^1.19.x + go-version: ^1.21.x - name: Configure environment run: | From 624f360aa4889202a87d9863ca198e86e5d22564 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 9 Nov 2023 15:00:27 +0100 Subject: [PATCH 07/10] chore: remove unused files Signed-off-by: Felipe Zipitria --- CHANGES | 62 --------------------------------------------------------- 1 file changed, 62 deletions(-) delete mode 100644 CHANGES diff --git a/CHANGES b/CHANGES deleted file mode 100644 index 7e8b892..0000000 --- a/CHANGES +++ /dev/null 
@@ -1,62 +0,0 @@ -v1.0.2 - 2021-Jun-02 --------------------- - - - Fix auditlog in case of internal redirect - [Issue #90 - @AirisX, @defanator] - - Fix nginx sends response without headers - [Issue #238 - @airween, @defanator] - - Fix nginx not clearing body cache (caused by incomplete fix for #187) - [Issue #216 - @krewi1, @martinhsv] - - Fix config setting not respected: client_body_in_file_only on - [Issue #187 - @martinhsv] - - Fix audit_log not generated for disruptive actions - [Issue #170, #2220, #2237 - @victorhora] - - Exit more gracefully if uri length is zero - [@martinhsv] - -v1.0.1 - 2019-Dec-16 --------------------- - - - Fixed obtaining of server_addr - [Issue #167, #168 - @defanator] - - Avoid processing of subrequests initiated by the error_page - [Issue #76, #164, #165 - @defanator] - - Tests: extend request body tests - [Issue #142,#143 - @defanator] - - Added basic tests over HTTP/2 - [Issue #145 - @defanator] - - Module configuration refactoring - [Issue #139 - @defanator] - - Restore r->write_event_handler after reading request body - [Issue #131 - @defanator] - - Increase log level for disruptive actions to "error" - [Issue #112 - @victorhora] - - Support for generating transaction ID in nginx - [Issue #126 - @defanator] - - Extend request body tests with ARGS_POST case - [Issue #124 - @defanator] - - Fix tests after 42a472a change in library - [Issue #122 - @defanator] - - Fix processing of response body when gzip compression is enabled - [Issue #107 - @turchanov] - - Fixed processing of response body chunks in - ngx_http_coraza_body_filter. 
- [Issue #105 - @turchanov, @defanator] - - Fix incorrect handling of request/response body data chain of ngx_buf_t - buffers - [Issue #104 - @turchanov, @defanator] - - Pool pointer is now handled in ngx_http_coraza_config_cleanup - [Issue #87 - @AirisX, @defanator, @zimmerle] - - Fix memory leak in intervention processing - [Issue #100 - @defanator] - - Emit connector version in error log - [Issue #88 - @defanator] - - Fixed memory leak on config cleanup. - [Issue #80 - @AirisX, @defanator] - - -v1.0.0 - 2017-Dec-20 --------------------- - - - First version of Coraza-nginx connector - From 4e8621eaf0cf2529ad03ca6a82d2ffa542816247 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 9 Nov 2023 15:03:31 +0100 Subject: [PATCH 08/10] fix: update header comment Signed-off-by: Felipe Zipitria --- src/ddebug.h | 10 +++++++++- src/ngx_http_coraza_body_filter.c | 7 +------ src/ngx_http_coraza_common.h | 8 +------- src/ngx_http_coraza_header_filter.c | 6 +----- src/ngx_http_coraza_log.c | 5 ----- src/ngx_http_coraza_module.c | 12 ------------ src/ngx_http_coraza_pre_access.c | 7 +------ src/ngx_http_coraza_rewrite.c | 7 +------ src/ngx_http_coraza_utils.c | 10 ++++++++++ 9 files changed, 24 insertions(+), 48 deletions(-) diff --git a/src/ddebug.h b/src/ddebug.h index 6e1fa95..8ee3ded 100644 --- a/src/ddebug.h +++ b/src/ddebug.h @@ -1,4 +1,12 @@ - +/* + * Coraza connector for nginx + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + */ // From: https://raw.githubusercontent.com/openresty/lua-nginx-module/master/src/ddebug.h diff --git a/src/ngx_http_coraza_body_filter.c b/src/ngx_http_coraza_body_filter.c index 7acd81d..22b9e3b 100644 --- a/src/ngx_http_coraza_body_filter.c +++ b/src/ngx_http_coraza_body_filter.c 
@@ -1,16 +1,11 @@ /* - * Coraza connector for nginx, http://www.coraza.io/ - * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Coraza connector for nginx * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@coraza.io. - * */ #include "ngx_http_coraza_common.h" diff --git a/src/ngx_http_coraza_common.h b/src/ngx_http_coraza_common.h index bebdaf7..01166c2 100644 --- a/src/ngx_http_coraza_common.h +++ b/src/ngx_http_coraza_common.h @@ -1,19 +1,13 @@ /* - * Coraza connector for nginx, http://www.coraza.io/ - * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Coraza connector for nginx * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@coraza.io. - * */ - #ifndef _ngx_http_coraza_COMMON_H_INCLUDED_ #define _ngx_http_coraza_COMMON_H_INCLUDED_ diff --git a/src/ngx_http_coraza_header_filter.c b/src/ngx_http_coraza_header_filter.c index 9f27200..87f2feb 100644 --- a/src/ngx_http_coraza_header_filter.c +++ b/src/ngx_http_coraza_header_filter.c @@ -1,5 +1,5 @@ /* - * Coraza connector for nginx, http://www.modsecurity.org/ + * Coraza connector for nginx * Copyright (c) 2022 Coraza author and contributors (https://www.coraza.io/) * Based on ModSecurity connector for nginx, http://www.modsecurity.org/ * 
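Review bot: The `Copyright (c) 2015 Trustwave Holdings, Inc.` notice is removed from ngx_http_coraza_body_filter.c with no replacement, and the other headers in this patch do the same, even though the code is derived from the ModSecurity-nginx connector (the header_filter.c header in this same patch still says "Based on ModSecurity connector for nginx"). The Apache-2.0 license the remaining comment points to requires derivative works to retain upstream copyright notices, so the Trustwave line should stay next to the Coraza one; the contact-Trustwave paragraph is fine to drop. The form already used in ngx_http_coraza_header_filter.c works: `Copyright (c) 2015 Trustwave Holdings, Inc.` followed by `Copyright (c) 2022 Coraza author and contributors`.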
@@ -8,10 +8,6 @@ * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@coraza.io. - * */ diff --git a/src/ngx_http_coraza_log.c b/src/ngx_http_coraza_log.c index 1a71d0d..354f014 100644 --- a/src/ngx_http_coraza_log.c +++ b/src/ngx_http_coraza_log.c @@ -1,16 +1,11 @@ /* * Coraza connector for nginx, http://www.coraza.io/ - * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@coraza.io. - * */ diff --git a/src/ngx_http_coraza_module.c b/src/ngx_http_coraza_module.c index c7b5c11..dba9542 100644 --- a/src/ngx_http_coraza_module.c +++ b/src/ngx_http_coraza_module.c @@ -1,23 +1,11 @@ /* * Coraza connector for nginx, http://www.coraza.io/ * - * Based on Coraza's connector. - * - * Coraza nginx connector - * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) - * - * Coraza nginx connector - * Copyright (c) 2022 Coraza - * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@CORAZA.org. - * */ #ifndef CORAZA_DDEBUG diff --git a/src/ngx_http_coraza_pre_access.c b/src/ngx_http_coraza_pre_access.c index e533ff2..1c009e3 100644 --- a/src/ngx_http_coraza_pre_access.c 
+++ b/src/ngx_http_coraza_pre_access.c @@ -1,16 +1,11 @@ /* - * CORAZA connector for nginx, http://www.CORAZA.org/ - * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Coraza connector for nginx * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@CORAZA.org. - * */ #ifndef CORAZA_DDEBUG diff --git a/src/ngx_http_coraza_rewrite.c b/src/ngx_http_coraza_rewrite.c index 87179db..8f3cbe5 100644 --- a/src/ngx_http_coraza_rewrite.c +++ b/src/ngx_http_coraza_rewrite.c @@ -1,16 +1,11 @@ /* - * Coraza connector for nginx, http://www.coraza.io/ - * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/) + * Coraza connector for nginx * * You may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * - * If any of the files related to licensing are missing or if you have any - * other questions related to licensing please contact Trustwave Holdings, Inc. - * directly using the email address security@coraza.io. - * */ #ifndef CORAZA_DDEBUG diff --git a/src/ngx_http_coraza_utils.c b/src/ngx_http_coraza_utils.c index e9be865..05b31b9 100644 --- a/src/ngx_http_coraza_utils.c +++ b/src/ngx_http_coraza_utils.c @@ -1,3 +1,13 @@ +/* + * Coraza connector for nginx + * + * You may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + */ + #include "ddebug.h" #include "ngx_http_coraza_common.h" From 7e5b81249592db74fe1e14edb51346cc185d53d8 Mon Sep 17 00:00:00 2001 
From: Felipe Zipitria Date: Thu, 9 Nov 2023 15:06:21 +0100 Subject: [PATCH 09/10] fix: config syntax Signed-off-by: Felipe Zipitria --- config | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/config b/config index a2c380c..3285298 100644 --- a/config +++ b/config @@ -19,7 +19,7 @@ coraza_dependency="ngx_http_postpone_filter_module \ ngx_http_gunzip_filter_module \ ngx_http_userid_filter_module \ ngx_http_headers_filter_module \ - ngx_http_copy_filter_module" + ngx_http_copy_filter_module"; if test -n "$ngx_module_link"; then @@ -31,11 +31,11 @@ if test -n "$ngx_module_link"; then $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ $ngx_addon_dir/src/ngx_http_coraza_log.c \ $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ - $ngx_addon_dir/src/ngx_http_coraza_utils.c \ - " - ngx_module_deps="$ngx_addon_dir/src/ddebug.h \ - ngx_module_libs="-lcoraza" - ngx_module_incs="-L/usr/local/lib" + $ngx_addon_dir/src/ngx_http_coraza_utils.c"; + + ngx_module_deps="$ngx_addon_dir/src/ddebug.h"; + ngx_module_libs="-lcoraza" + ngx_module_incs="-L/usr/local/lib" ngx_module_order="ngx_http_chunked_filter_module \ ngx_http_v2_filter_module \ @@ -60,11 +60,9 @@ else $ngx_addon_dir/src/ngx_http_coraza_body_filter.c \ $ngx_addon_dir/src/ngx_http_coraza_log.c \ $ngx_addon_dir/src/ngx_http_coraza_rewrite.c \ - $ngx_addon_dir/src/ngx_http_coraza_utils.c \ - " + $ngx_addon_dir/src/ngx_http_coraza_utils.c"; NGX_ADDON_DEPS="$NGX_ADDON_DEPS \ $ngx_addon_dir/src/ddebug.h \ - $ngx_addon_dir/src/ngx_http_coraza_common.h \ - " + $ngx_addon_dir/src/ngx_http_coraza_common.h"; fi From 1c4c6993f38afe347948bd191eb609e6be0656f0 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Thu, 9 Nov 2023 15:30:26 +0100 Subject: [PATCH 10/10] docs: update README Signed-off-by: Felipe Zipitria --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 7eae0eb..a41fe85 100644 --- a/README.md +++ b/README.md 
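Review bot: In the dynamic-module branch `ngx_module_deps` now lists only `ddebug.h`, while the static branch two hunks down keeps both `ddebug.h` and `ngx_http_coraza_common.h`; every source file includes the common header, so a change to it will not trigger a rebuild of the dynamic module and stale objects can be linked. Make both branches agree: `ngx_module_deps="$ngx_addon_dir/src/ddebug.h $ngx_addon_dir/src/ngx_http_coraza_common.h";`. `ngx_module_incs="-L/usr/local/lib"` also looks misplaced — `ngx_module_incs` is an include-directory list (e.g. `/usr/local/include`), and the `-L` library path belongs with `-lcoraza` in `ngx_module_libs`; the workflow and Dockerfile probably succeed via system default paths, which is why this has not surfaced. The unterminated `ngx_module_deps="... \` line this hunk fixes was the actual syntax error, so the rest is consistency.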
@@ -1,3 +1,13 @@ +⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️ +THIS MODULE IS NOT PRODUCTION READY +⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️ + +👉 YOU CANNOT CREATE ISSUES HERE, BUT YOU CAN CREATE PULL REQUESTS FIXING PROBLEMS 👈 + +🙏 DO NOT CREATE PULL REQUESTS TO COMPLAIN ABOUT THINGS NOT WORKING. THIS IS EXPERIMENTAL AND NO WORK IS BEING DONE HERE. + +👉YOU ARE WELCOME TO WORK ON IT AND SEND PULL REQUESTS! 👈 + [![Compile module](https://github.com/corazawaf/coraza-nginx/actions/workflows/build.yml/badge.svg)](https://github.com/corazawaf/coraza-nginx/actions/workflows/build.yml) # Coraza NGINX Connector @@ -6,6 +16,8 @@ The coraza-nginx connector is the connection point between nginx and libcoraza. # Compilation +If you have any doubts, please read the [GitHub build Action](https://github.com/corazawaf/coraza-nginx/blob/master/.github/workflows/build.yml) for additional information. + Before compile this software make sure that you have libcoraza installed. You can download it from the [libcoraza git repository](https://github.com/corazawaf/libcoraza). For information pertaining to the compilation and installation of libcoraza please consult the documentation provided along with it.