8282
8383ngx_addon_name=ngx_http_modsecurity_module
8484
85+ # We must place ngx_http_modsecurity_module after ngx_http_gzip_filter_module
86+ # in load order list to be able to read response body before it gets compressed
87+ # (for filter modules later initialization means earlier execution).
88+ #
89+ # Nginx implements load ordering only for dynamic modules and only a BEFORE part
90+ # of "ngx_module_order". So we list all of the modules that come after
91+ # ngx_http_gzip_filter_module as a BEFORE dependency for
92+ # ngx_http_modsecurity_module.
93+ #
94+ # For static compilation HTTP_FILTER_MODULES will be patched later.
95+
96+ modsecurity_dependency=" ngx_http_postpone_filter_module \
97+ ngx_http_ssi_filter_module \
98+ ngx_http_charset_filter_module \
99+ ngx_http_xslt_filter_module \
100+ ngx_http_image_filter_module \
101+ ngx_http_sub_filter_module \
102+ ngx_http_addition_filter_module \
103+ ngx_http_gunzip_filter_module \
104+ ngx_http_userid_filter_module \
105+ ngx_http_headers_filter_module \
106+ ngx_http_copy_filter_module"
107+
108+
85109if test -n " $ngx_module_link " ; then
86110 ngx_module_type=HTTP_FILTER
87111 ngx_module_name=" $ngx_addon_name "
@@ -98,7 +122,12 @@ if test -n "$ngx_module_link"; then
98122 ngx_module_libs=" $ngx_feature_libs "
99123 ngx_module_incs=" $ngx_feature_path "
100124
101- ngx_module_order=" ngx_http_chunked_filter_module ngx_http_v2_filter_module $ngx_module_name ngx_http_range_header_filter_module"
125+ ngx_module_order=" ngx_http_chunked_filter_module \
126+ ngx_http_v2_filter_module \
127+ ngx_http_range_header_filter_module \
128+ ngx_http_gzip_filter_module \
129+ $ngx_module_name \
130+ $modsecurity_dependency " ;
102131
103132 . auto/module
104133else
128157
129158#
130159# Nginx does not provide reliable way to introduce our module into required
131- # place in static ($ngx_module_link=ADDON) compilation mode, so we should
160+ # place in static ($ngx_module_link=ADDON) compilation mode, so we must
132161# explicitly update module "ordering rules".
133162#
134- # Default runtime location of ngx_http_modsecurity_module is right before
135- # ngx_http_chunked_filter_module, but in case if ngx_http_v2_filter_module is
136- # compiled in, we should put our module before ngx_http_v2_filter_module in
137- # order to support SecRules processing for HTTP/2.0 requests.
138- #
139163if [ " $ngx_module_link " != DYNAMIC ] ; then
140- pre_module=' ngx_http_chunked_filter_module'
141- if [ " $HTTP_V2 " = " YES" ; then
142- pre_module=' ngx_http_v2_filter_module'
164+ # Reposition modsecurity module to satisfy $modsecurity_dependency
165+ # (this mimics dependency resolution made by ngx_add_module() function
166+ # though less optimal in terms of computational complexity).
167+ modules=
168+ found=
169+ for module in $HTTP_FILTER_MODULES ; do
170+ # skip our module name from the original list
171+ if [ " $module " = " $ngx_addon_name " ; then
172+ continue
173+ fi
174+ if [ -z " ${found} " ; then
175+ for item in $modsecurity_dependency ; do
176+ if [ " $module " = " $item " ; then
177+ modules=" ${modules} $ngx_addon_name "
178+ found=1
179+ break
180+ fi
181+ done
182+ fi
183+ modules=" ${modules} $module "
184+ done
185+ if [ -z " ${found} " ; then
186+ # This must never happen since ngx_http_copy_filter_module must be in HTTP_FILTER_MODULES
187+ # and we stated dependency on it in $modsecurity_dependency
188+ echo " $0 : error: cannot reposition modsecurity module in HTTP_FILTER_MODULES list"
189+ exit 1
143190 fi
144- HTTP_FILTER_MODULES=` echo $HTTP_FILTER_MODULES | \
145- sed -E " s/$ngx_addon_name / /g" | \
146- sed -E " s/$pre_module /$pre_module $ngx_addon_name /g" `
191+ HTTP_FILTER_MODULES=" ${modules} "
147192fi
0 commit comments