Skip to content

ngx_http_modsecurity_module.so is not binary compatible (FreeBSD) #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
djkerya opened this issue May 12, 2020 · 11 comments
Closed

ngx_http_modsecurity_module.so is not binary compatible (FreeBSD) #199

djkerya opened this issue May 12, 2020 · 11 comments
Assignees
@zimmerle

Comments

@djkerya
Copy link

djkerya commented May 12, 2020

This is like #159

I have same problem:

nginx: [emerg] module "/usr/local/libexec/nginx/ngx_http_modsecurity_module.so" is not binary compatible in /usr/local/etc/nginx/nginx.conf:3

FreeBSD 11.3-RELEASE-p7
nginx-1.18.0_2,2 (also tried 1.16 before)
modsecurity3-3.0.4
modsecurity3-nginx-1.0.1
nginx -V

nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --with-google_perftools_module --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-cc-opt='-DNGX_HAVE_INET6=0 -I /usr/local/include' --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-stream=dynamic

if i set modsecurity option in nginx port parameters i got segfault:
gdb nginx nginx.core

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `nginx -t'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /lib/libcrypt.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/local/lib/libmodsecurity.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libmodsecurity.so.3
Reading symbols from /usr/local/lib/libpcre.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libpcre.so.1
Reading symbols from /usr/local/lib/libssl.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libssl.so.11
Reading symbols from /usr/local/lib/libcrypto.so.11...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libcrypto.so.11
Reading symbols from /lib/libz.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libz.so.6
Reading symbols from /usr/local/lib/libprofiler.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libprofiler.so.0
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/local/lib/libcurl.so.4...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libcurl.so.4
Reading symbols from /usr/local/lib/libGeoIP.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libGeoIP.so.1
Reading symbols from /usr/lib/librt.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/librt.so.1
Reading symbols from /usr/local/lib/libxml2.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libxml2.so.2
Reading symbols from /usr/lib/liblzma.so.5...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/liblzma.so.5
Reading symbols from /usr/local/lib/libmaxminddb.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libmaxminddb.so.0
Reading symbols from /usr/local/lib/libyajl.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libyajl.so.2
Reading symbols from /usr/local/lib/gcc9/libstdc++.so.6...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/gcc9/libstdc++.so.6
Reading symbols from /lib/libm.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.5
Reading symbols from /usr/local/lib/gcc9/libgcc_s.so.1...Error while reading shared library symbols:
Dwarf Error: wrong version in compilation unit header (is 4, should be 2) [in module /usr/local/lib/gcc9/libgcc_s.so.1]
Reading symbols from /usr/lib/libexecinfo.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libexecinfo.so.1
Reading symbols from /usr/lib/libc++.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libc++.so.1
Reading symbols from /lib/libcxxrt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/libcxxrt.so.1
Reading symbols from /usr/local/lib/libnghttp2.so.14...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libnghttp2.so.14
Reading symbols from /usr/local/lib/libidn2.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libidn2.so.0
Reading symbols from /lib/libelf.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libelf.so.2
Reading symbols from /usr/local/lib/libunistring.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/libunistring.so.2
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0 0x0000000804490110 in vtable for __cxxabiv1::__si_class_type_info () from /lib/libcxxrt.so.1
(gdb)

If i choose modsecurity 2 port option i got :
unknown directive "modsecurity"
@zimmerle zimmerle self-assigned this May 12, 2020
@zimmerle
Copy link
Contributor

Are you able to generate a different loadable module to Nginx?

@djkerya
Copy link
Author

djkerya commented May 13, 2020 via email

@fzipi
Copy link

fzipi commented May 13, 2020

I'm building it using our own poudriere and it is working fine.

@djkerya
Copy link
Author

djkerya commented May 13, 2020 via email

@djkerya
Copy link
Author

djkerya commented May 14, 2020 via email

@zimmerle
Copy link
Contributor

Thank you @djkerya. I am going to close the issue. Please share your findings.

@FloGatt
Copy link

FloGatt commented Apr 28, 2021

Is there any update on this? Nearly one year later, the problem is still the same.

@FloGatt
Copy link

FloGatt commented Apr 28, 2021 

# service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] module "/usr/local/etc/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible in /usr/local/etc/nginx/nginx.conf:16
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

# nginx -V
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1k-freebsd  25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-pcre --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-mail=dynamic --with-stream=dynamic

# pkg info modsecurity3-nginx-1.0.1_1
modsecurity3-nginx-1.0.1_1
Name           : modsecurity3-nginx
Version        : 1.0.1_1
Installed on   : Wed Apr 28 10:49:03 2021 CEST
Origin         : security/modsecurity3-nginx
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : security www
Licenses       : APACHE20
Maintainer     : [email protected]
WWW            : https://github.com/SpiderLabs/ModSecurity-nginx
Comment        : Instruction detection and prevention engine / nginx Wrapper
Shared Libs required:
	libmodsecurity.so.3
Annotations    :
	FreeBSD_version: 1300139
	repo_type      : binary
	repository     : FreeBSD
Flat size      : 25.2KiB
Description    :
The ModSecurity-nginx connector is the connection point between Nginx and libmodsecurity
(ModSecurity v3). Said another way, this project provides a communication channel between Nginx
and libmodsecurity. This connector is required to use LibModSecurity with Nginx.

The ModSecurity-nginx connector takes the form of an Nginx module.
The module simply serves as a layer of communication between Nginx and ModSecurity.

Notice that this project depends on libmodsecurity rather than ModSecurity (version 2.9 or less).

WWW: https://github.com/SpiderLabs/ModSecurity-nginx

@xzenor
Copy link

xzenor commented Feb 21, 2022

For what it's worth.. it's still broken with modsecurity3-nginx-1.0.2_1 and modsecurity3-3.0.5 on FreeBSD-13

@pengliaoye
Copy link

i have same problem in freebsd12. with

modsecurity3-nginx-1.0.2_1
nginx-full-1.20.2_7,2
modsecurity3-3.0.5

@martinhsv
Copy link
Contributor

Note that this issue was closed more than 20 months ago due to the report that:

i tried to compile nginx + modsecurity from scratch and it worked fine.

I have never installed on FreeBSD myself, but perhaps have a look at the comment at the end of the issue linked at the beginning of this one ( #159 ): the nginx connector is not required by new nginx versions.

Also of interest may be the web page linked in that other issue (the page is gone, but it is available in wayback machine) :
https://web.archive.org/web/*/https://alfaexploit.com/readArticle/345

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zimmerle zimmerle

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@zimmerle @pengliaoye @fzipi @FloGatt @djkerya @xzenor @martinhsv