Modsec phases and Nginx phases practice #298

Closed
Rockybilly opened this issue Feb 15, 2023 · 3 comments
@Rockybilly

I am trying to create an nginx server that uses modsecurity-nginx, but has only this specific purpose.


Return 403 if modsec applies the disruptive action 'deny', return 200 every other time, no body.


This has these two solutions (open to other suggestions).

  • Solution 1:
location / {
        modsecurity on;
        modsecurity_rules '';
        return 200;
}
  • Solution 2:
location @return200  {
        return 200;
}

location / {
        modsecurity on;
        modsecurity_rules '';
        try_files FAKE_NON_EXISTENT @return200;
}

The difference between the two is that return, which returns immediately, is a REWRITE phase directive. Would this skip some of the ModSec phases?
try_files is a PreContent phase directive, so is more time given to the request before it ends? How do these correspond to ModSec processing phases?

@martinhsv
Contributor

Hello @Rockybilly ,

I don't really follow what you are trying to do.

But a redirect to a different location block where ModSecurity is not active can result in less processing of the request by ModSecurity in the original location block. One way to see what is happening is to enable the ModSecurity debug log (at the highest level of 9).

@Rockybilly
Author

Okay, it wasn't about moving to a different location that does not include modsecurity, so my example was a bit wrong.

I guess this is more clear.

modsecurity on;
modsecurity_rules '';

location @return200  {
        return 200;
}

location / {
        try_files FAKE_NON_EXISTENT @return200;
}

But let's say I have some modsec rules that do body checking. The try_files directive is after the content phase, and return is in the rewrite phase (before content). Would this prevent the body checking from happening (because of the early finish of the request)?

@martinhsv
Contributor

Have you tried it to see what happens?

I have never used the nginx try_files directive before and so cannot speak directly to that.

There are at least some expected behaviours in nginx that can result in a redirected POST request being transformed into a GET request ... which could, of course, affect body processing in that subsequent block. See, for example: #152 (comment)
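
Added example, not part of the thread and not the project's own configuration: one way to run the test suggested above, with the ModSecurity debug log at level 9 and both variants from the question side by side, so the log shows which ModSecurity phases ran for each. The port, log path, rule ids, header and parameter names are assumptions made for the test.

```nginx
# Test configuration (constructed for illustration).
# Place inside the http {} block of an nginx built with modsecurity-nginx.
server {
    listen 8080;                              # assumed port

    modsecurity on;
    modsecurity_rules '
        SecRuleEngine On
        SecRequestBodyAccess On
        SecDebugLog /tmp/modsec_debug.log
        SecDebugLogLevel 9
        # Constructed phase 1 rule: decides on a request header.
        SecRule REQUEST_HEADERS:X-Test "@streq block" "id:1001,phase:1,deny,status:403"
        # Constructed phase 2 rule: decides on a POST body parameter.
        SecRule ARGS_POST:payload "@streq blockme" "id:1002,phase:2,deny,status:403"
    ';

    location @return200 {
        return 200;
    }

    # Variant 1 from the question: return issued by the rewrite module.
    location /v1 {
        return 200;
    }

    # Variant 2 from the question: try_files falls through to the named location.
    location /v2 {
        try_files FAKE_NON_EXISTENT @return200;
    }
}

# Requests to compare (run against a local test instance):
#   curl -i -H 'X-Test: block'     http://127.0.0.1:8080/v1
#   curl -i -d 'payload=blockme'   http://127.0.0.1:8080/v1
#   curl -i -H 'X-Test: block'     http://127.0.0.1:8080/v2
#   curl -i -d 'payload=blockme'   http://127.0.0.1:8080/v2
```

After each request, check the response status and look in /tmp/modsec_debug.log for whether rule 1002 was evaluated; a variant where the body rule never appears in the log is one where a body-based deny cannot fire.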
