From 1494b2591b057cf490b89a5658ffc9f3dfbaa78c Mon Sep 17 00:00:00 2001
From: Fatih USTA
Date: Wed, 13 Aug 2025 15:43:45 +0300
Subject: [PATCH 1/3] added disable error log support modified old PR https://github.com/owasp-modsecurity/ModSecurity-nginx/pull/327
Signed-off-by: Fatih USTA
---
 src/ngx_http_modsecurity_common.h | 1 +
 src/ngx_http_modsecurity_module.c | 26 ++++++++++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
index a4687e8..634949e 100644
--- a/src/ngx_http_modsecurity_common.h
+++ b/src/ngx_http_modsecurity_common.h
@@ -118,6 +118,7 @@ typedef struct {
 void *rules_set;
 ngx_flag_t enable;
+ ngx_flag_t disable_error_log;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 ngx_flag_t sanity_checks_enabled;
 #endif
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
index e8a5f4b..28c7228 100644
--- a/src/ngx_http_modsecurity_module.c
+++ b/src/ngx_http_modsecurity_module.c
@@ -146,6 +146,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 intervention.log = NULL;
 intervention.disruptive = 0;
 ngx_http_modsecurity_ctx_t *ctx = NULL;
+ ngx_http_modsecurity_conf_t *mcf;
 dd("processing intervention");
@@ -160,12 +161,19 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 return 0;
 }
- log = intervention.log;
- if (intervention.log == NULL) {
- log = "(no log message was specified)";
+ mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
+ if (mcf == NULL) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
 }
- ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
+ // logging to nginx error log can be disable by setting `modsecurity_disable_error_log` to on
+ if (!mcf->disable_error_log) {
+ log = intervention.log;
+ if (intervention.log == NULL) {
+ log = "(no log message was specified)";
+ }
+ ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
+ }
 if (intervention.log != NULL) {
 free(intervention.log);
@@ -513,6 +521,14 @@ static ngx_command_t ngx_http_modsecurity_commands[] = {
 0,
 NULL
 },
+ {
+ ngx_string("modsecurity_disable_error_log"),
+ NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_modsecurity_conf_t, disable_error_log),
+ NULL
+ },
 ngx_null_command
 };
@@ -724,6 +740,7 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
 conf->rules_set = msc_create_rules_set();
 conf->pool = cf->pool;
 conf->transaction_id = NGX_CONF_UNSET_PTR;
+ conf->disable_error_log = NGX_CONF_UNSET;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 conf->sanity_checks_enabled = NGX_CONF_UNSET;
 #endif
@@ -763,6 +780,7 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 ngx_conf_merge_value(c->enable, p->enable, 0);
 ngx_conf_merge_ptr_value(c->transaction_id, p->transaction_id, NULL);
+ ngx_conf_merge_value(c->disable_error_log, p->disable_error_log, 0);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 ngx_conf_merge_value(c->sanity_checks_enabled, p->sanity_checks_enabled, 0);
 #endif
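Review bot: The new `if (mcf == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; }` sits after the intervention has already been populated, so on that path the heap string `intervention.log` — released a few lines later in the `if (intervention.log != NULL) { free(intervention.log);` block that the hunk shows — is leaked, along with any other heap member of the intervention (the `return 0;` context at the top of the hunk appears to be the "nothing to do" branch of the `msc_intervention()` call just above, outside the hunk). Move the two lookup lines `mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);` and the NULL check up beside the other per-request lookups, before anything is allocated, so the early return has nothing to release; a NULL loc conf is presumably unreachable once the module is loaded, but an early-return path should not acquire a cleanup obligation it skips. The comment on the new branch also has a typo and does not say what is suppressed; suggest `// When modsecurity_disable_error_log is on, skip only the nginx error_log line; the intervention itself (status/redirect) is still applied below`. The enclosing function continues outside the hunk on both sides.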
From 0d5875728b9effc2a451e303fce3ac53455dd890 Mon Sep 17 00:00:00 2001
From: Fatih USTA
Date: Wed, 13 Aug 2025 22:31:44 +0300
Subject: [PATCH 2/3] added modsecurity_disable_error_log test cases
Signed-off-by: Fatih USTA
---
 .github/nginx/nginx.conf | 13 +++++++++++++
 .github/workflows/test.yml | 24 +++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/.github/nginx/nginx.conf b/.github/nginx/nginx.conf
index 0ac7802..82085c0 100644
--- a/.github/nginx/nginx.conf
+++ b/.github/nginx/nginx.conf
@@ -74,5 +74,18 @@ http {
 }
 }
+ server {
+ listen 80;
+ server_name modsecurity_disable_error_log;
+
+ modsecurity on;
+ modsecurity_disable_error_log on;
+ modsecurity_rules_file /home/runner/work/ModSecurity-nginx/ModSecurity-nginx/ModSecurity-nginx/.github/nginx/modsecurity.conf;
+ root /usr/local/nginx/html/;
+
+ location / {
+ try_files $uri /index.html;
+ }
+ }
 }
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 9841dd1..f26630e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -140,6 +140,28 @@ jobs:
 echo "FAIL"
 exit 1
 fi
+ - name: Check attack log vhost 2 (modsecurity_disable_error_log off(default))
+ run: |
+ if ( grep -q "modsectest2" /usr/local/nginx/logs/error.log ); then
+ echo "OK"
+ else
+ echo "FAIL"
+ exit 1
+ fi
+ - name: Check attack log vhost 3 (modsecurity_disable_error_log on)
+ run: |
+ status=$(curl -sSo /dev/null -w %{http_code} -I -X GET -H "Host: modsecurity_disable_error_log" "http://localhost/?q=attack")
+ if [ "${status}" == "403" ]; then
+ if ( grep -q "modsecurity_disable_error_log" /usr/local/nginx/logs/error.log ); then
+ echo "FAIL"
+ exit 1
+ else
+ echo "OK"
+ fi
+ else
+ echo "FAIL"
+ exit 1
+ fi
 - name: Start Nginx with redir
 run: |
 sudo killall nginx
@@ -320,4 +342,4 @@ jobs:
 md temp
 set TEMP=temp
 set TEST_NGINX_BINARY=..\objs\nginx.exe
- prove modsecurity*.t
\ No newline at end of file
+ prove modsecurity*.t
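Review bot: The vhost 3 step in the test.yml hunk is a pure absence check — after the 403 it only asserts that the hostname string is not in error.log — so it also passes if the request was refused for a reason unrelated to the rules, or if the blocked-request line format ever stops carrying the hostname; the vhost 2 positive check just above it greps "modsectest2" without issuing a request in the same step, so it depends on the ordering of earlier steps outside the hunk. Making the pair self-contained would tie the result to the directive rather than the environment: send the vhost 2 request and assert its line appears, then send the vhost 3 request and assert absence, in one step, e.g. `curl -sSo /dev/null -H "Host: modsectest2" "http://localhost/?q=attack"` before the existing grep. If the test rules file enables a ModSecurity audit log (not visible here), asserting that the vhost 3 block is still recorded there would also document that switching the error log off does not remove the evidence of the block entirely.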
From 585dc82d55023af0f800dba2847337f65349e80d Mon Sep 17 00:00:00 2001
From: Fatih USTA
Date: Thu, 14 Aug 2025 08:03:30 +0300
Subject: [PATCH 3/3] directive changed as modsecurity_use_error_log - tests are changed with new directive name - nginx.conf updated with new directive name - added doc
Signed-off-by: Fatih USTA
---
 .github/nginx/nginx.conf | 4 ++--
 .github/workflows/test.yml | 8 ++++----
 README.md | 9 +++++++++
 src/ngx_http_modsecurity_common.h | 2 +-
 src/ngx_http_modsecurity_module.c | 12 ++++++------
 5 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/.github/nginx/nginx.conf b/.github/nginx/nginx.conf
index 82085c0..cf6a6ad 100644
--- a/.github/nginx/nginx.conf
+++ b/.github/nginx/nginx.conf
@@ -76,10 +76,10 @@ http {
 server {
 listen 80;
- server_name modsecurity_disable_error_log;
+ server_name modsecurity_use_error_log_off;
 modsecurity on;
- modsecurity_disable_error_log on;
+ modsecurity_use_error_log off;
 modsecurity_rules_file /home/runner/work/ModSecurity-nginx/ModSecurity-nginx/ModSecurity-nginx/.github/nginx/modsecurity.conf;
 root /usr/local/nginx/html/;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f26630e..0126847 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -140,7 +140,7 @@ jobs:
 echo "FAIL"
 exit 1
 fi
- - name: Check attack log vhost 2 (modsecurity_disable_error_log off(default))
+ - name: Check attack log vhost 2 (modsecurity_use_error_log on(default))
 run: |
 if ( grep -q "modsectest2" /usr/local/nginx/logs/error.log ); then
 echo "OK"
@@ -148,11 +148,11 @@ jobs:
 echo "FAIL"
 exit 1
 fi
- - name: Check attack log vhost 3 (modsecurity_disable_error_log on)
+ - name: Check attack log vhost 3 (modsecurity_use_error_log off)
 run: |
- status=$(curl -sSo /dev/null -w %{http_code} -I -X GET -H "Host: modsecurity_disable_error_log" "http://localhost/?q=attack")
+ status=$(curl -sSo /dev/null -w %{http_code} -I -X GET -H "Host: modsecurity_use_error_log_off" "http://localhost/?q=attack")
 if [ "${status}" == "403" ]; then
- if ( grep -q "modsecurity_disable_error_log" /usr/local/nginx/logs/error.log ); then
+ if ( grep -q "modsecurity_use_error_log_off" /usr/local/nginx/logs/error.log ); then
 echo "FAIL"
 exit 1
 else
diff --git a/README.md b/README.md
index d638a0c..a93e5df 100644
--- a/README.md
+++ b/README.md
@@ -175,6 +175,15 @@ using the same unique identificator.
 String can contain variables.
+modsecurity_use_error_log
+-----------
+**syntax:** *modsecurity_use_error_log on | off*
+
+**context:** *http, server, location*
+
+**default:** *on*
+
+Turns on or off ModSecurity error log functionality.
 # Contributing
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
index 634949e..0ddcc2f 100644
--- a/src/ngx_http_modsecurity_common.h
+++ b/src/ngx_http_modsecurity_common.h
@@ -118,7 +118,7 @@ typedef struct {
 void *rules_set;
 ngx_flag_t enable;
- ngx_flag_t disable_error_log;
+ ngx_flag_t use_error_log;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 ngx_flag_t sanity_checks_enabled;
 #endif
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
index 28c7228..25509fb 100644
--- a/src/ngx_http_modsecurity_module.c
+++ b/src/ngx_http_modsecurity_module.c
@@ -166,8 +166,8 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 return NGX_HTTP_INTERNAL_SERVER_ERROR;
 }
- // logging to nginx error log can be disable by setting `modsecurity_disable_error_log` to on
- if (!mcf->disable_error_log) {
+ // logging to nginx error log can be disable by setting `modsecurity_use_error_log` to off
+ if (mcf->use_error_log) {
 log = intervention.log;
 if (intervention.log == NULL) {
 log = "(no log message was specified)";
@@ -522,11 +522,11 @@ static ngx_command_t ngx_http_modsecurity_commands[] = {
 NULL
 },
 {
- ngx_string("modsecurity_disable_error_log"),
+ ngx_string("modsecurity_use_error_log"),
 NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_modsecurity_conf_t, use_error_log),
+ offsetof(ngx_http_modsecurity_conf_t, use_error_log),
 NULL
 },
 ngx_null_command
@@ -740,7 +740,7 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
 conf->rules_set = msc_create_rules_set();
 conf->pool = cf->pool;
 conf->transaction_id = NGX_CONF_UNSET_PTR;
- conf->disable_error_log = NGX_CONF_UNSET;
+ conf->use_error_log = NGX_CONF_UNSET;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 conf->sanity_checks_enabled = NGX_CONF_UNSET;
 #endif
@@ -780,7 +780,7 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 ngx_conf_merge_value(c->enable, p->enable, 0);
 ngx_conf_merge_ptr_value(c->transaction_id, p->transaction_id, NULL);
- ngx_conf_merge_value(c->disable_error_log, p->disable_error_log, 0);
+ ngx_conf_merge_value(c->use_error_log, p->use_error_log, 1);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
 ngx_conf_merge_value(c->sanity_checks_enabled, p->sanity_checks_enabled, 0);
 #endif
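Review bot: The comment above the new-side `if (mcf->use_error_log) {` still reads "can be disable" and does not state the scope of what is being switched off, which matters for operators because this line is the only per-request evidence of a block that nginx itself writes; suggest `// modsecurity_use_error_log off suppresses only this nginx error_log line; the intervention (status/redirect) is still enforced below`. The README text added in this commit, "Turns on or off ModSecurity error log functionality", has the same ambiguity and could be read as affecting the library's own logging — nothing in this diff touches that, so wording along the lines of "when off, blocked requests are still blocked but no line is written to the nginx error log; a ModSecurity audit log, if configured in the rules, is not affected by this directive" would be more precise (the audit-log part is inferred from the diff's scope, not shown). The merge default `1` in the last hunk agrees with the documented default *on*; the `mcf == NULL` early return shown as context at the top of this hunk still precedes the `free(intervention.log)` further down, so the leak on that path raised for the first commit is unchanged here. The enclosing function continues outside the hunk.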