You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The OWASP ModSecurity team is pleased to announce the release of versions of ModSecurity-nginx connector, 1.0.4. This version includes a mixture of new features and bug fixes.
7
+
The OWASP ModSecurity team is pleased to announce the release of ModSecurity-nginx connector version 1.0.4. This version includes a mixture of new features and bug fixes.
8
8
9
9
<!--more-->
10
10
11
-
The latest release was almost three years ago, meanwhile some relevant features were added to the connector.
11
+
The previous version has been released almost three years ago, and meanwhile some important features were added to the connector.
12
12
13
13
##### Contributors:
14
14
@@ -19,27 +19,27 @@ The latest release was almost three years ago, meanwhile some relevant features
19
19
* added a workflow for Github CI (@theseion, @airween)
20
20
* added Windows port (@eduar-hte)
21
21
* fix recovery context after internal redirect (@liudongmiao, @airween)
22
-
* set correct hostname in log produced by Nginx (@airween)
22
+
* set correct hostname in log produced by nginx (@airween)
23
23
24
-
#### Important change in log format
24
+
#### Important change in the log format
25
25
26
-
Please note that there was an important change in logformat. Here is the explanation what changed.
27
-
Old behavior: if ModSecurity catches an attack then it produces log entries. The problem is that the `[hostname]` field contains the server's IP address - which carries no information at all:
26
+
Please note that there was an important change in log format.
27
+
28
+
Old behavior: if ModSecurity determines a positive rule match it (generally) produces log entries. The problem is that the `[hostname]` field contains the server's IP address - i.e., the address of the server ModSecurity is running on, which isn't helpful information:
At the end of the line, Nginx (and not ModSecurity) puts other fields, like server and host, but unfortunately those can be truncated if the other parts of line are too long, eg. [data] field by ModSecurity, or request field by Nginx, because **Nginx truncates the log line after 2048 bytes**.
34
-
35
-
The other advantage of this patch that now the fields will be the same as in case of mod_security2, so parsing the lines (hopefully) will be easier.
34
+
At the end of the line, nginx (and not ModSecurity) puts other fields, like `[server]` and `[host]`, but unfortunately those can be truncated if the other parts of line are too long (e.g., the `[data]` field from ModSecurity, or the `[request]` field from nginx), because **nginx truncates the log line after 2048 bytes**.
Please take a look at the `[hostname]` field, now it contains the `Hostname` field from the request, or if it does not exists then the virtual host's context name (`server`). Don't forget to align your log processor!
41
+
The `[hostname]` field now contains the `Host` field from the request, or if it does not exist, the virtual host's context name (`server`). This change ensures that the `[hostname]` field contains helpful information and that the host information will no longer be truncated from long log lines.
42
+
43
+
The other advantage of this patch that now the fields will be the same as in mod_security2, so parsing the lines will (hopefully) be easier. Remember to update your log parsers to accomodate for this change.
0 commit comments