|
| 1 | +--- |
| 2 | +title: 'ModSecurity-nginx connector - new release: v1.0.4' |
| 3 | +date: '2025-05-21T00:00:00+02:00' |
| 4 | +author: airween |
| 5 | +--- |
| 6 | + |
| 7 | +The OWASP ModSecurity team is pleased to announce the release of ModSecurity-nginx connector version 1.0.4. This version includes a mixture of new features and bug fixes. |
| 8 | + |
| 9 | +<!--more--> |
| 10 | + |
| 11 | +The previous version has been released almost three years ago, and meanwhile some important features were added to the connector. |
| 12 | + |
| 13 | +##### Contributors: |
| 14 | + |
| 15 | +@brandonpayton, @theseion, @liudongmiao, @eduar-hte, @airween |
| 16 | + |
| 17 | +#### Major changes: |
| 18 | + |
| 19 | +* added a workflow for Github CI (@theseion, @airween) |
| 20 | +* added Windows port (@eduar-hte) |
| 21 | +* fix recovery context after internal redirect (@liudongmiao, @airween) |
| 22 | +* set correct hostname in log produced by nginx (@airween) |
| 23 | + |
| 24 | +#### Important change in the log format |
| 25 | + |
| 26 | +Please note that there was an important change in log format. |
| 27 | + |
| 28 | +Old behavior: if ModSecurity determines a positive rule match it (generally) produces log entries. The problem is that the `[hostname]` field contains the server's IP address - i.e., the address of the server ModSecurity is running on, which isn't helpful information: |
| 29 | + |
| 30 | +``` |
| 31 | +ModSecurity: Warning. ... [hostname "18.19.20.21"] [uri "/xmlrpc.php"]... |
| 32 | +``` |
| 33 | + |
| 34 | +At the end of the line, nginx (and not ModSecurity) puts other fields, like `[server]` and `[host]`, but unfortunately those can be truncated if the other parts of line are too long (e.g., the `[data]` field from ModSecurity, or the `[request]` field from nginx), because **nginx truncates the log line after 2048 bytes**. |
| 35 | + |
| 36 | +Here is the new logformat: |
| 37 | +``` |
| 38 | +ModSecurity: Warning. ... [hostname "foobar.com"] [uri "/"] ... |
| 39 | +``` |
| 40 | + |
| 41 | +The `[hostname]` field now contains the `Host` field from the request, or if it does not exist, the virtual host's context name (`server`). This change ensures that the `[hostname]` field contains helpful information and that the host information will no longer be truncated from long log lines. |
| 42 | + |
| 43 | +The other advantage of this patch that now the fields will be the same as in mod_security2, so parsing the lines will (hopefully) be easier. Remember to update your log parsers to accomodate for this change. |
| 44 | + |
| 45 | +Ervin Hegedüs |
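Review bot: The paragraph at line 41 of the new file says `[hostname]` is now filled from the request's `Host` field, but the post does not tell readers that this makes the field client-supplied, where the old value was the server's own address. I would add a sentence advising log consumers that key alerting or per-site aggregation on `[hostname]` to treat it as untrusted input, alongside the existing reminder to update parsers. Smaller wording points in the same hunk: line 11 "has been released almost three years ago" should read "was released almost three years ago"; line 43 is missing a verb ("The other advantage of this patch is that") and has "accomodate for" where "accommodate" is meant; line 19 should spell "GitHub"; line 36 "logformat" should match the "log format" used elsewhere and be followed by a blank line before the fence, as at line 28; and the `##### Contributors:` heading on line 13 is one level deeper than the `####` headings that follow it.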