DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix definition order of modsecurity directives for controller to match PR 5315 (#6940) (#7323)

Browse source 
* Fix definition order of modsecurity directives for controller to match PR 5315

* Add a test
This commit is contained in:
Kyle Michel 2021-07-06 22:24:43 -04:00 committed by GitHub
parent a064337621
commit 12a2a6d0e0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 82 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -149,14 +149,16 @@ http {
{{ if $all.Cfg.EnableModsecurity }} {{ if $all.Cfg.EnableModsecurity }}
modsecurity on; modsecurity on;
{{ if (not (empty $all.Cfg.ModsecuritySnippet)) }}
modsecurity_rules '
{{ $all.Cfg.ModsecuritySnippet }}
';
{{ end }}
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf; modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
{{ if $all.Cfg.EnableOWASPCoreRules }} {{ if $all.Cfg.EnableOWASPCoreRules }}
modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf; modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
{{ else if (not (empty $all.Cfg.ModsecuritySnippet)) }}
modsecurity_rules '
{{ $all.Cfg.ModsecuritySnippet }}
';
{{ end }} {{ end }}
{{ end }} {{ end }}

76
test/e2e/annotations/modsecurity.go
View file

@ -216,4 +216,80 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
Expect(). Expect().
Status(http.StatusForbidden) Status(http.StatusForbidden)
}) })
ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() {
host := "modsecurity.foo.com"
nameSpace := f.Namespace
snippet := `SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogParts ABIJDEFHZ
SecAuditLog /dev/stdout
SecAuditLogType Serial
SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
annotations := map[string]string{
"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
}
ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.SetNginxConfigMapData(map[string]string{
"enable-modsecurity": "true",
"enable-owasp-modsecurity-crs": "true",
})
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "SecRuleEngine On")
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("User-Agent", "block-ua").
Expect().
Status(http.StatusForbidden)
})
ginkgo.It("should enable modsecurity through the config map", func() {
host := "modsecurity.foo.com"
nameSpace := f.Namespace
snippet := `SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogParts ABIJDEFHZ
SecAuditLog /dev/stdout
SecAuditLogType Serial
SecRule REQUEST_HEADERS:User-Agent \"block-ua\" \"log,deny,id:107,status:403,msg:\'UA blocked\'\"`
annotations := map[string]string{
"nginx.ingress.kubernetes.io/modsecurity-snippet": snippet,
}
ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
expectedComment := "SecRuleEngine On"
f.SetNginxConfigMapData(map[string]string{
"enable-modsecurity": "true",
"enable-owasp-modsecurity-crs": "true",
"modsecurity-snippet": expectedComment,
})
f.WaitForNginxServer(host,
func(server string) bool {
return true
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("User-Agent", "block-ua").
Expect().
Status(http.StatusForbidden)
})
}) })