Upgrade OWASP_MODSECURITY_CRS_VERSION 3.3.5 to 4.4.0 and update docs (#11548)

Signed-off-by: jessebot <jessebot@linux.com>
Co-authored-by: jessebot <jessebot@linux.com>

docs/user-guide/third-party-addons/modsecurity.md

@@ -14,3 +14,97 @@ The default `Serial` value in SecAuditLogType can impact performance.
 The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
 The directory `/etc/nginx/owasp-modsecurity-crs` contains the [OWASP ModSecurity Core Rule Set repository](https://github.com/coreruleset/coreruleset).
 Using `enable-owasp-modsecurity-crs: "true"` we enable the use of the rules.
+
+## Supported annotations
+
+For more info on supported annotations, please see [annotations/#modsecurity](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
+
+## Example of using ModSecurity with plugins via the helm chart
+
+Suppose you have a ConfigMap that contains the contents of the [nextcloud-rule-exclusions plugin](https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/blob/main/plugins/nextcloud-rule-exclusions-before.conf) like this:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: modsecurity-plugins
+data:
+  empty-after.conf: |
+    # no data
+  empty-before.conf: |
+    # no data
+  empty-config.conf: |
+    # no data
+  nextcloud-rule-exclusions-before.conf:
+    # this is just a snippet
+    # find the full file at https://github.com/coreruleset/nextcloud-rule-exclusions-plugin
+    #
+    # [ File Manager ]
+    # The web interface uploads files, and interacts with the user.
+    SecRule REQUEST_FILENAME "@contains /remote.php/webdav" \
+        "id:9508102,\
+        phase:1,\
+        pass,\
+        t:none,\
+        nolog,\
+        ver:'nextcloud-rule-exclusions-plugin/1.2.0',\
+        ctl:ruleRemoveById=920420,\
+        ctl:ruleRemoveById=920440,\
+        ctl:ruleRemoveById=941000-942999,\
+        ctl:ruleRemoveById=951000-951999,\
+        ctl:ruleRemoveById=953100-953130,\
+        ctl:ruleRemoveByTag=attack-injection-php"
+```
+
+If you're using the helm chart, you can pass in the following parameters in your `values.yaml`:
+
+```yaml
+controller:
+  config:
+    # Enables Modsecurity
+    enable-modsecurity: "true"
+
+    # Update ModSecurity config and rules
+    modsecurity-snippet: |
+      # this enables the mod security nextcloud plugin
+      Include /etc/nginx/owasp-modsecurity-crs/plugins/nextcloud-rule-exclusions-before.conf
+
+      # this enables the default OWASP Core Rule Set
+      Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
+
+      # Enable prevention mode. Options: DetectionOnly,On,Off (default is DetectionOnly)
+      SecRuleEngine On
+
+      # Enable scanning of the request body
+      SecRequestBodyAccess On
+
+      # Enable XML and JSON parsing
+      SecRule REQUEST_HEADERS:Content-Type "(?:text|application(?:/soap\+|/)|application/xml)/" \
+        "id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+      SecRule REQUEST_HEADERS:Content-Type "application/json" \
+        "id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+      # Reject if larger (we could also let it pass with ProcessPartial)
+      SecRequestBodyLimitAction Reject
+
+      # Send ModSecurity audit logs to the stdout (only for rejected requests)
+      SecAuditLog /dev/stdout
+
+      # format the logs in JSON
+      SecAuditLogFormat JSON
+
+      # could be On/Off/RelevantOnly
+      SecAuditEngine RelevantOnly
+
+  # Add a volume for the plugins directory
+  extraVolumes:
+    - name: plugins
+      configMap:
+        name: modsecurity-plugins
+
+  # override the /etc/nginx/enable-owasp-modsecurity-crs/plugins with your ConfigMap
+  extraVolumeMounts:
+    - name: plugins
+      mountPath: /etc/nginx/owasp-modsecurity-crs/plugins
+```

images/nginx-1.25/rootfs/build.sh

@@ -41,8 +41,8 @@ export MODSECURITY_VERSION=v1.0.3
 # Check for recent changes: https://github.com/SpiderLabs/ModSecurity/compare/v3.0.8...v3/master
 export MODSECURITY_LIB_VERSION=v3.0.12
 
-# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...main
+# Check for recent changes: https://github.com/coreruleset/coreruleset/compare/v3.3.5...v4.0/main
-export OWASP_MODSECURITY_CRS_VERSION=v3.3.5
+export OWASP_MODSECURITY_CRS_VERSION=v4.4.0
 
 # Check for recent changes: https://github.com/openresty/lua-nginx-module/compare/b5d1688ae722538ba4dc8a7ec08820a08abfb93d...master
 export LUA_NGX_VERSION=b5d1688ae722538ba4dc8a7ec08820a08abfb93d
@@ -181,7 +181,7 @@ apk add \
   c-ares-dev \
   re2-dev \
   grpc-dev \
-  protobuf-dev 
+  protobuf-dev
 
 # apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing opentelemetry-cpp-dev
 
@@ -388,17 +388,13 @@ mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-E
 mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
 cd ..
 
-# OWASP CRS v3 rules
+# OWASP CRS v4 rules
 echo "
 Include /etc/nginx/owasp-modsecurity-crs/crs-setup.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-901-INITIALIZATION.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-905-COMMON-EXCEPTIONS.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-912-DOS-PROTECTION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf
@@ -407,7 +403,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LF
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
-Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-NODEJS.conf
+Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-934-APPLICATION-ATTACK-GENERIC.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
@@ -418,6 +414,7 @@ Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-951-DATA-LEAKAGES-SQL.co
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-954-DATA-LEAKAGES-IIS.conf
+Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-955-WEB-SHELLS.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-959-BLOCKING-EVALUATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf
 Include /etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf