disable modsecurity on error page (#8202)

* disable modsecurity on error page

* fix modsecurity error pages test

* fix variable in nginx template

* disable modsecurity on all internal locations

* fix pipeline checks for gofmt

Signed-off-by: Florian Michel <florianmichel@hotmail.de>
This commit is contained in:
Florian Michel 2022-05-04 17:29:51 +02:00 committed by GitHub
parent 3230638160
commit ee50e38b44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 9 deletions


@ -1277,15 +1277,17 @@ func proxySetHeader(loc interface{}) string {
// buildCustomErrorDeps is a utility function returning a struct wrapper with // buildCustomErrorDeps is a utility function returning a struct wrapper with
// the data required to build the 'CUSTOM_ERRORS' template // the data required to build the 'CUSTOM_ERRORS' template
func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics bool) interface{} { func buildCustomErrorDeps(upstreamName string, errorCodes []int, enableMetrics bool, modsecurityEnabled bool) interface{} {
return struct { return struct {
UpstreamName string UpstreamName string
ErrorCodes []int ErrorCodes []int
EnableMetrics bool EnableMetrics bool
ModsecurityEnabled bool
}{ }{
UpstreamName: upstreamName, UpstreamName: upstreamName,
ErrorCodes: errorCodes, ErrorCodes: errorCodes,
EnableMetrics: enableMetrics, EnableMetrics: enableMetrics,
ModsecurityEnabled: modsecurityEnabled,
} }
} }
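Review bot: The new `modsecurityEnabled` parameter on buildCustomErrorDeps is not mentioned in the function's doc comment, and its name inverts the spelling of the config field it is fed from in the template (`$cfg.EnableModsecurity`, `$all.Cfg.EnableModsecurity`). Suggest extending the comment with `// modsecurityEnabled mirrors the global EnableModsecurity setting so the CUSTOM_ERRORS template can emit "modsecurity off;" inside the internal error-page locations.` so the next reader knows why a WAF flag travels with error-page data. If the name is still free to change, `EnableModsecurity` for both the parameter and the struct field would let a grep across the template and the Go code land on a single spelling.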


@ -656,7 +656,7 @@ http {
{{ $cfg.ServerSnippet }} {{ $cfg.ServerSnippet }}
{{ end }} {{ end }}
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics) }} {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps "upstream-default-backend" $cfg.CustomHTTPErrors $all.EnableMetrics $cfg.EnableModsecurity) }}
} }
## end server {{ $server.Hostname }} ## end server {{ $server.Hostname }}
@ -872,11 +872,17 @@ stream {
{{/* definition of templates to avoid repetitions */}} {{/* definition of templates to avoid repetitions */}}
{{ define "CUSTOM_ERRORS" }} {{ define "CUSTOM_ERRORS" }}
{{ $enableMetrics := .EnableMetrics }} {{ $enableMetrics := .EnableMetrics }}
{{ $modsecurityEnabled := .ModsecurityEnabled }}
{{ $upstreamName := .UpstreamName }} {{ $upstreamName := .UpstreamName }}
{{ range $errCode := .ErrorCodes }} {{ range $errCode := .ErrorCodes }}
location @custom_{{ $upstreamName }}_{{ $errCode }} { location @custom_{{ $upstreamName }}_{{ $errCode }} {
internal; internal;
# Ensure that modsecurity will not run on custom error pages or they might be blocked
{{ if $modsecurityEnabled }}
modsecurity off;
{{ end }}
proxy_intercept_errors off; proxy_intercept_errors off;
proxy_set_header X-Code {{ $errCode }}; proxy_set_header X-Code {{ $errCode }};
@ -1015,7 +1021,7 @@ stream {
{{ end }} {{ end }}
{{ range $errorLocation := (buildCustomErrorLocationsPerServer $server) }} {{ range $errorLocation := (buildCustomErrorLocationsPerServer $server) }}
{{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics) }} {{ template "CUSTOM_ERRORS" (buildCustomErrorDeps $errorLocation.UpstreamName $errorLocation.Codes $all.EnableMetrics $all.Cfg.EnableModsecurity) }}
{{ end }} {{ end }}
{{ buildMirrorLocations $server.Locations }} {{ buildMirrorLocations $server.Locations }}
@ -1048,6 +1054,11 @@ stream {
opentracing_propagate_context; opentracing_propagate_context;
{{ end }} {{ end }}
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }}
modsecurity off;
{{ end }}
{{ if $externalAuth.AuthCacheKey }} {{ if $externalAuth.AuthCacheKey }}
set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}'; set $tmp_cache_key '{{ $server.Hostname }}{{ $authPath }}{{ $externalAuth.AuthCacheKey }}';
set $cache_key ''; set $cache_key '';
@ -1158,6 +1169,11 @@ stream {
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }}
modsecurity off;
{{ end }}
return 302 {{ buildAuthSignURL $externalAuth.SigninURL $externalAuth.SigninURLRedirectParam }}; return 302 {{ buildAuthSignURL $externalAuth.SigninURL $externalAuth.SigninURLRedirectParam }};
} }
{{ end }} {{ end }}
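Review bot: The `modsecurity off;` added before the `return 302` in the signin location is justified by the comment "not accessible from outside", but this hunk does not show an `internal;` directive for that location, unlike `@custom_…` which declares `internal;` at the top; it is worth confirming the signin location is a named or internal location before exempting it from inspection, since an exemption on a directly reachable location would bypass the WAF. The same guard appears in the hunk at @ -1048 and, via `$modsecurityEnabled`, in CUSTOM_ERRORS, all keyed on the global flag only; if ModSecurity can also be switched on at location level (only the global flag is visible here), no `modsecurity off;` is emitted in that case — probably harmless because a location-level `modsecurity on;` does not carry into a separate named location, but one sentence in the comment recording that reasoning would save the next reader the analysis. The identical three-line comment-plus-guard block is pasted three times; a small shared `define` block in this template would keep the wording and the condition in one place.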