From 72c4ffa8b55122f7b686fca1ffeba18659a8296b Mon Sep 17 00:00:00 2001 From: MRoci Date: Wed, 15 May 2019 14:34:00 +0200 Subject: [PATCH 1/2] add modsecurity-snippet key --- docs/user-guide/nginx-configuration/configmap.md | 5 +++++ internal/ingress/controller/config/config.go | 3 +++ rootfs/etc/nginx/template/nginx.tmpl | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 84a10c87b..2516461cf 100755 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -35,6 +35,7 @@ The following table shows a configuration option's name, type, and the default v |[enable-access-log-for-default-backend](#enable-access-log-for-default-backend)|bool|"false"| |[error-log-path](#error-log-path)|string|"/var/log/nginx/error.log"| |[enable-modsecurity](#enable-modsecurity)|bool|"false"| +|[modsecurity-snippet](#modsecurity-snippet)|string|""| |[enable-owasp-modsecurity-crs](#enable-owasp-modsecurity-crs)|bool|"false"| |[client-header-buffer-size](#client-header-buffer-size)|string|"1k"| |[client-header-timeout](#client-header-timeout)|int|60| @@ -221,6 +222,10 @@ Enables the modsecurity module for NGINX. _**default:**_ is disabled Enables the OWASP ModSecurity Core Rule Set (CRS). _**default:**_ is disabled +## modsecurity-snippet + +Adds custom rules to modsecurity section of nginx configration + ## client-header-buffer-size Allows to configure a custom buffer size for reading client request header. diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index 3a0bb3fd8..8dffc6970 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go 
@@ -133,6 +133,9 @@ type Configuration struct { // By default this is disabled EnableOWASPCoreRules bool `json:"enable-owasp-modsecurity-crs"` + // ModSecuritySnippet adds custom rules to modsecurity section of nginx configuration + ModsecuritySnippet string `json:"modsecurity-snippet"` + // ClientHeaderBufferSize allows to configure a custom buffer // size for reading client request header // http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index f2c266c02..2a7890d90 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -143,6 +143,10 @@ http { {{ if $all.Cfg.EnableOWASPCoreRules }} modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf; + {{ else if (not (empty $all.Cfg.ModsecuritySnippet)) }} + modsecurity_rules ' + {{ $all.Cfg.ModsecuritySnippet }} + '; {{ end }} {{ end }} From 1ee081ccc805a0e12705223efc6fcf4269ccbe6c Mon Sep 17 00:00:00 2001 From: MRoci Date: Wed, 15 May 2019 16:07:42 +0200 Subject: [PATCH 2/2] test modsecurity-snippet --- test/e2e/settings/modsecurity_snippet.go | 42 ++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 test/e2e/settings/modsecurity_snippet.go diff --git a/test/e2e/settings/modsecurity_snippet.go b/test/e2e/settings/modsecurity_snippet.go new file mode 100644 index 000000000..399002f5e --- /dev/null +++ b/test/e2e/settings/modsecurity_snippet.go 
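Review bot: The doc comment on the new field spells the name `ModSecuritySnippet` while the field is `ModsecuritySnippet`, so the comment does not start with the identifier it documents and a search for one spelling misses the other. The comment could also record what the template in this patch does with the value, for example `// ModsecuritySnippet is raw ModSecurity configuration rendered unescaped into modsecurity_rules; it is ignored when EnableOWASPCoreRules is true`. The Configuration struct starts and ends outside the hunk.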
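Review bot: In the nginx.tmpl hunk the snippet is rendered verbatim between the single quotes of `modsecurity_rules ' … ';`, so any `'` in the value ends the nginx string early. ModSecurity rules commonly contain single quotes, for example in `msg:'…'` actions, so the rest of the value would be parsed as nginx directives or would fail the reload. Either document that single quotes in the value must be escaped or write the value to a file and load it with `modsecurity_rules_file`, as the CRS branch above does. The `{{ else if … }}` also means the snippet is silently dropped whenever `enable-owasp-modsecurity-crs` is true, which the new configmap.md section does not mention. The enclosing template block opens outside the hunk.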
@@ -0,0 +1,42 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package settings
+
+import (
+ "strings"
+
+ . "github.com/onsi/ginkgo"
+
+ "k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("Modsecurity Snippet", func() {
+ f := framework.NewDefaultFramework("modsecurity-snippet")
+
+ It("should add value of modsecurity-snippet setting to nginx config", func() {
+ modsecSnippet := "modsecurity-snippet"
+ expectedComment := "# modsecurity snippet"
+
+ f.UpdateNginxConfigMapData("enable-modsecurity", "true")
+ f.UpdateNginxConfigMapData(modsecSnippet, expectedComment)
+
+ f.WaitForNginxConfiguration(
+ func(cfg string) bool {
+ return strings.Contains(cfg, expectedComment)
+ })
+ })
+})
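Review bot: The assertion only checks that `# modsecurity snippet` appears somewhere in the rendered config, so it would still pass if the value landed outside the `modsecurity_rules` block. A comment-only value also never exercises rule parsing. A second case with a realistic rule that contains quotes, such as a `SecRule` with a `msg:'…'` action, would show whether the generated configuration is still accepted when the value sits inside the single-quoted directive. A further case with `enable-owasp-modsecurity-crs` set to `"true"` would pin down that the snippet is then omitted, which is what the template's `else if` implies.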