setvar from haproxy #17

Closed
jvinolas opened this issue Jan 21, 2022 · 9 comments

@jvinolas

Hi,

I'm using this in front of a WordPress and a Nextcloud. I would like to apply custom application exclusions depending on the subdomain. I see from crs-setup.conf:

# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1

And if I activate it as it is, modsecurity fails. I assume that this is the rule that should go in the Apache vhost when using it with modsecurity.

Is there any way we could set a subdomain ACL in haproxy and setvar to one exclusion or another prior to sending it to the modsecurity container using this spoa?

Or maybe the only option is to create one modsecurity container and one spoa config for each application?

Thanks.

@GMartinez-Sisti
Contributor

Hi @jvinolas! Can you share the modsecurity error? This will be very helpful to understand what's happening.

@jvinolas
Author

I've just tried uncommenting these lines as the crs-setup.conf says (I'm not sure if it should work like this):

# It is recommended if you run multiple web applications on your site to limit
# the effects of the exclusion to only the path where the excluded webapp
# resides using a rule similar to the following example:
SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1

# SecRule SERVER_NAME "@beginsWith nextcloud." setvar:tx.crs_exclusions_nextcloud=1
#
# Modify and uncomment this rule to select which application:
#
SecAction \
"id:900130,\
 phase:1,\
 nolog,\
 pass,\
 t:none,\
 setvar:tx.crs_exclusions_cpanel=1,\
 setvar:tx.crs_exclusions_drupal=1,\
 setvar:tx.crs_exclusions_dokuwiki=1,\
 setvar:tx.crs_exclusions_nextcloud=1,\
 setvar:tx.crs_exclusions_wordpress=1,\
 setvar:tx.crs_exclusions_xenforo=1"

And then restarting the modsecurity-spoa container fails:

Using options: <default>
Using config files:
  - /etc/modsecurity/modsecurity.conf
  - /etc/modsecurity/owasp-modsecurity-crs.conf
1642764789.204153 [00] ModSecurity load configuration failed.

I've also set up DebugLogLevel to 3, 9... without any increase in log messages.

@GMartinez-Sisti
Contributor

I've had the same issue: the debug mode doesn't give you more information when the configuration fails to load.

Just to rule it out, can you try enclosing the setvar values in single quotes?

SecAction \
"id:900130,\
 phase:1,\
 nolog,\
 pass,\
 t:none,\
 setvar:'tx.crs_exclusions_cpanel=1',\
 setvar:'tx.crs_exclusions_drupal=1',\
 setvar:'tx.crs_exclusions_dokuwiki=1',\
 setvar:'tx.crs_exclusions_nextcloud=1',\
 setvar:'tx.crs_exclusions_wordpress=1',\
 setvar:'tx.crs_exclusions_xenforo=1'"

@jvinolas
Author

Didn't work either. Neither did applying it to SecRule:

SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:'tx.crs_exclusions_wordpress=1'

@GMartinez-Sisti
Contributor

Can you check this please #4 (comment)

I'm using a custom config file that is loaded after the default ones and that way it works. Pls let me know 🤞

@jvinolas
Author

I tried to put the rule everywhere within owasp-modsecurity-crs.conf but it always fails:

SecRule SERVER_NAME "@beginsWith nextcloud." setvar:tx.crs_exclusions_nextcloud=1

@jvinolas
Author

Also with single and double quoted setvar parameter, but no success.

@GMartinez-Sisti
Contributor

GMartinez-Sisti commented Jan 21, 2022

I'm not sure how you're testing, I just tried with the previous config and modsecurity didn't complain.

Create a custom file with override config:

# cat custom.conf
SecAction \
    "id:900130,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:'tx.crs_exclusions_cpanel=1',\
    setvar:'tx.crs_exclusions_drupal=1',\
    setvar:'tx.crs_exclusions_dokuwiki=1',\
    setvar:'tx.crs_exclusions_nextcloud=1',\
    setvar:'tx.crs_exclusions_wordpress=1',\
    setvar:'tx.crs_exclusions_xenforo=1'"

Load modsecurity with the override file at the end:

# /start.sh -d -- /etc/modsecurity/modsecurity.conf /etc/modsecurity/owasp-modsecurity-crs.conf /custom.conf
Using options: -d
Using config files:
  - /etc/modsecurity/modsecurity.conf
  - /etc/modsecurity/owasp-modsecurity-crs.conf
  - /custom.conf
1642781423.399942 [00] ModSecurity for nginx (STABLE)/2.9.5 (http://www.modsecurity.org/) configured.
1642781423.399988 [00] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
1642781423.400000 [00] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
1642781423.400010 [00] ModSecurity: YAJL compiled version="2.1.0"
1642781423.400017 [00] ModSecurity: LIBXML compiled version="2.9.12"
1642781423.400066 [00] ModSecurity: StatusEngine call: "2.9.5,nginx,1.7.0/1.7.0,8.44/8.44 2020-02-12,(null),2.9.12,5c"
1642781424.079216 [00] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
1642781424.082651 [00] Worker 01 initialized
1642781424.082772 [00] Worker 02 initialized
1642781424.082838 [01] Worker ready to process client messages
1642781424.082931 [03] Worker ready to process client messages
1642781424.082961 [02] Worker ready to process client messages
1642781424.082898 [00] Worker 03 initialized
1642781424.084310 [00] Worker 04 initialized
1642781424.084345 [04] Worker ready to process client messages
1642781424.085684 [05] Worker ready to process client messages
1642781424.085716 [00] Worker 05 initialized
1642781424.086644 [00] Worker 06 initialized
1642781424.088022 [00] Worker 07 initialized
1642781424.088351 [00] Worker 08 initialized
1642781424.088386 [08] Worker ready to process client messages
1642781424.088422 [00] Worker 09 initialized
1642781424.089063 [00] Worker 10 initialized
1642781424.089260 [00] Server is ready [fragmentation=false - pipelining=false - async=false - debug=true - max-frame-size=16384]
1642781424.089431 [10] Worker ready to process client messages
1642781424.089629 [09] Worker ready to process client messages
1642781424.089981 [07] Worker ready to process client messages
1642781424.090133 [06] Worker ready to process client messages

@jvinolas
Copy link
Author

It works! Thanks a lot!
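
Added example, not part of the thread or the project's code: ModSecurity 2.7 and later require every SecRule and SecAction to carry a numeric, unique `id` action and refuse to load a configuration that breaks this, and the load failure shown above prints no detail. The pre-flight check below folds backslash continuations and reports rules without an id or with a repeated one; the function names and the sample (assembled from directives quoted in this thread) are this example's own.

```python
import re

# Constructed sample built from the directives quoted in this thread.
SAMPLE = r'''
# SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
SecRule REQUEST_URI "@beginsWith /wordpress/" setvar:tx.crs_exclusions_wordpress=1
SecRule SERVER_NAME "@beginsWith nextcloud." setvar:'tx.crs_exclusions_nextcloud=1'
SecAction \
"id:900130,\
 phase:1,\
 pass,\
 setvar:tx.crs_exclusions_wordpress=1"
'''

ID_ACTION = re.compile(r"""(?:^|[,"'\s])id\s*:\s*'?(\d+)""")
CHAIN_ACTION = re.compile(r"""(?:^|[,"'\s])chain(?:[,"'\s]|$)""")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations folded."""
    buf, start = "", 1
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, (buf + line).strip()
        buf, start = "", no + 1
    if buf:
        yield start, buf.strip()

def lint(text):
    """Return (line_no, directive, problem) for rules ModSecurity 2.x rejects."""
    findings, seen, in_chain = [], set(), False
    for no, line in logical_lines(text):
        directive = line.split(None, 1)[0] if line else ""
        if directive not in ("SecRule", "SecAction"):
            continue  # comments, blank lines and other directives
        m = ID_ACTION.search(line)
        if not in_chain and m is None:  # chained rules inherit the starter's id
            findings.append((no, directive, "missing id"))
        elif not in_chain and m.group(1) in seen:
            findings.append((no, directive, "duplicate id " + m.group(1)))
        elif m:
            seen.add(m.group(1))
        in_chain = CHAIN_ACTION.search(line) is not None
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```

Run it over the concatenation of the config files in the order they are passed to the SPOA, so that ids repeated across files are caught as well.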
