Disable nginx module conditionally

ehsan.mahdavi · 2016-11-02T00:17:36+00:00

Hey!I have had a weird problem with my lua code. My code buffers entire webpage, inserts a few lines inside buffered html and then returns the page.As a user...

Disable nginx module conditionally

ehsan.mahdavi

Hi,

First of all, I have never used lua!!!

I have a problem using Modsecurity with Nginx, and someone suggested that the lua can help. So am sending this email, may some one please help.

While using nginx as a reverse proxy with modsecurity to harden the security of a bunch of web sites, according to here modsecurity consumes cpu and makes intolerable delays when a client attempts to download a large file. There is still no stable remedy for this.

The modsecurity module for nginx is enabled using this directive: ModSecurity On.

Am wondering if it is possible to check upstream response length (may be with nginx $upstream_response_length variable ) and disable this module for such responses.

Someone here suggested that I might be able to do so using lua.

Is it possible to disable modsecurity (Like ModSecurity Off ) after checking the mentioned variable? If not, what about discarding any nginx processes after checking this variable and continue sending the file to the clients?

BEST REGARDS

rpaprocki

Hi,

Sent from my iPhone

On Nov 1, 2016, at 09:17, Ehsan Mahdavi <ehsan....@gmail.com> wrote:

Hi,
First of all, I have never used lua!!!
I have a problem using Modsecurity with Nginx, and someone suggested that the lua can help. So am sending this email, may some one please help.

While using nginx as a reverse proxy with modsecurity to harden the security of a bunch of web sites, according to here modsecurity consumes cpu and makes intolerable delays when a client attempts to download a large file. There is still no stable remedy for this.

This issue for for ModSecurity 2.8, which does not have good support for Nginx. You should use the new libmodsecurity and connector for Nginx (https://github.com/SpiderLabs/ModSecurity/tree/v3/master and https://github.com/SpiderLabs/ModSecurity-nginx). This issue you noted above does not exist with the current Nginx connector. Do not try to use the old ModSecurity on nginx.

The modsecurity module for nginx is enabled using this directive: ModSecurity On.
Am wondering if it is possible to check upstream response length (may be with nginx $upstream_response_length variable ) and disable this module for such responses.

Someone here suggested that I might be able to do so using lua.

Is it possible to disable modsecurity (Like ModSecurity Off ) after checking the mentioned variable? If not, what about discarding any nginx processes after checking this variable and continue sending the file to the clients?

This would not be possible to do, lua-nginx-module cannot interact with other modules in this manner. Your best bet is going to be to use the libmodsecurity project as mentioned above. Alternatively, if you do want to convert to OpenResty, have a look at https://github.com/p0pr0ck5/lua-resty-waf, which offers a ModSecurity-like engine for OpenResty directly.

ehsan.mahdavi

Thanks for your response.

Unfortunately libmodsecurity is still a disaster.

Best Regards

On Tuesday, November 1, 2016 at 8:43:22 PM UTC+3:30, rpaprocki wrote:

Hi,

Sent from my iPhone
On Nov 1, 2016, at 09:17, Ehsan Mahdavi <ehsan....@gmail.com> wrote:

Hi,
First of all, I have never used lua!!!
I have a problem using Modsecurity with Nginx, and someone suggested that the lua can help. So am sending this email, may some one please help.

While using nginx as a reverse proxy with modsecurity to harden the security of a bunch of web sites, according to here modsecurity consumes cpu and makes intolerable delays when a client attempts to download a large file. There is still no stable remedy for this.

This issue for for ModSecurity 2.8, which does not have good support for Nginx. You should use the new libmodsecurity and connector for Nginx (https://github.com/SpiderLabs/ModSecurity/tree/v3/master and https://github.com/SpiderLabs/ModSecurity-nginx). This issue you noted above does not exist with the current Nginx connector. Do not try to use the old ModSecurity on nginx.

The modsecurity module for nginx is enabled using this directive: ModSecurity On.
Am wondering if it is possible to check upstream response length (may be with nginx $upstream_response_length variable ) and disable this module for such responses.

Someone here suggested that I might be able to do so using lua.

Is it possible to disable modsecurity (Like ModSecurity Off ) after checking the mentioned variable? If not, what about discarding any nginx processes after checking this variable and continue sending the file to the clients?

This would not be possible to do, lua-nginx-module cannot interact with other modules in this manner. Your best bet is going to be to use the libmodsecurity project as mentioned above. Alternatively, if you do want to convert to OpenResty, have a look at https://github.com/p0pr0ck5/lua-resty-waf, which offers a ModSecurity-like engine for OpenResty directly.