This is an automated email from the ASF dual-hosted git repository.

kichan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 54b42b11a5 Update modsecurity example that leverages lua plugin  
(#11985)
54b42b11a5 is described below

commit 54b42b11a54d80a98190584a3e3518625d7a0f38
Author: Kit Chan <[email protected]>
AuthorDate: Sun Feb 9 15:00:00 2025 -0800

    Update modsecurity example that leverages lua plugin  (#11985)
    
    * Update README.md
    
    * Update example.conf
    
    * Update owasp.conf
---
 example/plugins/lua-api/modsecurity/README.md    | 23 +++++++---------
 example/plugins/lua-api/modsecurity/example.conf |  4 +--
 example/plugins/lua-api/modsecurity/owasp.conf   | 34 ++----------------------
 3 files changed, 13 insertions(+), 48 deletions(-)

diff --git a/example/plugins/lua-api/modsecurity/README.md 
b/example/plugins/lua-api/modsecurity/README.md
index 71798ee88e..1ba5658647 100644
--- a/example/plugins/lua-api/modsecurity/README.md
+++ b/example/plugins/lua-api/modsecurity/README.md
@@ -1,14 +1,14 @@
 Integrating ATS with ModSecurity V3 using LuaJIT and FFI
 ====
 
-Open source WAF for [Apache Traffic Server](http://trafficserver.apache.org/).
+Open source WAF for ATS
 
 Tested with the following
 ====
- - ModSecurity v3.0.6
- - ATS 9.1.1
+ - ModSecurity v3.0.13
+ - ATS 10.0.2
 
-How to Use
+How to Install the Example
 ====
  - Copy all lua files to `/usr/local/var/lua`
  - Put the example modsecurity rule file (`example.conf`) to 
`/usr/local/var/modsecurity` , readable by the ATS process
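Review bot: the first line now reads "Open source WAF for ATS" and the link to http://trafficserver.apache.org/ is gone; keep the link and the expanded name "Apache Traffic Server" on first use, since it is the only pointer a reader landing on this README has to the project and the abbreviation is otherwise never defined. The bump to ModSecurity v3.0.13 / ATS 10.0.2 is fine, but the "Tested with" list should also name the LuaJIT version, because the title states the integration runs through LuaJIT FFI and that is the part most likely to break between releases.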
@@ -23,14 +23,14 @@ tslua.so --enable-reload 
/usr/local/var/lua/ats-luajit-modsecurity.lua /usr/loca
 Contents/Rules inside example.conf
 ====
  - deny any request with query parameter of `testparam=test2` with a 403 
status response
- - return any request with query parameter of `testparam=test1` with 301 
redirect response to https://www.yahoo.com/
+ - return any request with query parameter of `testparam=test1` with 301 
redirect response to https://www.example.com/
  - override any response with header `test` equal to `1` with a 403 status 
response
- - override any response with header `test` equal to `2` with a 301 redirect 
response to https://www.yahoo.com/
+ - override any response with header `test` equal to `2` with a 301 redirect 
response to https://www.example.com/
  - write debug log out to `/tmp/debug.log`
 
 Working with CRS
 ====
- - Go [here](https://github.com/coreruleset/coreruleset) and download release 
v3.3.2
+ - Go [here](https://github.com/coreruleset/coreruleset) and download release 
v4.10.0
  - Uncompress the contents and copy `crs-setup.conf.example` to 
`/usr/local/var/modsecurity` and rename it to `crs-setup.conf`
  - Copy all files in `rules` directory to `/usr/local/var/modsecurity/rules`
  - Copy `owasp.conf` in this repository to `/usr/local/var/modsecurity`
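Review bot: the CRS bump from v3.3.2 to v4.10.0 is a major-version change while the surrounding steps (copy `crs-setup.conf.example`, copy `rules/`, copy `owasp.conf`) are unchanged; add a sentence that the example is now v4-specific and a v3 checkout will not work with it, and replace "download release v4.10.0" with an instruction to fetch the release archive and verify its checksum or signature before copying the rules into `/usr/local/var/modsecurity/rules`, since everything copied there is loaded into the WAF. Switching the redirect target to https://www.example.com/ is the right call for a sample config.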
@@ -40,11 +40,7 @@ Working with CRS
 tslua.so --enable-reload /usr/local/var/lua/ats-luajit-modsecurity.lua 
/usr/local/var/modsecurity/owasp.conf
 ```
 
- - The following example curl command against your server should get a status 
403 Forbidden response
-
-```
-curl -v -H "User-Agent: Nikto" 'http://<your server>/'
-```
+ - To test, run a request with "User-Agent: Nikto" header. And it should 
trigger the default action to log warning message to traffic.out
 
 Extra Notes with CRS
 ====
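Review bot: the new test instruction drops the concrete `curl -v -H "User-Agent: Nikto" 'http://<your server>/'` command and changes the expected outcome from a 403 Forbidden to a warning in traffic.out without saying why; `owasp.conf` still sets `SecRuleEngine On`, so explain whether the engine is expected to block this request and, if CRS v4 scoring is the reason the response is no longer a 403, say so. Keep the curl command so the check stays reproducible, and state the exact string to look for in traffic.out. Wording: "And it should trigger the default action to log warning message" is a fragment; suggest "A request carrying a `User-Agent: Nikto` header should trigger the default action, which logs a warning to traffic.out".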
@@ -56,8 +52,7 @@ SecDebugLog /tmp/debug.log
 SecDebugLogLevel 9
 ```
 
-- Rule ID 910100 in REQUEST-910-IP-REPUTATION.conf in `rules` directory 
requires GeoIP and have to be commented out if you do not built the modsecurity 
library with it.
-- We use `SecRuleRemoveById` inside `owasp.conf` to remove rules checking for 
request and response body. This trick can be used to remove other rules that 
does not apply well in some situations
+- We can use `SecRuleRemoveById` inside `owasp.conf` to remove rules. E.g 
those checking for request and response body. This trick can be used to remove 
other rules that does not apply well in some situations
 
 
 TODOs/Limitations
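Review bot: dropping the note about rule 910100 and GeoIP is consistent with the move to CRS v4, but the rewritten `SecRuleRemoveById` note now only says readers "can" remove the request- and response-body rules and no longer states whether this Lua integration passes request and response bodies to libmodsecurity at all; say which it is, otherwise a reader either disables rules needlessly or assumes body inspection that may not be happening (TODOs/Limitations is the natural place). Grammar: "E.g those" should be "e.g. those", and "other rules that does not apply" should be "other rules that do not apply".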
diff --git a/example/plugins/lua-api/modsecurity/example.conf 
b/example/plugins/lua-api/modsecurity/example.conf
index 36eb7818c2..5e37508618 100644
--- a/example/plugins/lua-api/modsecurity/example.conf
+++ b/example/plugins/lua-api/modsecurity/example.conf
@@ -23,6 +23,6 @@ SecDebugLog /tmp/debug.log
 SecDebugLogLevel 9
 
 SecRule ARGS:testparam "@contains test2" "id:1234,deny,status:403"
-SecRule ARGS:testparam "@contains test1" 
"id:1235,status:301,redirect:https://www.yahoo.com/";
+SecRule ARGS:testparam "@contains test1" 
"id:1235,status:301,redirect:https://www.example.com/";
 SecRule RESPONSE_HEADERS:test "@contains 1" "id:1236,phase:3,deny,status:403"
-SecRule RESPONSE_HEADERS:test "@contains 2" 
"id:1237,phase:3,status:301,redirect:https://www.yahoo.com/";
+SecRule RESPONSE_HEADERS:test "@contains 2" 
"id:1237,phase:3,status:301,redirect:https://www.example.com/";
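Review bot: both redirect rules use `status:301`; a permanent redirect is cached by browsers, so anyone testing `?testparam=test1` from a browser keeps being redirected even after the rule is removed. For a sample config `status:302` is the safer choice, or add a note to test with curl only. Also, as rendered here each redirect line ends in `";` while the two deny rules on the adjacent lines end with the bare closing quote; please confirm the file itself carries no trailing semicolon after the action list, or that libmodsecurity accepts it, since the two forms are inconsistent within the same file.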
diff --git a/example/plugins/lua-api/modsecurity/owasp.conf 
b/example/plugins/lua-api/modsecurity/owasp.conf
index 98d74ac5f4..95f835a828 100644
--- a/example/plugins/lua-api/modsecurity/owasp.conf
+++ b/example/plugins/lua-api/modsecurity/owasp.conf
@@ -31,35 +31,5 @@ SecRuleEngine On
 Include "crs-setup.conf"
 Include "rules/*.conf"
 
-# Remove rules checking response body
-SecRuleRemoveById 950130
-SecRuleRemoveById 950140
-SecRuleRemoveById 951100
-SecRuleRemoveById 951110
-SecRuleRemoveById 951120
-SecRuleRemoveById 951130
-SecRuleRemoveById 951140
-SecRuleRemoveById 951150
-SecRuleRemoveById 951160
-SecRuleRemoveById 951170
-SecRuleRemoveById 951180
-SecRuleRemoveById 951190
-SecRuleRemoveById 951200
-SecRuleRemoveById 951210
-SecRuleRemoveById 951220
-SecRuleRemoveById 951230
-SecRuleRemoveById 951240
-SecRuleRemoveById 951250
-SecRuleRemoveById 951260
-SecRuleRemoveById 952100
-SecRuleRemoveById 952110
-SecRuleRemoveById 953100
-SecRuleRemoveById 953110
-SecRuleRemoveById 953120
-SecRuleRemoveById 954100
-SecRuleRemoveById 954110
-SecRuleRemoveById 954120
-SecRuleRemoveById 954130
-
-# Remove rules checking request body
-SecRuleRemoveById 920240
+# E.g Remove rules by Id
+#SecRuleRemoveById 920240
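Review bot: removing all 29 `SecRuleRemoveById` lines re-enables the response-body rules (950130 through 954130) and the request-body rule 920240 that the previous config deliberately excluded, which changes what this example enforces, yet neither the commit message nor a comment in `owasp.conf` says whether body inspection now works through the Lua plugin or whether those rules are simply inert. Add a comment above the example line stating why the exclusions were dropped. Minor: "# E.g Remove rules by Id" should read "# e.g. remove rules by ID", and it is worth a comment that `SecRuleRemoveById` must stay after `Include "rules/*.conf"`, which the hunk does keep correct.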
