
Comments (14)

k8s-ci-robot avatar k8s-ci-robot commented on August 23, 2024

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

from ingress-nginx.

longwuyuan avatar longwuyuan commented on August 23, 2024

/remove-kind bug
/kind support

  • Your issue description is not markdown formatted
  • The controller pod's kubectl describe is absent
  • Much of the info asked in a new issue template is absent
  • You have not specified what document you are following for using custom modsec rules

So fix that issue description and see if you get comments based on useful data (if any)

from ingress-nginx.

konmedia-devops avatar konmedia-devops commented on August 23, 2024

@longwuyuan Thank you for your feedback. I updated format and content of the issue description.

from ingress-nginx.

longwuyuan avatar longwuyuan commented on August 23, 2024

The error visible is

```
must have an ID. File: 0x7f791d3180f0 at line: 1
```

Does your file have an ID?

from ingress-nginx.

konmedia-devops avatar konmedia-devops commented on August 23, 2024

@longwuyuan Yes. The error message refers to the rule id, as I understand it. All rules in the file have a rule id, and the same ruleset works if I put it in the modsecurity-snippet inside the ingress instance. That's why I assume that the file is not readable.

from ingress-nginx.

longwuyuan avatar longwuyuan commented on August 23, 2024

If you follow the documentation, I can understand what you are trying and work with you.

For example, follow these

But this is an absolute requirement

  • Show the error of insufficient size

Next, show the volume mounted but do not use the custom-rules. I want to see the volumes only.

And then I too can debug the actual error of not being able to use the custom-rulesets from a volume.

I can join a meet.jit.si session. We can sync on Slack.

from ingress-nginx.

konmedia-devops avatar konmedia-devops commented on August 23, 2024

@longwuyuan Thank you. I will prepare and get back to you.

from ingress-nginx.

longwuyuan avatar longwuyuan commented on August 23, 2024

thank you

from ingress-nginx.

longwuyuan avatar longwuyuan commented on August 23, 2024

/triage needs-information

from ingress-nginx.

konmedia-devops avatar konmedia-devops commented on August 23, 2024

@longwuyuan Thanks for your help. I will try to answer your questions beforehand:

> https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-modsecurity
> https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-owasp-modsecurity-crs
> And only then come to this one
> https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#modsecurity-snippet

I followed the documentation and configured modsecurity as explained in these docs.

> But this is an absolute requirement
>
> Show the error of insufficient size

```
Failed to save resource: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request:
-------------------------------------------------------------------------------
Error: exit status 1
2024/07/16 09:47:21 [emerg] 2357#2357: too long parameter, probably missing terminating "'" character in /tmp/nginx/nginx-cfg939531444:3640
nginx: [emerg] too long parameter, probably missing terminating "'" character in /tmp/nginx/nginx-cfg939531444:3640
nginx: configuration file /tmp/nginx/nginx-cfg939531444 test failed
```

As described in owasp-modsecurity/ModSecurity-nginx#210, nginx has a line limit of 4096 bytes in the configuration file: https://github.com/nginx/nginx/blob/master/src/core/ngx_conf_file.c
As the modsecurity-snippet is included within single quotes, a long snippet exceeds this line length.

> Next show the volume mounted but do not use the custom-rules. I want to see the volumes only

```yaml
...
    spec:
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
            defaultMode: 420
        - name: modsecurity-config-custom-default-ruleset-volume
          configMap:
            name: ingress-nginx-controller
            defaultMode: 420
        - name: modsecurity-config-custom-extended-ruleset-volume
          configMap:
            name: ingress-nginx-controller
            defaultMode: 420
        - name: modsecurity-config-custom-rule-removals-volume
          configMap:
            name: ingress-nginx-controller
            defaultMode: 420
      containers:
        - volumeMounts:
            - name: webhook-cert
              readOnly: true
              mountPath: /usr/local/certificates/
            - name: modsecurity-config-custom-default-ruleset-volume
              mountPath: /etc/modsecurity-rules/default.conf
              subPath: custom-default-ruleset
            - name: modsecurity-config-custom-extended-ruleset-volume
              mountPath: /etc/modsecurity-rules/extended.conf
              subPath: custom-extended-ruleset
            - name: modsecurity-config-custom-rule-removals-volume
              mountPath: /etc/modsecurity-rules/removals.conf
              subPath: custom-rule-removals
...
```

> And then I too can debug the actual error of not being able to use the custom-rulesets from a volume
>
> I can join a meet.jit.si session. We can sync on slack

Great. How can I reach you?

longwuyuan avatar longwuyuan commented on August 23, 2024

I am on Kubernetes Slack in the ingress-nginx-users channel

from ingress-nginx.

konmedia-devops avatar konmedia-devops commented on August 23, 2024

@longwuyuan

> I am on Kubernetes Slack in the ingress-nginx-users channel

I need an invitation, right? Sorry, I am not familiar with Slack...

from ingress-nginx.

longwuyuan avatar longwuyuan commented on August 23, 2024

channel ingress-nginx
slack kubernetes.slack.com
registration slack.kubernetes.io

from ingress-nginx.

konmedia-devops avatar konmedia-devops commented on August 23, 2024

The problem could be resolved. My rulesets still contained the escaping `\` for the quotation marks that are necessary in the modsecurity-snippet.

from ingress-nginx.

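As an added example (not code from this thread or from the ingress-nginx project), the following Python script checks a ModSecurity ruleset before it goes into a ConfigMap that is mounted as a file. It covers the two failure modes discussed above: it flags the backslash-escaped quotes that the thread reports as necessary inside a modsecurity-snippet but which break a file loaded from a volume, flags any SecRule without an `id:` action (the "must have an ID" error), offers the unescape conversion that resolved this issue, and estimates whether a snippet would exceed the 4096-byte configuration buffer the thread cites. The sample rules are constructed, `NGX_CONF_BUFFER` is assumed to be the value the thread links to, and the size check is an approximation based on the "too long parameter" error text, not on reading nginx source.

```python
import re

# Assumed: the nginx configuration token buffer size the thread cites
# (NGX_CONF_BUFFER in ngx_conf_file.c). Not read from nginx source here.
NGX_CONF_BUFFER = 4096

SECRULE_RE = re.compile(r'^\s*SecRule\b')
# ModSecurity accepts id:10001 and id:'10001'.
ID_RE = re.compile(r'''\bid:\s*'?(\d+)''')
# A modsecurity-snippet is rendered inside a single-quoted
# modsecurity_rules '...' directive, so the thread reports that quotes in it
# must be backslash-escaped. In a rules file mounted from a volume the same
# escapes are a defect, which is what resolved this issue.
SNIPPET_ESCAPE_RE = re.compile(r'''\\(['"])''')

# Constructed sample: two rules written in snippet style (with escapes),
# the second one spread over a backslash-continued line.
SNIPPET_STYLE_RULES = r'''
SecRule REQUEST_URI \"@beginsWith /healthz\" \"id:10001,phase:1,pass,nolog,ctl:ruleEngine=Off\"
SecRule ARGS:token \"@rx ^[a-f0-9]{32}$\" \
    \"id:10002,phase:2,pass,t:none,msg:\'token ok\'\"
'''


def logical_lines(text):
    """Yield (first_lineno, text) with backslash-continued lines joined."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith('\\'):
            buf.append(stripped[:-1].strip())
            continue
        buf.append(raw.strip())
        yield start, ' '.join(buf)
        buf, start = [], None
    if buf:
        yield start, ' '.join(buf)


def lint_rules_file(text):
    """Return findings for a ruleset that will be mounted from a ConfigMap as a file."""
    findings = []
    for lineno, line in logical_lines(text):
        if not SECRULE_RE.match(line):
            continue
        if SNIPPET_ESCAPE_RE.search(line):
            findings.append(f'line {lineno}: snippet-style backslash escape in a rules file')
        if not ID_RE.search(line):
            findings.append(f'line {lineno}: SecRule has no id: action (modsecurity: "must have an ID")')
    return findings


def file_form_from_snippet(snippet):
    """Drop the \\" and \\' escapes so the rules can live in a mounted file."""
    return SNIPPET_ESCAPE_RE.sub(r'\1', snippet)


def snippet_fits_conf_buffer(snippet):
    """Approximate check: does the whole single-quoted modsecurity_rules
    parameter (the snippet plus its quotes, in bytes) stay under the buffer?"""
    return len(("'" + snippet + "'").encode('utf-8')) < NGX_CONF_BUFFER


if __name__ == '__main__':
    print('snippet-style ruleset as a file:')
    for finding in lint_rules_file(SNIPPET_STYLE_RULES):
        print('  ', finding)
    converted = file_form_from_snippet(SNIPPET_STYLE_RULES)
    print('after unescaping:', lint_rules_file(converted) or 'no findings')
    print('snippet fits nginx conf buffer:', snippet_fits_conf_buffer(SNIPPET_STYLE_RULES))
```

Run it against the ruleset before creating the ConfigMap; a ruleset that was copied out of a working modsecurity-snippet should produce only "backslash escape" findings, and `file_form_from_snippet` produces the version to mount.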