
Beta Branch update inc/mod_security.inc fix for GeoIP2 conflict in 123.09beta01

Discussion in 'Centmin Mod Github Commits' started by eva2000, May 1, 2019.

  1. eva2000

    eva2000 Administrator Staff Member

    42,312
    9,557
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,724
    Local Time:
    6:30 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    update inc/mod_security.inc fix for GeoIP2 conflict in 123.09beta01

    - Follow up to bugs discussed on April 30/May 1, 2019 in thread at https://community.centminmod.com/threads/update-prep-for-modsecurity-v3-0.12453/
    - GeoIP2 Nginx module compilation conflicts with modsecurity v3 nginx connector module builds, as modsecurity picks up the libmaxminddb library installed by GeoIP2's routine to build against but fails to properly find the libmaxminddb libraries, so it fails to install the modsecurity v3 nginx connector module. Prior to this commit update, the workaround was to add a new variable NGINX_MODSECURITY_MAXMIND='n' to disable modsecurity v3 nginx connector from building with libmaxminddb and use the GeoIP legacy library instead, which works https://community.centminmod.com/th...n-modsecurity-variable-in-123-09beta01.17369/.
    - This update has a fix for using modsecurity v3 nginx connector with libmaxminddb now, so you can try it via setting NGINX_MODSECURITY_MAXMIND='y' along with NGINX_MODSECURITY='y' in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 nginx recompiles.

    Fix configuration for modsecurity v3 nginx connector module compile into Nginx using libmaxminddb instead of GeoIP legacy library
    Code (Text):
    ModSecurity -  for Linux
    
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....5d85f36
    
     Optional dependencies
       + GeoIP/MaxMind                                 ....found
         * (MaxMind) v1.3.2
            -lmaxminddb  , -DWITH_MAXMIND -I/usr/local/include
         * (GeoIP) v1.6.12
            -lGeoIP  , -I/usr/include/
       + LibCURL                                       ....found v7.64.1
         -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
         -lyajl  , -DWITH_YAJL
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.9
         -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found
         -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
         -lluajit-5.1 -L/usr/local/lib/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
    
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
    

    Example install for modsecurity v3 nginx connector.

    Enable nginx modsecurity module via NGINX_MODSECURITY='y' set in persistent config file /etc/centminmod/custom_config.inc BEFORE running centmin.sh menu option 4 to recompile Nginx 1.15.12

    dynamic modules load include file /usr/local/nginx/conf/dynamic-modules.conf contents
    Code (Text):
    # place custom load_module lines in this dynamic-modules-includes.conf
    # file so that they persistent i.e. for manually dropped in dynamic modules
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    load_module "modules/ngx_http_image_filter_module.so";
    load_module "modules/ngx_http_headers_more_filter_module.so";
    load_module "modules/ndk_http_module.so";
    load_module "modules/ngx_http_set_misc_module.so";
    load_module "modules/ngx_http_echo_module.so";
    load_module "modules/ngx_http_fancyindex_module.so";
    load_module "modules/ngx_http_vhost_traffic_status_module.so";
    load_module "modules/ngx_pagespeed.so";
    load_module "modules/ngx_http_brotli_filter_module.so";
    load_module "modules/ngx_http_brotli_static_module.so";
    load_module "modules/ngx_http_geoip2_module.so";
    load_module "modules/ngx_http_modsecurity_module.so";
    

    nginx dynamic modules themselves installed at /usr/local/nginx/modules where modsecurity dynamic nginx module = ngx_http_modsecurity_module.so
    Code (Text):
    ls -lah /usr/local/nginx/modules | grep -v .old
    total 41M
    drwxr-xr-x.  2 root root 4.0K Apr 30 16:24 .
    drwxr-xr-x. 14 root root 4.0K Apr 30 12:27 ..
    -rwxr-xr-x   1 root root 104K Apr 30 16:24 ndk_http_module.so
    -rwxr-xr-x   1 root root  97K Apr 30 16:24 ngx_http_brotli_filter_module.so
    -rwxr-xr-x   1 root root  90K Apr 30 16:24 ngx_http_brotli_static_module.so
    -rwxr-xr-x   1 root root 532K Apr 30 16:24 ngx_http_echo_module.so
    -rwxr-xr-x   1 root root 114K Apr 30 16:24 ngx_http_fancyindex_module.so
    -rwxr-xr-x   1 root root 103K Apr 30 16:24 ngx_http_geoip2_module.so
    -rwxr-xr-x   1 root root 222K Apr 30 16:24 ngx_http_headers_more_filter_module.so
    -rwxr-xr-x   1 root root 107K Apr 30 16:24 ngx_http_image_filter_module.so
    -rwxr-xr-x   1 root root 291K Apr 30 16:24 ngx_http_modsecurity_module.so
    -rwxr-xr-x   1 root root 643K Apr 30 16:24 ngx_http_set_misc_module.so
    -rwxr-xr-x   1 root root 781K Apr 30 16:24 ngx_http_vhost_traffic_status_module.so
    -rwxr-xr-x   1 root root  18M Apr 30 16:24 ngx_pagespeed.so
    -rwxr-xr-x   1 root root  76K Apr 30 16:24 ngx_stream_geoip2_module.so
    

    in virtual.conf main hostname
    Code (Text):
        modsecurity on;
        modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
    

    contents of /usr/local/nginx/modsec/main.conf
    Code (Text):
    # Edit to set SecRuleEngine On
    Include "/usr/local/nginx/modsec/modsecurity.conf"
    
    # OWASP CRS v3 rules
    Include "/usr/local/nginx/owasp-modsecurity-crs-3.1.0/crs-setup.conf"
    Include "/usr/local/nginx/owasp-modsecurity-crs-3.1.0/rules/*.conf"
    
    # Basic test rule
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
    

    directory contents for /usr/local/nginx/modsec
    Code (Text):
    ls -lah /usr/local/nginx/modsec
    total 88K
    drwxr-xr-x   2 root root 4.0K Apr 30 12:21 .
    drwxr-xr-x. 14 root root 4.0K Apr 30 12:27 ..
    -rw-r--r--   1 root root  327 Apr 30 10:39 main.conf
    -rw-r--r--   1 root root  10K Apr 30 10:39 modsecurity.conf
    -rw-r--r--   1 root root  10K Apr 30 12:21 modsecurity.conf-recommended
    -rw-r--r--   1 root root  52K Apr 30 10:39 unicode.mapping
    

    directory contents for /usr/local/nginx/owasp-modsecurity-crs-3.1.0
    Code (Text):
    ls -lah /usr/local/nginx/owasp-modsecurity-crs-3.1.0/
    total 212K
    drwxrwxr-x   6 root root 4.0K Apr 30 12:27 .
    drwxr-xr-x. 14 root root 4.0K Apr 30 12:27 ..
    -rw-rw-r--   1 root root  51K Nov 12 03:26 CHANGES
    -rw-rw-r--   1 root root 7.5K Nov 12 03:26 CONTRIBUTING.md
    -rw-rw-r--   1 root root 2.2K Nov 12 03:26 CONTRIBUTORS.md
    -rw-r--r--   1 root root  33K Apr 30 12:27 crs-setup.conf
    -rw-rw-r--   1 root root  33K Nov 12 03:26 crs-setup.conf.example
    drwxrwxr-x   3 root root 4.0K Nov 12 03:26 documentation
    drwxrwxr-x   2 root root 4.0K Nov 12 03:26 .github
    -rw-rw-r--   1 root root  374 Nov 12 03:26 .gitignore
    -rw-rw-r--   1 root root  176 Nov 12 03:26 .gitmodules
    -rw-rw-r--   1 root root  17K Nov 12 03:26 INSTALL
    -rw-rw-r--   1 root root 2.8K Nov 12 03:26 KNOWN_BUGS
    -rw-rw-r--   1 root root  12K Nov 12 03:26 LICENSE
    -rw-rw-r--   1 root root 2.4K Nov 12 03:26 README.md
    drwxrwxr-x   2 root root 4.0K Nov 12 03:26 rules
    -rw-rw-r--   1 root root 1.1K Nov 12 03:26 .travis.yml
    drwxrwxr-x  13 root root 4.0K Nov 12 03:26 util
    




    123.09beta01 branch
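
Added example, not part of the original post or of Centmin Mod's own code: a read-only shell audit of the wiring the post above describes, including whether SecRuleEngine is actually On rather than the DetectionOnly setting that modsecurity.conf-recommended ships with. The ROOT prefix argument, the conf.d/virtual.conf location and the constructed sample tree are assumptions of this example.

```shell
# Added example, not Centmin Mod code: read-only audit of the ModSecurity v3
# wiring shown in this thread. The ROOT prefix and the conf.d/virtual.conf
# location are assumptions of this example; other paths come from the post.
audit_modsec() {  # audit_modsec [ROOT]; returns the number of failed checks
  local root="${1:-}" fails=0
  local ngx="$root/usr/local/nginx"
  check() {  # check DESCRIPTION COMMAND...
    local desc="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "PASS  $desc"
    else echo "FAIL  $desc"; fails=$((fails + 1)); fi
  }
  check "NGINX_MODSECURITY='y' in custom_config.inc" grep -Eq \
    "^[[:space:]]*NGINX_MODSECURITY=['\"]?y['\"]?" "$root/etc/centminmod/custom_config.inc"
  check "load_module line for the connector" grep -Eq \
    '^[[:space:]]*load_module[[:space:]]+"?modules/ngx_http_modsecurity_module\.so"?;' \
    "$ngx/conf/dynamic-modules.conf"
  check "connector .so installed" test -s "$ngx/modules/ngx_http_modsecurity_module.so"
  check "vhost has 'modsecurity on;'" grep -Eq \
    '^[[:space:]]*modsecurity[[:space:]]+on;' "$ngx/conf/conf.d/virtual.conf"
  check "vhost loads modsec/main.conf" grep -Eq \
    '^[[:space:]]*modsecurity_rules_file[[:space:]]+.*/modsec/main\.conf;' \
    "$ngx/conf/conf.d/virtual.conf"
  check "main.conf includes modsecurity.conf" grep -Eq \
    '^[[:space:]]*Include[[:space:]]+"?.*/modsec/modsecurity\.conf"?' "$ngx/modsec/main.conf"
  # modsecurity.conf-recommended ships DetectionOnly: it logs but never blocks
  check "SecRuleEngine is On (not DetectionOnly)" grep -Eiq \
    '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$ngx/modsec/modsecurity.conf"
  return "$fails"
}

# Constructed sample tree (not a real server) so the audit runs offline.
make_sample_tree() {  # make_sample_tree DIR ENGINE_MODE
  local d="$1" n="$1/usr/local/nginx"
  mkdir -p "$d/etc/centminmod" "$n/conf/conf.d" "$n/modules" "$n/modsec"
  echo "NGINX_MODSECURITY='y'" > "$d/etc/centminmod/custom_config.inc"
  echo 'load_module "modules/ngx_http_modsecurity_module.so";' > "$n/conf/dynamic-modules.conf"
  echo placeholder > "$n/modules/ngx_http_modsecurity_module.so"
  printf '    modsecurity on;\n    modsecurity_rules_file %s;\n' \
    /usr/local/nginx/modsec/main.conf > "$n/conf/conf.d/virtual.conf"
  echo 'Include "/usr/local/nginx/modsec/modsecurity.conf"' > "$n/modsec/main.conf"
  echo "SecRuleEngine $2" > "$n/modsec/modsecurity.conf"
}

demo=$(mktemp -d)
make_sample_tree "$demo" DetectionOnly
audit_modsec "$demo" || echo "$? check(s) failed"
rm -rf "$demo"
```

On a server, calling `audit_modsec` with no argument checks the live paths; the exit status is the number of failed checks.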
     
  2. eva2000

    FYI, now that the above bug has been fixed, you can re-enable libmaxminddb library support via the NGINX_MODSECURITY_MAXMIND='y' default setting for modsecurity v3 nginx connector module compilations (the latest Centmin Mod 123.09beta01 update has this) when NGINX_MODSECURITY='y' is set in persistent config file /etc/centminmod/custom_config.inc prior to centmin.sh menu option 4 nginx recompiles.
     