Beta Branch update prep for ModSecurity v3.0

Discussion in 'Centmin Mod Github Commits' started by eva2000, Aug 5, 2017.

  1. EckyBrazzz

    Code:
     Do you want to update your local Centmin Mod Git code ? [y/n]: y
    
    Updating Current Centmin Mod code branch via git
     cd /usr/local/src/centminmod
     git stash
     git pull
     chmod +x centmin.sh
    No local changes to save
    Updating 56a7a13..eb6d40c
    Fast-forward
     inc/mod_security.inc | 25 +++++++++++++++++--------
     1 file changed, 17 insertions(+), 8 deletions(-)
    
    ##################### IMPORTANT #####################
     To complete update
    ##################### IMPORTANT #####################
     run:
    
      cd /usr/local/src/centminmod
    
     before invoking centmin.sh again
    ##################### IMPORTANT #####################
    
    [11:11][[email protected] ~]# centmin
    /usr/local/src/centminmod ~
    Hmmmm, updated.... Confusing when working both at the same time haha.
     
  2. eva2000

    made 1 more update to modsecurity routine, so 1 more cmupdate run ;)

    from nginx_upgrade.log config check output during modsecurity install
    Code (Text):
    ModSecurity -  for Linux
    
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....5d85f36
    
     Optional dependencies
       + GeoIP/MaxMind                                 ....found 
          * (GeoIP) v1.6.12
             -lGeoIP  , -I/usr/include/ 
       + LibCURL                                       ....found v7.64.1 
          -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
          -lyajl  , -DWITH_YAJL 
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.9
          -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found 
          -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
          -lluajit-5.1 -L/usr/local/lib/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
    
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
    
     
  3. EckyBrazzz

    Well, part one is done.

    Set
    Code:
    NGINX_MODSECURITY='y'           # https://community.centminmod.com/threads/update-prep-for-modsecurity-v3-0.12453/
    But still missing in /usr/local/nginx/conf/dynamic-modules.conf
    Code (Text):
    # place custom load_module lines in this dynamic-modules-includes.conf
    # file so that they persistent i.e. for manually dropped in dynamic modules
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    load_module "modules/ngx_http_image_filter_module.so";
    load_module "modules/ngx_http_headers_more_filter_module.so";
    load_module "modules/ndk_http_module.so";
    load_module "modules/ngx_http_set_misc_module.so";
    load_module "modules/ngx_http_echo_module.so";
    load_module "modules/ngx_http_fancyindex_module.so";
    load_module "modules/ngx_pagespeed.so";
    load_module "modules/ngx_http_brotli_filter_module.so";
    load_module "modules/ngx_http_brotli_static_module.so";
    load_module "modules/ngx_http_geoip2_module.so";
    

    Although don't understand why
    Code:
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    is again in the /usr/local/nginx/conf/dynamic-modules.conf, but could be my wrong understanding of nginx.

    Some output:

    Code:
    [11:26][[email protected] ~]# cmupdate
    No local changes to save
    Already up-to-date.
    [11:26][[email protected] ~]# nano /usr/local/nginx/conf/dynamic-modules.conf
    [11:31][[email protected] ~]# nano /usr/local/nginx/conf/dynamic-modules.conf
    [11:35][[email protected] ~]# ls -lah /usr/local/nginx/modules | grep -v .old
    total 39M
    drwxr-xr-x.  2 root root 4.0K Apr 30 11:20 .
    drwxr-xr-x. 13 root root  205 Apr 30 09:11 ..
    -rwxr-xr-x   1 root root  99K Apr 30 11:20 ndk_http_module.so
    -rwxr-xr-x   1 root root  92K Apr 30 11:20 ngx_http_brotli_filter_module.so
    -rwxr-xr-x   1 root root  86K Apr 30 11:20 ngx_http_brotli_static_module.so
    -rwxr-xr-x   1 root root 527K Apr 30 11:20 ngx_http_echo_module.so
    -rwxr-xr-x   1 root root 105K Apr 30 11:20 ngx_http_fancyindex_module.so
    -rwxr-xr-x   1 root root  94K Apr 30 11:20 ngx_http_geoip2_module.so
    -rwxr-xr-x   1 root root 217K Apr 30 11:20 ngx_http_headers_more_filter_module.so
    -rwxr-xr-x   1 root root 103K Apr 30 11:20 ngx_http_image_filter_module.so
    -rwxr-xr-x   1 root root 634K Apr 30 11:20 ngx_http_set_misc_module.so
    -rwxr-xr-x   1 root root  18M Apr 30 11:20 ngx_pagespeed.so
    -rwxr-xr-x   1 root root  71K Apr 30 11:20 ngx_stream_geoip2_module.so
    [11:35][[email protected] ~]# nano /usr/local/nginx/modsec/main.conf
    [11:36][[email protected] ~]# ls -lah /usr/local/nginx/modsec
    total 68K
    drwxr-xr-x   2 root root  70 Apr 30 09:11 .
    drwxr-xr-x. 13 root root 205 Apr 30 09:11 ..
    -rw-r--r--   1 root root 327 Apr 30 09:11 main.conf
    -rw-r--r--   1 root root 10K Apr 30 09:11 modsecurity.conf
    -rw-r--r--   1 root root 52K Apr 30 09:11 unicode.mapping
    [11:37][[email protected] ~]# 
     
  4. eva2000

    Those are 2 different files if you check their names closely. One is inside the other so that you can edit the inner include file to manually load a dynamic module that you have already compiled, i.e. on a staging/build server, and just drop it into your live centmin mod nginx servers :) So live may need a dynamic nginx module but you don't want to compile it on the live server. You can set up an identical cpu model based staging test server with centmin mod, build nginx with the dynamic module, just copy the *.so module over and set up the load module line manually in the inner include file, which persists on centmin mod nginx recompiles.

    So the file /usr/local/nginx/conf/dynamic-modules.conf, which is included in /usr/local/nginx/conf/nginx.conf, has contents including an inner include file = /usr/local/nginx/conf/dynamic-modules-includes.conf. In this inner include file /usr/local/nginx/conf/dynamic-modules-includes.conf you can manually set up your own load_module lines to load your own *.so, which will not get overwritten by centmin.sh menu option 4 nginx recompiles :)
    Code (Text):
    # place custom load_module lines in this dynamic-modules-includes.conf
    # file so that they persistent i.e. for manually dropped in dynamic modules
    include /usr/local/nginx/conf/dynamic-modules-includes.conf;
    load_module "modules/ngx_http_image_filter_module.so";
    load_module "modules/ngx_http_headers_more_filter_module.so";
    load_module "modules/ndk_http_module.so";
    load_module "modules/ngx_http_set_misc_module.so";
    load_module "modules/ngx_http_echo_module.so";
    load_module "modules/ngx_http_fancyindex_module.so";
    load_module "modules/ngx_pagespeed.so";
    load_module "modules/ngx_http_brotli_filter_module.so";
    load_module "modules/ngx_http_brotli_static_module.so";
    load_module "modules/ngx_http_geoip2_module.so";
    


    What are the contents of your persistent config file at /etc/centminmod/custom_config.inc ? Maybe you have some variable conflict which is disabling NGINX_MODSECURITY='y'

    output from command
    Code (Text):
    cat /etc/centminmod/custom_config.inc
     
  5. EckyBrazzz

    Code:
    Your post in the thread update prep for ModSecurity v3.0 was edited. Reason: i removed your log as it showed other domains vhosts at end of routines
    Just wanted to delete the post.... Thanks, you're quick.
     
  6. EckyBrazzz

    Yup, still no go area...
    So here is my /etc/centminmod/custom_config.inc
    Code (Text):
    MARCH_TARGETNATIVE='n'
    
    #------nginx
    NGINX_DYNAMICTLS='y'
    NGINX_HPACK='y'
    NGINX_LIBBROTLI='y'
    NGXDYNAMIC_BROTLI='y'
    NGINX_MODSECURITY='y'           # https://community.centminmod.com/threads/update-prep-for-modsecurity-v3-0.12453/
    
    AUTOTUNE_CLIENTMAXBODY='y'      # auto tune client_max_body_size option in nginx.conf
    
    NGINX_GEOIPTWOLITE='y'
    NGXDYNAMIC_GEOIPTWOLITE='y'
    
    #------nginx pagespeed
    NGINX_PAGESPEED='y'
    NGINX_PAGESPEEDGITMASTER='n'
    NGXDYNAMIC_NGXPAGESPEED='y'
    
    #------mariadb
    
    #------php
    PHP_PGO='y'
    STRIPPHP='y'                    # set 'y' to strip PHP binary to reduce size
    PHP_INSTALL='y'                 # Install PHP /w Fast Process Manager
    PHP_MEMCACHE='y'                # memcache PHP extension
    PHP_PATCH='y'                   # Apply PHP patches if they exist
    PHPIONCUBE='y'                  #
    MEMCACHED_INSTALL='y'           # Install Memcached
    PHPREDIS='n'                    # redis PHP extension install
    
    
    #------Open SSL
    DISABLE_TLSONEZERO_PROTOCOL='y' # disable TLS 1.0 protocol by default industry is moving to deprecate for security
    NOSOURCEOPENSSL='n'             # set to 'y' to disable OpenSSL source compile for system default YUM package setup
    OPENSSL_TLSONETHREE='y'         # whether OpenSSL 1.1.1 builds enable TLSv1.3
    
    LETSENCRYPT_DETECT='y'
    
    #-----GCC Compilers
    GCCINTEL_PHP='y'                # enable PHP-FPM GCC compiler with Intel cpu optimizations
    DEVTOOLSET_PHP='y'              # use devtoolset GCC for GCCINTEL_PHP='y'
    
     
  7. eva2000

    Strange, it should have modsecurity installed, as nothing in the persistent config file seems like it would cause conflicts.

    you are running cmupdate BEFORE centmin.sh menu option 4 right ?
     
  8. eva2000

    at end of centmin.sh menu option 4 recompile of nginx you should get a list of logs and one is the nginx_upgrade.log i.e.
    Code (Text):
    log files saved at /root/centminlogs
    -rw-r--r--  1 root root  576 Apr 30 12:09 patch_opensslpatches_300419-120902.log
    -rw-r--r--  1 root root   43 Apr 30 12:09 centminmod_opensslinstalltime_300419-120902.log
    -rw-r--r--  1 root root 2.5K Apr 30 12:10 patch_patchnginx_300419-120902.log
    -rw-r--r--  1 root root 9.2K Apr 30 12:10 nginx-configure-300419-120902.log
    -rw-r--r--  1 root root  31K Apr 30 12:11 nginx_autoconf.err.300419-120902.log
    -rw-r--r--  1 root root 2.2M Apr 30 12:11 centminmod_123.09beta01.b143_300419-120902_nginx_upgrade.log
    

    located at /root/centminlogs/centminmod_123.09beta01.b143_300419-120902_nginx_upgrade.log - you can post the contents again like before via gist.github.com or pastebin.com, but can remove your site nginx vhost names from the end of the log.
     
  9. eva2000

    also post output for nginx-configure-300419-120902.log log with your own timestamp i.e.
    Code (Text):
    cat /root/centminlogs/nginx-configure-300419-120902.log
    ./configure --with-ld-opt="-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib" --with-cc-opt="-I/usr/local/zlib-cf/include -I/usr/local/include -m64 -march=native -DTCP_FASTOPEN=23 -g -O3 -Wno-error=strict-aliasing -fstack-protector-strong -flto -fuse-ld=gold --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wimplicit-fallthrough=0 -fcode-hoisting -Wno-cast-function-type -Wno-format-extra-args -Wp,-D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations" --sbin-path=/usr/local/sbin/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --build=300419-121011-centos7 --with-compat --with-http_stub_status_module --with-http_secure_link_module --add-dynamic-module=../nginx-module-vts --with-libatomic --with-http_gzip_static_module --add-dynamic-module=../ngx_brotli --add-dynamic-module=../incubator-pagespeed-ngx-1.13.35.2-stable --with-http_sub_module --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_geoip_module --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_preread_module --with-threads --with-stream --with-stream_ssl_module --with-http_realip_module --add-dynamic-module=../ngx-fancyindex-0.4.2 --add-module=../ngx_cache_purge-2.5 --add-dynamic-module=../ngx_devel_kit-0.3.0 --add-dynamic-module=../set-misc-nginx-module-0.32 --add-dynamic-module=../echo-nginx-module-0.61 --add-module=../redis2-nginx-module-0.15 --add-module=../ngx_http_redis-0.3.7 --add-module=../memc-nginx-module-0.18 --add-module=../srcache-nginx-module-0.31 --add-dynamic-module=../headers-more-nginx-module-0.33 --with-pcre-jit --with-zlib=../zlib-cloudflare-1.3.0 --with-http_ssl_module --with-http_v2_module --with-openssl=../openssl-1.1.1b --with-openssl-opt="enable-ec_nistp_64_gcc_128 enable-tls1_3" --add-dynamic-module=../ModSecurity-nginx
    checking for OS
     + Linux 3.10.0-957.12.1.el7.x86_64 x86_64
    checking for C compiler ... found
     + using GNU C compiler
     + gcc version: 9.1.0 20190426 (prerelease) (GCC)
    checking for gcc -pipe switch ... found
    checking for --with-ld-opt="-Wl,-E -L/usr/local/zlib-cf/lib -L/usr/local/lib -ljemalloc -Wl,-z,relro -Wl,-rpath,/usr/local/zlib-cf/lib:/usr/local/lib" ... found
    checking for -Wl,-E switch ... found
    checking for gcc builtin atomic operations ... found
    checking for C99 variadic macros ... found
    checking for gcc variadic macros ... found
    checking for gcc builtin 64 bit byteswap ... found
    checking for unistd.h ... found
    checking for inttypes.h ... found
    checking for limits.h ... found
    checking for sys/filio.h ... not found
    checking for sys/param.h ... found
    checking for sys/mount.h ... found
    checking for sys/statvfs.h ... found
    checking for crypt.h ... found
    checking for Linux specific features
    checking for epoll ... found
    checking for EPOLLRDHUP ... found
    checking for EPOLLEXCLUSIVE ... not found
    checking for O_PATH ... found
    checking for sendfile() ... found
    checking for sendfile64() ... found
    checking for sys/prctl.h ... found
    checking for prctl(PR_SET_DUMPABLE) ... found
    checking for prctl(PR_SET_KEEPCAPS) ... found
    checking for capabilities ... found
    checking for crypt_r() ... found
    checking for sys/vfs.h ... found
    checking for nobody group ... found
    checking for poll() ... found
    checking for /dev/poll ... not found
    checking for kqueue ... not found
    checking for crypt() ... not found
    checking for crypt() in libcrypt ... found
    checking for F_READAHEAD ... not found
    checking for posix_fadvise() ... found
    checking for O_DIRECT ... found
    checking for F_NOCACHE ... not found
    checking for directio() ... not found
    checking for statfs() ... found
    checking for statvfs() ... found
    checking for dlopen() ... not found
    checking for dlopen() in libdl ... found
    checking for sched_yield() ... found
    checking for sched_setaffinity() ... found
    checking for SO_SETFIB ... not found
    checking for SO_REUSEPORT ... found
    checking for SO_ACCEPTFILTER ... not found
    checking for SO_BINDANY ... not found
    checking for IP_TRANSPARENT ... found
    checking for IP_BINDANY ... not found
    checking for IP_BIND_ADDRESS_NO_PORT ... not found
    checking for IP_RECVDSTADDR ... not found
    checking for IP_SENDSRCADDR ... not found
    checking for IP_PKTINFO ... found
    checking for IPV6_RECVPKTINFO ... found
    checking for TCP_DEFER_ACCEPT ... found
    checking for TCP_KEEPIDLE ... found
    checking for TCP_FASTOPEN ... found
    checking for TCP_INFO ... found
    checking for accept4() ... found
    checking for eventfd() ... found
    checking for int size ... 4 bytes
    checking for long size ... 8 bytes
    checking for long long size ... 8 bytes
    checking for void * size ... 8 bytes
    checking for uint32_t ... found
    checking for uint64_t ... found
    checking for sig_atomic_t ... found
    checking for sig_atomic_t size ... 4 bytes
    checking for socklen_t ... found
    checking for in_addr_t ... found
    checking for in_port_t ... found
    checking for rlim_t ... found
    checking for uintptr_t ... uintptr_t found
    checking for system byte ordering ... little endian
    checking for size_t size ... 8 bytes
    checking for off_t size ... 8 bytes
    checking for time_t size ... 8 bytes
    checking for AF_INET6 ... found
    checking for setproctitle() ... not found
    checking for pread() ... found
    checking for pwrite() ... found
    checking for pwritev() ... found
    checking for sys_nerr ... found
    checking for localtime_r() ... found
    checking for clock_gettime(CLOCK_MONOTONIC) ... found
    checking for posix_memalign() ... found
    checking for memalign() ... found
    checking for mmap(MAP_ANON|MAP_SHARED) ... found
    checking for mmap("/dev/zero", MAP_SHARED) ... found
    checking for System V shared memory ... found
    checking for POSIX semaphores ... not found
    checking for POSIX semaphores in libpthread ... found
    checking for struct msghdr.msg_control ... found
    checking for ioctl(FIONBIO) ... found
    checking for struct tm.tm_gmtoff ... found
    checking for struct dirent.d_namlen ... not found
    checking for struct dirent.d_type ... found
    checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
    checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
    checking for openat(), fstatat() ... found
    checking for getaddrinfo() ... found
    configuring additional modules
    adding module in ../ngx_cache_purge-2.5
     + ngx_http_cache_purge_module was configured
    adding module in ../redis2-nginx-module-0.15
     + ngx_http_redis2_module was configured
    adding module in ../ngx_http_redis-0.3.7
     + ngx_http_redis_module was configured
    adding module in ../memc-nginx-module-0.18
     + ngx_http_memc_module was configured
    adding module in ../srcache-nginx-module-0.31
     + ngx_http_srcache_filter_module was configured
    configuring additional dynamic modules
    adding module in ../nginx-module-vts
     + ngx_http_vhost_traffic_status_module was configured
    adding module in ../ngx_brotli
     + ngx_brotli was configured
    adding module in ../incubator-pagespeed-ngx-1.13.35.2-stable
    mod_pagespeed_dir=../incubator-pagespeed-ngx-1.13.35.2-stable/psol/include
    build_from_source=false
    checking for psol ... found
    List of modules (in reverse order of applicability):  ngx_http_write_filter_module ngx_http_header_filter_module ngx_http_chunked_filter_module ngx_http_v2_filter_module ngx_http_range_header_filter_module ngx_http_gzip_filter_module ngx_http_postpone_filter_module ngx_http_ssi_filter_module ngx_http_charset_filter_module ngx_http_sub_filter_module ngx_http_addition_filter_module ngx_http_userid_filter_module ngx_http_headers_filter_module
    checking for psol-compiler-compat ... found
     + ngx_pagespeed was configured
    adding module in ../ngx-fancyindex-0.4.2
     + ngx_http_fancyindex_module was configured
    adding module in ../ngx_devel_kit-0.3.0
     + ngx_devel_kit was configured
    adding module in ../set-misc-nginx-module-0.32
    found ngx_devel_kit for ngx_set_misc; looks good.
     + ngx_http_set_misc_module was configured
    adding module in ../echo-nginx-module-0.61
     + ngx_http_echo_module was configured
    adding module in ../headers-more-nginx-module-0.33
     + ngx_http_headers_more_filter_module was configured
    adding module in ../ModSecurity-nginx
    checking for ModSecurity library ... not found
    checking for ModSecurity library in /usr/local/modsecurity ... found
     + ngx_http_modsecurity_module was configured
    checking for PCRE library ... found
    checking for PCRE JIT support ... found
    checking for GD library ... found
    checking for GD WebP support ... not found
    checking for GeoIP library ... found
    checking for GeoIP IPv6 support ... found
    checking for atomic_ops library ... found
    creating objs/Makefile
    
    Configuration summary
      + using threads
      + using system PCRE library
      + using OpenSSL library: ../openssl-1.1.1b
      + using zlib library: ../zlib-cloudflare-1.3.0
      + using system libatomic_ops library
    
      nginx path prefix: "/usr/local/nginx"
      nginx binary file: "/usr/local/sbin/nginx"
      nginx modules path: "/usr/local/nginx/modules"
      nginx configuration prefix: "/usr/local/nginx/conf"
      nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
      nginx pid file: "/usr/local/nginx/logs/nginx.pid"
      nginx error log file: "/usr/local/nginx/logs/error.log"
      nginx http access log file: "/usr/local/nginx/logs/access.log"
      nginx http client request body temporary files: "client_body_temp"
      nginx http proxy temporary files: "proxy_temp"
      nginx http fastcgi temporary files: "fastcgi_temp"
      nginx http uwsgi temporary files: "uwsgi_temp"
      nginx http scgi temporary files: "scgi_temp"
    
     
  11. EckyBrazzz

    Always, unless it took a while before making changes because I have a cron running every 4 hours.

    Now I did it, but nothing important for me, and gonna compile nginx again, post it on git, delete the Vhosts :)
    Code:
    cmupdate
    No local changes to save
    remote: Enumerating objects: 12, done.
    remote: Counting objects: 100% (12/12), done.
    remote: Compressing objects: 100% (4/4), done.
    remote: Total 8 (delta 6), reused 6 (delta 4), pack-reused 0
    Unpacking objects: 100% (8/8), done.
    From https://github.com/centminmod/centminmod
       be2d841..6f4fb67  123.09beta01 -> origin/123.09beta01
    Updating be2d841..6f4fb67
    Fast-forward
     centmin.sh        | 4 ++--
     inc/csftweaks.inc | 2 +-
     2 files changed, 3 insertions(+), 3 deletions(-)
    Just a small note, don't know if it's important.
    Code:
    Submodule path 'test/test-cases/secrules-language-tests': checked out '5d85f3655aa31cb873a0bbdc160d63f2b5e9179a'
    libtoolize: putting auxiliary files in `.'.
    libtoolize: copying file `./ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
    libtoolize: copying file `build/libtool.m4'
    libtoolize: copying file `build/ltoptions.m4'
    libtoolize: copying file `build/ltsugar.m4'
    libtoolize: copying file `build/ltversion.m4'
    libtoolize: copying file `build/lt~obsolete.m4'
    fatal: No names found, cannot describe anything.
    fatal: No names found, cannot describe anything.
    fatal: No names found, cannot describe anything.
    fatal: No names found, cannot describe anything.
    fatal: No names found, cannot describe anything.
    fatal: No names found, cannot describe anything.
    configure.ac:50: installing './ar-lib'

    Link: CMM NGINX

    Old one deleted, posted it privately, same as this one that won't live long there on GitHub.

    Latest nginx-configure-310319-232603.log rather old and there is no other available.

    Cloudflare again on forum (red popup)
    Code:
    The following error occurred:
    400 Bad Request
    cloudflare
    
     
  12. eva2000

    hmm thanks for heads up

    that's fine

    ah i see modsecurity in your nginx_upgrade log now it's erroring out at
    Code (Text):
    linux/8/crtendS.o /lib/../lib64/crtn.o  -O2   -pthread -Wl,-soname -Wl,libmodsecurity.so.3 -o .libs/libmodsecurity.so.3.0.3
    /opt/rh/devtoolset-8/root/usr/libexec/gcc/x86_64-redhat-linux/8/ld: cannot find -llibmaxminddb
    collect2: error: ld returned 1 exit status
    make[3]: *** [libmodsecurity.la] Error 1
    make[3]: Leaving directory `/svr-setup/ModSecurity/src'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/svr-setup/ModSecurity/src'
    make[1]: *** [all] Error 2
    make[1]: Leaving directory `/svr-setup/ModSecurity/src'
    make: *** [all-recursive] Error 1
    Making install in others
    make[1]: Entering directory `/svr-setup/ModSecurity/others'
    make[2]: Entering directory `/svr-setup/ModSecurity/others'
    make[2]: Nothing to be done for `install-exec-am'.
    make[2]: Nothing to be done for `install-data-am'.
    make[2]: Leaving directory `/svr-setup/ModSecurity/others'
    make[1]: Leaving directory `/svr-setup/ModSecurity/others'
    Making install in src
    make[1]: Entering directory `/svr-setup/ModSecurity/src'
    make[2]: Entering directory `/svr-setup/ModSecurity/src'
    

    and
    Code (Text):
    /opt/rh/devtoolset-8/root/usr/libexec/gcc/x86_64-redhat-linux/8/ld: cannot find -llibmaxminddb
    collect2: error: ld returned 1 exit status
    make[2]: *** [libmodsecurity.la] Error 1
    make[2]: Leaving directory `/svr-setup/ModSecurity/src'
    make[1]: *** [install-recursive] Error 1
    make[1]: Leaving directory `/svr-setup/ModSecurity/src'
    make: *** [install-recursive] Error 1
    /svr-setup/nginx-1.15.12 ~
    MODSEC_OPT =
    


    looks like it needs libmaxminddb, which it seems worked for me as I have Nginx GeoIP2 module enabled and that installs libmaxminddb as part of the process.

    but you have it enabled too
    Code (Text):
    NGINX_GEOIPTWOLITE='y'
    NGXDYNAMIC_GEOIPTWOLITE='y'
    


    but looking at your nginx_upgrade.log log i see it picked up both GeoIP 2 and GeoIP legacy and is trying to find GeoIP 2 it seems

    Code (Text):
    ModSecurity -  for Linux
    
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....5d85f36
    
     Optional dependencies
       + GeoIP/MaxMind                                 ....found
         * (MaxMind) v
            /usr/local/lib//libmaxminddb.so, /usr/local/include, -DWITH_MAXMIND -I/usr/local/include
         * (GeoIP) v1.5.0
            -lGeoIP  , -I/usr/include/ 
       + LibCURL                                       ....found v7.29.0
         -lcurl  ,  -DWITH_CURL
       + YAJL                                          ....found v2.0.4
         -lyajl  , -DWITH_YAJL 
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.1
         -lxml2 -lz -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found
         -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
         -llua-5.1 -L/usr/lib64/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
    
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
    


    so will need to work on a fix, so for now you'll have to disable modsecurity and I'll update this thread once I have a fix updated
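
A check for the state this thread ends up in, where NGINX_MODSECURITY='y' is set but the WAF module was never built or loaded. This is an added example, not part of the original posts and not Centmin Mod's own code. The function names are hypothetical, the module file name ngx_http_modsecurity_module.so is assumed from the configure log's module name, and the sample files are constructed from the excerpts quoted above. It also follows the inner include file described earlier in the thread.

```bash
#!/usr/bin/env bash
# Added example (not Centmin Mod code). Sample files are constructed from the
# excerpts quoted in this thread; real paths are passed in as arguments.

# Library names the linker could not resolve, one per line, de-duplicated.
missing_libs() {
  sed -n 's/.*ld: cannot find -l\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# ld expands -lNAME to libNAME.so (or libNAME.a), so a name that already starts
# with "lib" means the flag was built from a file name, not a bare library name.
ld_search_name() {
  printf 'lib%s.so\n' "$1"
}

# Every module named by a load_module line in the given file and in the files
# it pulls in through one level of "include" (the inner include file).
loaded_modules() {
  local conf="$1" inc
  {
    cat "$conf"
    sed -n 's/^[[:space:]]*include[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" |
      while IFS= read -r inc; do
        if [ -f "$inc" ]; then cat "$inc"; fi
      done
  } | sed -n 's/^[[:space:]]*load_module[[:space:]]*"*modules\/\([^";]*\)"*;.*/\1/p'
}

# Compare intent (persistent config), nginx config and the modules directory.
waf_state() {
  local cfg="$1" modconf="$2" moddir="$3"
  local so=ngx_http_modsecurity_module.so   # assumed file name (see lead-in)
  local wanted=no loaded=no built=no
  if grep -Eq "^[[:space:]]*NGINX_MODSECURITY=['\"]?y" "$cfg"; then wanted=yes; fi
  if loaded_modules "$modconf" | grep -qxF "$so"; then loaded=yes; fi
  if [ -f "$moddir/$so" ]; then built=yes; fi
  echo "wanted=$wanted loaded=$loaded built=$built"
}

# Constructed sample tree mirroring the state described in the thread.
make_sample() {
  local d
  d=$(mktemp -d)
  mkdir "$d/modules"
  touch "$d/modules/ngx_http_geoip2_module.so"
  printf "NGINX_MODSECURITY='y'\nNGINX_GEOIPTWOLITE='y'\n" > "$d/custom_config.inc"
  : > "$d/dynamic-modules-includes.conf"
  cat > "$d/dynamic-modules.conf" <<EOF
# place custom load_module lines in the inner include file
include $d/dynamic-modules-includes.conf;
load_module "modules/ngx_http_geoip2_module.so";
EOF
  cat > "$d/nginx_upgrade.log" <<'EOF'
/opt/rh/devtoolset-8/root/usr/libexec/gcc/x86_64-redhat-linux/8/ld: cannot find -llibmaxminddb
collect2: error: ld returned 1 exit status
make[3]: *** [libmodsecurity.la] Error 1
/opt/rh/devtoolset-8/root/usr/libexec/gcc/x86_64-redhat-linux/8/ld: cannot find -llibmaxminddb
make: *** [install-recursive] Error 1
EOF
  echo "$d"
}

d=$(make_sample)
for lib in $(missing_libs "$d/nginx_upgrade.log"); do
  echo "linker failed on -l$lib (searched for $(ld_search_name "$lib"))"
done
waf_state "$d/custom_config.inc" "$d/dynamic-modules.conf" "$d/modules"
rm -rf "$d"
```

On a real server the three arguments to waf_state would be /etc/centminmod/custom_config.inc, /usr/local/nginx/conf/dynamic-modules.conf and /usr/local/nginx/modules, the paths shown in the posts above.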
     
  13. EckyBrazzz

    Ok, great. Gonna put this one into the freezer for a while... Back up the server and move to my next issue.

    Get rid of PureFtpd and only SFTP

    GeoIP with Matomo (latest beta) and it works EXCELLENT. Never going back to Google Analytics. Thinking about sharing a tryout for other members of CMM to see if it fits their needs before giving it a try on their own server(s). (with request on a private conversation)
    I only use GeoIP 2, the other one, GeoIP, is a no go. Don't really need it.
     
    • Like Like x 1
  14. eva2000

    Yeah modsecurity isn't finding the library/header paths for maxmind - it should from SpiderLabs/ModSecurity. So needs investigating.
     
  15. eva2000

    For now one workaround is to disable libmaxmind in favour of legacy geoip header/library for modsecurity build
    Code (Text):
    ModSecurity -  for Linux
    
     Mandatory dependencies
       + libInjection                                  ....v3.9.2-30-gbf234eb
       + SecLang tests                                 ....5d85f36
    
     Optional dependencies
       + GeoIP/MaxMind                                 ....found 
          * (GeoIP) v1.6.12
             -lGeoIP  , -I/usr/include/ 
       + LibCURL                                       ....found v7.64.1 
          -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
       + YAJL                                          ....found v2.0.4
          -lyajl  , -DWITH_YAJL 
       + LMDB                                          ....disabled
       + LibXML2                                       ....found v2.9.9
          -lxml2 -lz -llzma -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
       + SSDEEP                                        ....found 
          -lfuzzy -L/usr/lib64/, -DWITH_SSDEEP -I/usr/include
       + LUA                                           ....found v501
          -lluajit-5.1 -L/usr/local/lib/, -DWITH_LUA -DWITH_LUA_5_1 -I/usr/include
    
     Other Options
       + Test Utilities                                ....enabled
       + SecDebugLog                                   ....enabled
       + afl fuzzer                                    ....disabled
       + library examples                              ....enabled
       + Building parser                               ....disabled
       + Treating pm operations as critical section    ....disabled
    

    Code (Text):
    cat config.log  | grep -i geoip
    configure:4938: Nothing about GeoIP was informed during the configure phase. Trying to detect it on the platform...
    configure:5192: Nothing about GeoIP was informed during the configure phase. Trying to detect it on the platform...
    configure:5356: using GeoIP v1.6.12
    GEOIP_CFLAGS='-DWITH_GEOIP -I/usr/include/  '
    GEOIP_CFLAGS_FALSE='#'
    GEOIP_CFLAGS_TRUE=''
    GEOIP_DISPLAY='-lGeoIP  , -I/usr/include/  '
    GEOIP_FOUND='1'
    GEOIP_LDADD='-lGeoIP  '
    GEOIP_LDFLAGS=' '
    GEOIP_LIBS=''
    GEOIP_VERSION='1.6.12'
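
Added example (not part of the thread and not Centmin Mod's own code): a small shell check that classifies the GeoIP section of the ModSecurity configure summary quoted in the posts above, so the state where both backends are detected can be told apart from the legacy-only workaround state. The function names and state labels are assumptions made for this example; the sample lines are trimmed from the two summaries quoted in the thread.

```shell
#!/bin/sh
# Added example: classify the GeoIP section of a ModSecurity v3 configure summary.
# Reads the summary text on stdin and prints: "<state> maxmind=<ver> geoip=<ver>"
#   state   : both | maxmind-only | legacy-only | none   (labels are this example's own)
#   version : "-" if the backend is not listed, "unknown" if listed with an empty version
geoip_summary_state() {
    awk '
        # Backend lines look like "* (MaxMind) v" or "* (GeoIP) v1.5.0"
        /\* \(MaxMind\) v/ { mm = 1; mmv = $NF; sub(/^v/, "", mmv) }
        /\* \(GeoIP\) v/   { gi = 1; giv = $NF; sub(/^v/, "", giv) }
        END {
            if (mm && gi) state = "both"
            else if (mm)  state = "maxmind-only"
            else if (gi)  state = "legacy-only"
            else          state = "none"
            if (!mm) mmv = "-"
            else if (mmv == "") mmv = "unknown"
            if (!gi) giv = "-"
            else if (giv == "") giv = "unknown"
            printf "%s maxmind=%s geoip=%s\n", state, mmv, giv
        }'
}

# Sample input trimmed from the summary where both backends were picked up.
sample_both() {
    printf '%s\n' \
        '   + GeoIP/MaxMind                                 ....found' \
        '     * (MaxMind) v' \
        '        /usr/local/lib//libmaxminddb.so, /usr/local/include, -DWITH_MAXMIND -I/usr/local/include' \
        '     * (GeoIP) v1.5.0' \
        '        -lGeoIP  , -I/usr/include/ '
}

# Sample input trimmed from the summary after the legacy-only workaround.
sample_legacy() {
    printf '%s\n' \
        '   + GeoIP/MaxMind                                 ....found ' \
        '      * (GeoIP) v1.6.12' \
        '         -lGeoIP  , -I/usr/include/ '
}

sample_both   | geoip_summary_state
sample_legacy | geoip_summary_state
```

To check a real build, pipe the configure output saved in the log into the function, for example `geoip_summary_state < nginx_upgrade.log` (the log's location on disk is not given in the thread).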
    
     
  16. eva2000

    • Winner Winner x 2
  17. EckyBrazzz

    Confirm..... You're amazing!
     
    • Like Like x 1
  18. eva2000

  19. EckyBrazzz

    Keeps fingers crossed until a fix is available.