New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v2: make sure ModSecurity runs after mod_maxminddb (GeoIP) in phase 1 #2812
base: v2/master
Are you sure you want to change the base?
Conversation
Pay attention, this breaks some current implementations. |
I might be misunderstanding your use case, but is not this something you would typically do with mod_remoteip? I see how this breaks your use case, yet I think doing the lookup before phase 1 is the more natural behavior. Using ModSecurity to work around the X-Forwarded-For header in phase 1, so you can then do GeoIP lookup and run your GeoIP rules in phase 2 obviously works, but I think it's a hack that only works since ModSecurity happens to run after mod_maxminddb by hazard. Neither of the two modules defines the priority with regards to the other module. So either ModSecurity or mod_maxminddb could change their behaviour anytime and break your setup. |
I introduced that feature in mod_maxminddb to allow ModSecurity to set the variable in phase 1, so it's really wanted. |
Fine with me, it's @martinhsv's call anyways. |
Could you explain in more detail that earlier feature of yours and why this PR would break it? |
If you don't want to use mod_remoteip, or if you need to parse a HTTP header with a syntax that mod_remoteip doesn't support, you can do it with a phase 1 rule. If ModSecurity runs first, you set an environment variable with the IP to be analyzed by mod_maxminddb. |
I see a lack of flexibility on the side of ModSec and on the side of mod_maxminddb.
Right now, the two use cases contradict each other. Maybe we need to bring in the Maxmind developers into the conversation. I see that @horgh and @oschwald are frequent committers with a maxmind email address. |
@oschwald interacted with me at the time and approved my PR
On 21-10-2022 09:00, Christian Folini
wrote:
CAUTION: this email originated from
outside of Approach. Do not click links or open
attachments unless you trust the sender and know the
content is safe.
I see a lack of flexibility on the side of ModSec
and on the side of mod_maxminddb.
We have the desire to direct mod_maxminddb by setting an
env variable in ModSec's phase 1.
Looking up the GeoIP information and reacting via ModSec
as early as possible in the lifecycle, thus before the
request body is parsed, is also very useful and IMHO a
natural desire.
Right now, the two use cases contradict each
other.
Maybe we need to bring in the Maxmind developers
into the conversation.
I see that
@horgh and
@oschwald are frequent committers with a maxmind email
address.
—
Reply to this email directly,
view it on GitHub, or
unsubscribe.
You are receiving this because you were mentioned.Message
ID: ***@***.***>
[
{
***@***.***": "http://schema.org",
***@***.***": "EmailMessage",
"potentialAction": {
***@***.***": "ViewAction",
"target": "#2812 (comment)",
"url": "#2812 (comment)",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
***@***.***": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]
|
I'd suspect the second use case is more common, but ideally there would not be breakage for the first use case. If there is something that can be done on the |
Thank you very much for chiming in @oschwald. |
For the record, my latest blog post about GeoIP including the breaking change to mod_maxminddb is here: https://www.netnea.com/cms/2022/10/12/using-geoip-information-together-with-modsecurity/ |
If the changes in 1.2.0 was breaking, I apologize. We strive to only introduce such changes when there is a major version bump. That said, it has been over 2.5 years since that release and I assume many people now depend on the new behavior it introduced. |
No, I see no breakage. Most ModSecurity users worked with the legacy DB format since ModSecurity 2.9 supported that natively. When legacy disappeared (thank you for keeping it alive for so long), a few people I know started to transform the new format into the legacy format in order to keep it working on ModSec 2.9. I was not aware @marcstern is a user of mod_maxminddb. As far as I can see I was the first one to write a detailed blog post how to integrate GeoIP information and also mod_maxminddb with ModSecurity. So the whole coordination problem between the two modules is rather new, or let's say it only surfaced now to a somewhat wider audience. @marcstern: How would you solve it on the MaxMind side so that both use cases could continue? |
With the current behaviour (MS in phase 1 before mod_maxminddb), we have these possibilities:
If we switch the order, we have these possibilities:
The only advantage of the second case is to allow GeoIP in "real" phase 1. Usually, people from SpidereLabs tell me "you're one for the very few using that, we should focus on the average user" ;-) Btw, one goal of MS is also to protect internals. In the current situation, in case there's a problem (with mod_remoteip or another similar mechanism), MS can check, in phase 1, that the IP has the right format and maybe blocking an attack on mod_maxminddb (buffer overflow, ...). That would be impossible if mod_maxminddb runs first. I guess this is nice argument. |
Very simple patch adding
mod_maxminddb.c
topostread_beforeme_list
.This allows to use mod_maxminddb GeoIP information in phase 1.