Skip to content

Commit

Permalink
fix error
Browse files Browse the repository at this point in the history
Signed-off-by: Felipe Zipitria <[email protected]>
  • Loading branch information
fzipi committed Mar 13, 2022
1 parent 1758ec8 commit 76d2f61
Show file tree
Hide file tree
Showing 25 changed files with 240 additions and 91 deletions.
37 changes: 25 additions & 12 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -57,9 +57,9 @@ jobs:
- name: Install dependencies with apt
run: |
sudo add-apt-repository universe
sudo apt-get update
sudo apt-get -y \
--fix-missing install \
sudo apt-get -qq update
sudo apt-get -y -qq \
--fix-missing --no-install-recommends install \
gcc make \
libxml2-dev \
libxslt-dev \
Expand Down Expand Up @@ -89,26 +89,28 @@ jobs:
- name: Configure compilation of dynamic module
run: |
ls -l
cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }}
./configure \
--with-compat \
--add-dynamic-module=${{ github.workspace }}/ \
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
--with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' \
--prefix=/usr/share/nginx \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \
--modules-path=/usr/lib/nginx/modules \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
--http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-debug \
--with-file-aio \
--with-threads \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
Expand All @@ -126,10 +128,21 @@ jobs:
--with-http_xslt_module=dynamic \
--with-stream=dynamic
- name: Compile dynamic module
run: |
- name: Compile dynamic module and install nginx
run: |
cd ${{ github.workspace }}/nginx-${{ matrix.nginx_version }}
make modules
make
sudo make install
- name: Run tests
run: |
wget http://hg.nginx.org/nginx-tests/archive/tip.tar.gz
tar xzf tip.tar.gz
cd nginx-tests-*
cp ../tests/* .
export TEST_NGINX_BINARY=/usr/sbin/nginx
prove .
- name: Upload a Build Artifact
uses: actions/upload-artifact@v2
Expand Down
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
.vscode/
80 changes: 80 additions & 0 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
FROM golang as go-builder

ARG libcoraza_version=master

# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
RUN set -eux; \
apt-get update -qq; \
apt-get install -qq --no-install-recommends \
autoconf \
automake \
libtool \
gcc \
bash \
make

COPY ./libcoraza /tmp/master

RUN set -eux; \
#wget https://github.com/corazawaf/libcoraza/tarball/master -O /tmp/master; \
#tar -xvf /tmp/master; \
#cd corazawaf-libcoraza-*; \
cd /tmp/master; \
./build.sh; \
./configure; \
make; \
make V=1 install

FROM nginx:stable as ngx-coraza

COPY --from=go-builder /usr/local/include/coraza /usr/local/include/coraza
COPY --from=go-builder /usr/local/lib/libcorazacore.a /usr/local/lib
COPY --from=go-builder /usr/local/lib/libcorazautils.a /usr/local/lib
COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib
COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib

# For latest build deps, see https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
RUN set -eux; \
apt-get update -qq; \
apt-get install -qq --no-install-recommends \
gcc \
gnupg1 \
ca-certificates \
libc-dev \
make \
openssl \
curl \
gnupg \
wget \
libpcre3 libpcre3-dev \
zlib1g-dev

COPY . /usr/src/coraza-nginx

# Download sources
RUN set -eux; \
curl "http://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -o - | tar zxC /usr/src -f -;
# Reuse same cli arguments as the nginx:alpine image used to build

RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p');\
cd /usr/src/nginx-$NGINX_VERSION; \
./configure --with-compat "$CONFARGS" --add-dynamic-module=/usr/src/coraza-nginx; \
make modules; \
mkdir -p /usr/lib/nginx/modules; \
find objs/*.so -print; \
cp objs/ngx_*.so /usr/lib/nginx/modules

FROM nginx:stable

RUN sed -i -e "s|events {|load_module \"/usr/lib/nginx/modules/ngx_http_coraza_module.so\";\n\nevents {|" /etc/nginx/nginx.conf;

COPY ./coraza.conf /etc/nginx/conf.d/coraza.conf
COPY --from=ngx-coraza /usr/lib/nginx/modules/ /usr/lib/nginx/modules/
COPY --from=go-builder /usr/local/lib/libcorazacore.so /usr/local/lib
COPY --from=go-builder /usr/local/lib/libcorazautils.so /usr/local/lib

RUN ldconfig -v

EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]
80 changes: 40 additions & 40 deletions config
Original file line number Diff line number Diff line change
Expand Up @@ -10,40 +10,41 @@

ngx_addon_name="ngx_http_coraza_module"
coraza_dependency="ngx_http_postpone_filter_module \
ngx_http_ssi_filter_module \
ngx_http_charset_filter_module \
ngx_http_xslt_filter_module \
ngx_http_image_filter_module \
ngx_http_sub_filter_module \
ngx_http_addition_filter_module \
ngx_http_gunzip_filter_module \
ngx_http_userid_filter_module \
ngx_http_headers_filter_module \
ngx_http_copy_filter_module"
ngx_http_ssi_filter_module \
ngx_http_charset_filter_module \
ngx_http_xslt_filter_module \
ngx_http_image_filter_module \
ngx_http_sub_filter_module \
ngx_http_addition_filter_module \
ngx_http_gunzip_filter_module \
ngx_http_userid_filter_module \
ngx_http_headers_filter_module \
ngx_http_copy_filter_module"


if test -n "$ngx_module_link"; then
ngx_module_type=HTTP_FILTER
ngx_module_name="$ngx_addon_name"
ngx_module_srcs="$ngx_addon_dir/src/ngx_http_coraza_module.c \
$ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
$ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_log.c \
$ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
"
$ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
$ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_log.c \
$ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
$ngx_addon_dir/src/ngx_http_coraza_utils.c \
"
ngx_module_deps="$ngx_addon_dir/src/ddebug.h \
$ngx_addon_dir/src/ngx_http_coraza_common.h \
"
ngx_module_libs="-lcorazacore"
ngx_module_incs="-I /usr/local/coraza/include"
$ngx_addon_dir/src/ngx_http_coraza_common.h \
"
ngx_module_libs="-lcorazacore"
ngx_module_incs="-I /usr/local/coraza/include"

ngx_module_order="ngx_http_chunked_filter_module \
ngx_http_v2_filter_module \
ngx_http_range_header_filter_module \
ngx_http_gzip_filter_module \
$ngx_module_name \
$coraza_dependency";
ngx_module_order="ngx_http_chunked_filter_module \
ngx_http_v2_filter_module \
ngx_http_range_header_filter_module \
ngx_http_gzip_filter_module \
$ngx_module_name \
$coraza_dependency";

. auto/module
else
Expand All @@ -54,19 +55,18 @@ else
CORE_LIBS="$CORE_LIBS $ngx_feature_libs"

HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES ngx_http_coraza_module"
NGX_ADDON_SRCS="\
$NGX_ADDON_SRCS \
$ngx_addon_dir/src/ngx_http_coraza_module.c \
$ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
$ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_log.c \
$ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
"
NGX_ADDON_SRCS="$NGX_ADDON_SRCS \
$ngx_addon_dir/src/ngx_http_coraza_module.c \
$ngx_addon_dir/src/ngx_http_coraza_pre_access.c \
$ngx_addon_dir/src/ngx_http_coraza_header_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_body_filter.c \
$ngx_addon_dir/src/ngx_http_coraza_log.c \
$ngx_addon_dir/src/ngx_http_coraza_rewrite.c \
$ngx_addon_dir/src/ngx_http_coraza_utils.c \
"

NGX_ADDON_DEPS="\
$NGX_ADDON_DEPS \
$ngx_addon_dir/src/ddebug.h \
$ngx_addon_dir/src/ngx_http_coraza_common.h \
"
NGX_ADDON_DEPS="$NGX_ADDON_DEPS \
$ngx_addon_dir/src/ddebug.h \
$ngx_addon_dir/src/ngx_http_coraza_common.h \
"
fi
5 changes: 5 additions & 0 deletions coraza.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
coraza on;
coraza_rules 'SecRuleEngine On
SecRule ARGS "@streq whee" "id:10,phase:2"
SecRule ARGS "@streq whee" "id:11,phase:2"
';
4 changes: 2 additions & 2 deletions ngx-modsec.stp → ngx-coraza.stp
Original file line number Diff line number Diff line change
Expand Up @@ -6,12 +6,12 @@ global rules_phase


# Rules
probe process("/usr/local/lib/libcoraza.so.3").function("[email protected]*")
probe process("/usr/local/lib/libcoraza.so").function("[email protected]*")
{
begin_rule = gettimeofday_us();
}

probe process("/usr/local/lib/libcoraza.so.3").function("[email protected]*").return
probe process("/usr/local/lib/libcoraza.so").function("[email protected]*").return
{
elapsed_rule = gettimeofday_us() - begin_rule
rules[$this->m_ruleId] <<< elapsed_rule
Expand Down
2 changes: 2 additions & 0 deletions src/ngx_http_coraza_common.h
Original file line number Diff line number Diff line change
Expand Up @@ -126,5 +126,7 @@ ngx_int_t ngx_http_coraza_pre_access_handler(ngx_http_request_t *r);
/* ngx_http_coraza_rewrite.c */
ngx_int_t ngx_http_coraza_rewrite_handler(ngx_http_request_t *r);

/* ngx_http_coraza_utils.c */
ngx_int_t ngx_str_to_char(ngx_str_t a, char *str, ngx_pool_t *p);

#endif /* _ngx_http_coraza_COMMON_H_INCLUDED_ */
30 changes: 21 additions & 9 deletions src/ngx_http_coraza_module.c
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,9 @@ void ngx_http_coraza_cleanup(void *data)

ctx = (ngx_http_coraza_ctx_t *)data;

coraza_transaction_free(ctx->coraza_transaction);
if (coraza_free_transaction(ctx->coraza_transaction) != NGX_OK) {
dd("cleanup -- transaction free failed: %d", res);
};
}

ngx_inline ngx_http_coraza_ctx_t *
Expand Down Expand Up @@ -199,15 +201,20 @@ char *
ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
int res;
char *rules;
char *rules = NULL;
ngx_str_t *value;
char *error;
char *error = NULL;
ngx_http_coraza_conf_t *mcf = conf;
ngx_http_coraza_main_conf_t *mmcf;

value = cf->args->elts;

res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error);
if (ngx_str_to_char(value[1], rules, cf->pool) != NGX_OK) {
dd("Failed to get the rules");
return NGX_CONF_ERROR;
}

res = coraza_rules_add(mcf->waf, rules, &error);

if (res < 0)
{
Expand All @@ -225,15 +232,20 @@ char *
ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
int res;
char *rules_set;
char *rules_set = NULL;
ngx_str_t *value;
char **error;
char **error = NULL;
ngx_http_coraza_conf_t *mcf = conf;
ngx_http_coraza_main_conf_t *mmcf;

value = cf->args->elts;

res = coraza_rules_add(mcf->waf, (char *)value[1].data, &error);
if (ngx_str_to_char(value[1], rules_set, cf->pool) != NGX_OK) {
dd("Failed to get the rules_file");
return NGX_CONF_ERROR;
}

res = coraza_rules_add(mcf->waf, rules_set, error);

if (res < 0)
{
Expand Down Expand Up @@ -555,11 +567,11 @@ ngx_http_coraza_merge_conf(ngx_conf_t *cf, void *parent, void *child)
dd("CHILD RULES");
coraza_rules_dump(c->rules_set);
#endif
rules = coraza_rules_merge(c->waf, p->waf, &error);
rules = coraza_rules_merge(c->waf, p->waf, error);

if (rules < 0)
{
return error;
return *error;
}

#if defined(CORAZA_DDEBUG) && (CORAZA_DDEBUG)
Expand Down
6 changes: 3 additions & 3 deletions src/ngx_http_coraza_pre_access.c
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r)
{
int ret = 0;
int already_inspected = 0;
char *file_name = NULL;

dd("request body is ready to be processed");

Expand All @@ -156,8 +157,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r)

if (r->request_body->temp_file != NULL) {
ngx_str_t file_path = r->request_body->temp_file->file.name;
const char *file_name = ngx_str_to_char(file_path, r->pool);
if (file_name == (char*)-1) {
if (ngx_str_to_char(file_path, file_name, r->pool) != NGX_OK) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
/*
Expand All @@ -166,7 +166,7 @@ ngx_http_coraza_pre_access_handler(ngx_http_request_t *r)
*/
dd("request body inspection: file -- %s", file_name);

coraza_request_body_from_file(ctx->coraza_transaction, (char*)file_name);
coraza_request_body_from_file(ctx->coraza_transaction, file_name);

already_inspected = 1;
} else {
Expand Down
Loading

0 comments on commit 76d2f61

Please sign in to comment.