From owner-freebsd-stable@freebsd.org Wed Jan 23 15:50:46 2019 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1F72E14AB965 for ; Wed, 23 Jan 2019 15:50:46 +0000 (UTC) (envelope-from softwareinforjam@gmail.com) Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E968F77E89 for ; Wed, 23 Jan 2019 15:50:44 +0000 (UTC) (envelope-from softwareinforjam@gmail.com) Received: by mail-ua1-x92b.google.com with SMTP id e16so855831uam.12 for ; Wed, 23 Jan 2019 07:50:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=message-id:mime-version:to:cc:from:subject:date:importance :in-reply-to:references; bh=3oHtdIhe3KGXN2oUY3WrtYhvKxHv0O0N+EvhnuBBkxY=; b=mjeibNkndIeh6pmeRWCoKhS3+QczfEf2w6X1C54JVIFgbuBEr5YKxvgA9vsaOoHGNc 7UWnbEtah/UQCz4OI1tLcxd2457VTE4bCbFl3NSX0T/YIWtqA0TUg5+SQkb6zHz8RZ8h TR6jc5UXSrYBe5dAHx9BbTJICksJndSUr4X88bVVi96W1s1kI7zp9/V40xBl1fAmvA3y Aiz/RH6lNxI6TrTpA1ICvFQTEX1rzvdZ6+EJGzKc1Xd3lcj3yZasZcIgLiWxvhGOi982 iATfzbL7ojjE6PrVqSJO5vrslGtAf3pk5JPmS9TWXlSA7Z3Q2gG7QInZ7Q31sJ2xKil+ 2xrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:mime-version:to:cc:from:subject:date :importance:in-reply-to:references; bh=3oHtdIhe3KGXN2oUY3WrtYhvKxHv0O0N+EvhnuBBkxY=; b=O9nc102thl/bjLsEV0u7fIRXHiOctJsXQ75GiAomrv9WU6zFEYMuwouBScxhYaQZbg LbHFBwg1PVGHql2h4cvU4wpSSfR7MtV/9Gb2UL8vMgO5khOO4Kh11q5Ik8ZW/zinNIqR J7E8pls7no4K7dQK8+Prg69f0OahJLElUkqaT+H8rG2ZUk+aS18zK9bbwlKwsBm2Up7W INKsrWXceDIsQQBOEpuGV3i1a4URZ1RYyOVoIf/295IlnrUO1+lvUFvnch3OTYtlkw4S kOIvcwa2oJjpw/alM7ob4QL0Mrd2U7flUoRRzSeyz0jIObHX0JPqUKsf2dUFCnux/V1a 6Fyw== X-Gm-Message-State: AJcUukeKrlbunr717473yPIhSfnw43jdh4nFXm+iXAR7oOQlCI9ZUzlu mQYqzxclDznidXv/Mnxo+04= X-Google-Smtp-Source: ALg8bN70dzPQ2/PX+KrJ9k+sC//KucDzj9laotYAlxcUQfFREJf7Bn445hvNnQJaR/1sUWXwb55rtg== X-Received: by 2002:ab0:16c:: with SMTP id 99mr990133uak.15.1548258644202; Wed, 23 Jan 2019 07:50:44 -0800 (PST) Received: from ?IPv6:::ffff:192.10.1.165? (git.mayberryinv.com. [63.143.111.202]) by smtp.gmail.com with ESMTPSA id t133sm17832123vsc.8.2019.01.23.07.50.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Jan 2019 07:50:43 -0800 (PST) Message-ID: <5c488d53.1c69fb81.68ca7.efd8@mx.google.com> MIME-Version: 1.0 To: Matt Garber Cc: "freebsd-stable@freebsd.org" From: SoftwareInforJam Subject: RE: Issue with mod_security3 Date: Wed, 23 Jan 2019 10:50:44 -0500 Importance: normal X-Priority: 3 In-Reply-To: References: <5c4744cd.1c69fb81.7b84f.5450@mx.google.com> <20190122185438.GC85865@v1.leiden.byshenk.net> <5c476baa.1c69fb81.58970.0af8@mx.google.com> <5c47b2c0.1c69fb81.ba7c2.95f3@mx.google.com> X-Rspamd-Queue-Id: E968F77E89 X-Spamd-Bar: ----- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20161025 header.b=mjeibNkn; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of softwareinforjam@gmail.com designates 2607:f8b0:4864:20::92b as permitted sender) smtp.mailfrom=softwareinforjam@gmail.com X-Spamd-Result: default: False [-5.49 / 15.00]; TO_DN_EQ_ADDR_SOME(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; FREEMAIL_FROM(0.00)[gmail.com]; URI_COUNT_ODD(1.00)[5]; RCVD_COUNT_THREE(0.00)[3]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; HAS_X_PRIO_THREE(0.00)[3]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; FREEMAIL_TO(0.00)[gmail.com]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; RCVD_TLS_LAST(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com.dwl.dnswl.org : 127.0.5.0]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20161025]; FROM_HAS_DN(0.00)[]; NEURAL_HAM_SHORT(-0.98)[-0.979,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TAGGED_RCPT(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[freebsd-stable@freebsd.org]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_IN_DNSWL_NONE(0.00)[b.2.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org : 127.0.5.0]; IP_SCORE(-2.50)[ip: (-8.03), ipnet: 2607:f8b0::/32(-2.47), asn: 15169(-1.90), country: US(-0.08)] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Jan 2019 15:50:46 -0000 It seems to be working now thanks. At first I got a binary incompatible err= or when I ran service nginx configtest. I realized after that I needed to r= un configure with the same options that nginx is configured with on the Pro= d box. I copied the output of nginx -V to configure and ran again. The seco= nd module it produced seems to be working fine. Thanks very much again for = your help. Sent from Mail for Windows 10 From: Matt Garber Sent: Tuesday, January 22, 2019 7:59 PM To: SoftwareInforJam Cc: freebsd-stable@freebsd.org Subject: Re: Issue with mod_security3 > On Jan 22, 2019, at 7:18 PM, SoftwareInforJam wrote: >=20 > Well I am making some progress I guess. Now modsecurity is installed and = not orphaned. My challenge now is that I have been reading several document= s and all of them say I need to add the following to nginx.conf >=20 > load_module modules/ngx_http_modsecurity.so; >=20 > My challenge now is I can=E2=80=99t seem to find this module anywhere. I = am not sure what to do now. Isn=E2=80=99t this module needed for this to wo= rk? >=20 > root@proxy:/usr/local/etc/nginx # find / -name "ngx_http_modsecurity*" > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_body_filter.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_rewrite.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_log.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_pre_access.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_header_filter.o > /usr/ports/www/nginx/work/nginx-1.14.2/objs/addon/src/ngx_http_modsecurit= y_module.o > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_body_filter.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_common.h > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_header_filter.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_log.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_module.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_pre_access.c > /usr/ports/www/nginx/work/ModSecurity-nginx-71ede63/src/ngx_http_modsecur= ity_rewrite.c Here are the steps I just followed successfully in a test jail =E2=80=93 a = mix of packages (modsecurity3) and the source for nginx and the ModSecurity= 3-nginx connector; the =E2=80=98modsecurity3=E2=80=99 package installs the = shared library (e.g., /usr/local/lib/libmodsecurity.so.3.0.3), but doesn=E2= =80=99t install the nginx connector. If the nginx port doesn=E2=80=99t have= a make option for the connector, you might have to either hack the port or= just compile from source like I did: ----- Very simplified, single jail ----- 1. Install the modsecurity3 library package and git for cloning the ModSecu= rity-nginx repo: # pkg install modsecurity3 git 2. Grab the latest nginx source and ModSecurity-nginx repo: $ fetch 'http://nginx.org/download/nginx-1.14.2.tar.gz' $ tar -zxvf nginx-1.14.2.tar.gz $ git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git $ cd nginx-1.14.2 3. Compile nginx, adding support for the ModSecurity3-nginx connector as a = dynamic module. I=E2=80=99ve also added a variety of other FreeBSD-specific= configuration directives and/or compilation/linking hardening used by ngin= x upstream in their Linux repositories: $ ./configure --with-compat --add-dynamic-module=3D../ModSecurity-nginx --p= refix=3D/usr/local/etc/nginx --with-cc-opt=3D'-g -O2 -fstack-protector-stro= ng -Wformat -Werror=3Dformat-security -fPIC -Wdate-time -D_FORTIFY_SOURCE= =3D2 -I /usr/local/include' --with-ld-opt=3D'-Wl,-Bsymbolic-functions -Wl,-= z,relro -Wl,-z,now -fPIC -L /usr/local/lib' --conf-path=3D/usr/local/etc/ng= inx/nginx.conf --sbin-path=3D/usr/local/sbin/nginx --pid-path=3D/var/run/ng= inx.pid --error-log-path=3D/var/log/nginx/error.log --user=3Dwww --group=3D= www --modules-path=3D/usr/local/libexec/nginx --with-file-aio --with-thread= s --without-mail_imap_module --without-mail_pop3_module --without-mail_smtp= _module --with-mail_ssl_module --http-client-body-temp-path=3D/var/tmp/ngin= x/client_body_temp --http-fastcgi-temp-path=3D/var/tmp/nginx/fastcgi_temp -= -http-proxy-temp-path=3D/var/tmp/nginx/proxy_temp --http-scgi-temp-path=3D/= var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=3D/var/tmp/nginx/uwsgi_temp = --http-log-path=3D/var/log/nginx/access.log --with-http_addition_module --w= ith-http_auth_request_module --with-http_flv_module --with-http_gunzip_modu= le --with-http_gzip_static_module --with-http_random_index_module --with-ht= tp_realip_module --with-pcre --with-http_secure_link_module --with-http_sli= ce_module --with-http_ssl_module --with-http_stub_status_module --with-http= _sub_module --with-http_v2_module --with-stream_ssl_module --with-mail=3Ddy= namic --with-stream=3Ddynamic $ make $ sudo make install 4. The above step should have created ngx_http_modsecurity_module.so under = the nginx source directory, and installed it into /usr/local/libexec/nginx,= at which point the load_module directive in the nginx configuration should= work fine, and you can move on to ruleset configuration. FYI, all of the a= bove just follows the ~second half of , after taking care of t= he prerequisites with FreeBSD packages instead. Like I said, you could prob= ably relatively easily hack the nginx port to add in the integration of Mod= Security3-nginx if you care about that more than keeping up-to-date with ng= inx source separately, but then you=E2=80=99d have to avoid overwriting the= port =E2=80=93 YMMV. Thanks, =E2=80=94 Matt Garber