
Conflicts with ModSecurity

Open sharmashivanand opened this issue 6 years ago • 4 comments

Just here to chime in and say that if you are using ModSecurity-nginx / ModSecurity (v3), there is a conflict and you'd see errors like this in the nginx error log. The module itself doesn't cause this, but I had the directive security_headers on; which caused this. Haven't tested with other directives. Hope this helps anyone coming across this one. Difficult to find.

2019/08/20 19:56:31 [alert] 2957#2957: worker process 2980 exited on signal 6 terminate called after throwing an instance of 'std::bad_alloc'

sharmashivanand avatar Aug 20 '19 20:08 sharmashivanand

Does this happen for any request? Or do you need to craft a specific request in order to reproduce? Thanks

dvershinin avatar Aug 21 '19 07:08 dvershinin

It happens for any request. I used the DOM tools in the browser, and sometimes it just outputs the HTML and blocks CSS, JPG, etc. At other times it closes the connection.


sharmashivanand avatar Aug 21 '19 08:08 sharmashivanand

@sharmashivanand the error itself hinted that it's coming from some C++ code, I assumed it is an issue with libmodsecurity itself.

It seems that libmodsecurity is "sensitive" to the Server header being removed by ngx_security_headers. So the only action I took was to default to not removing server headers, e.g. security_headers on; alone should no longer cause issues with ModSecurity.

If you also put hide_server_tokens off;, which is the new directive responsible for the server headers hiding (e.g. Server, X-Powered), it may expose the libmodsecurity failure.

All that said though, it's been a while and I've just tried with:

    modsecurity on;
    security_headers on;
    hide_server_tokens on;

... and I can't get it to error.

My own setup is basically all latest stable releases:

  • libmodsecurity 3.0.4
  • nginx modsecurity connector module 1.0.1
  • ngx_security_headers 0.0.8
  • owasp crs 3.2.0
  • NGINX 1.16.1
  • RHEL 8

If you can confirm (or anyone else) that this works without issues, we can safely assume that libmodsecurity fixed whatever problem they had; and revert to the old behavior (default to hiding server tokens).

dvershinin avatar Feb 20 '20 01:02 dvershinin
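An added verification check for the configuration discussed above (example code, not from ngx_security_headers or this thread): a POSIX shell script that audits a captured HTTP response header block for the token-revealing headers that hide_server_tokens on; should strip (Server, X-Powered-By) and for hardening headers that security_headers on; is assumed to add. The sample responses are constructed, and the set of expected hardening headers is an assumption to adjust to your configuration.

```shell
#!/bin/sh
# Audit a captured response header block for the effect of
# `security_headers on;` and `hide_server_tokens on;`.
# Header names checked below are assumptions for this example.

# Constructed sample responses (not captured from a real server).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.16.1
X-Powered-By: PHP/7.2
Content-Type: text/html'

CLEAN_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

# header_present RAW NAME: exit 0 if header NAME (case-insensitive) is in RAW.
header_present() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q -i "^$2:"
}

# audit_headers RAW: print one line per finding, exit 1 if any finding.
#   "LEAK <name>"    - header hide_server_tokens on; should have removed
#   "MISSING <name>" - header security_headers on; is assumed to add
audit_headers() {
    raw=$1
    rc=0
    for h in Server X-Powered-By; do
        if header_present "$raw" "$h"; then
            echo "LEAK $h"
            rc=1
        fi
    done
    for h in X-Frame-Options X-Content-Type-Options; do
        if ! header_present "$raw" "$h"; then
            echo "MISSING $h"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run over the constructed samples. For a live host, capture
# the headers first, e.g.: audit_headers "$(curl -sI https://host.example/)"
audit_headers "$LEAKY_RESPONSE" || echo "leaky response: findings above"
audit_headers "$CLEAN_RESPONSE" && echo "clean response: no findings"
```

A non-zero exit from audit_headers after enabling hide_server_tokens on; means the header stripping is not taking effect for that response, which is the state worth confirming alongside the ModSecurity interaction described in the thread.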

I can confirm, the error is gone.

Zoey2936 avatar May 22 '23 20:05 Zoey2936