
[bitnami/nginx-ingress-controller] ModSecurity was not compiled with GeoIP or MaxMind support

Open LeTuR opened this issue 2 years ago • 3 comments

Name and Version

bitnami/nginx-ingress-controller 10.3.0

What architecture are you using?

amd64

What steps will reproduce the bug?

Trying to deploy the latest nginx-ingress-controller with ModSecurity enabled with the OWASP core rule set fails.

Deploying (locally or on an AKS cluster) nginx-ingress-controller with the following configuration:

# values.yaml
config:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"

Controller pod fails and restarts with the following ModSecurity error:

	-------------------------------------------------------------------------------
	Error: exit status 1
	2024/02/08 14:58:38 [emerg] 38#38: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 77. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /tmp/nginx/nginx-cfg346937113:128
	nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 77. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /tmp/nginx/nginx-cfg346937113:128
	nginx: configuration file /tmp/nginx/nginx-cfg346937113 test failed
	
	-------------------------------------------------------------------------------

Are you using any custom parameters or values?

values.yaml

config:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"

What is the expected behavior?

Controller pod should start without ModSecurity error.

What do you see instead?

Modsecurity errors:

	-------------------------------------------------------------------------------
	Error: exit status 1
	2024/02/08 14:58:38 [emerg] 38#38: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 77. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /tmp/nginx/nginx-cfg346937113:128
	nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 77. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /tmp/nginx/nginx-cfg346937113:128
	nginx: configuration file /tmp/nginx/nginx-cfg346937113 test failed
	
	-------------------------------------------------------------------------------

Additional information

This configuration (without maxmindLicenseKey) works fine with Helm template version 9.3.33

Deployment with the official nginx chart works fine using:

#values.yaml
controller:
  config:
    enable-modsecurity: "true"
    enable-owasp-modsecurity-crs: "true"

Bitnami version (not working):

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       1.9.6
  Build:         7d6fa0b
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6

-------------------------------------------------------------------------------

Nginx official version (working):

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.9.6
  Build:         6a73aa3b05040a97ef8213675a16142a9c95952a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6

-------------------------------------------------------------------------------

LeTuR, Feb 08 '24 15:02

Hi @LeTuR,

Thanks for reporting it. I was able to reproduce the issue and an internal task has been created to solve it.

dgomezleon, Feb 12 '24 08:02

@LeTuR hey, were you able to find a workaround to fix ModSecurity on pod start? Or have you disabled

enable-modsecurity: "true"
enable-owasp-modsecurity-crs: "true"

@javsalgar This also did occur in the latest version of the chart by bitnami, 11.1.0. I have attached the image below.

ModSecurity-Issue

Hareshraman, Apr 18 '24 15:04

> @LeTuR hey, were you able to find a workaround to fix ModSecurity on pod start? Or have you disabled
>
> enable-modsecurity: "true"
> enable-owasp-modsecurity-crs: "true"
>
> @javsalgar This also did occur in the latest version of the chart by bitnami, 11.1.0. I have attached the image below.
>
> ModSecurity-Issue

Best solution in my case was to migrate to nginx ingress https://kubernetes.github.io/ingress-nginx/

I think fix should be done at the container image level.

LeTuR, Apr 20 '24 07:04
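
Added example, not part of the thread and not Bitnami or ingress-nginx code: a Python triage helper that pulls the failing rule file, line and column out of controller logs like the ones in the report, and flags GeoIP-dependent lines in a rule file before rollout. It assumes the GeoIP-dependent ModSecurity features are `SecGeoLookupDb` and `@geoLookup` (the thread does not show line 77 of the rule file); the function names and the rule sample are constructed for illustration.

```python
import re

# Shape of the nginx "[emerg]" line quoted in the report above.
RULES_ERROR = re.compile(
    r'"modsecurity_rules_file" directive Rules error\. '
    r'File: (?P<file>\S+)\. Line: (?P<line>\d+)\. Column: (?P<col>\d+)\. '
    r'(?P<reason>.*?)\s+in \S+:\d+$'
)
# Assumption: ModSecurity features that need a GeoIP/MaxMind-enabled build.
GEO_TOKENS = re.compile(r'SecGeoLookupDb|@geoLookup', re.IGNORECASE)

# The two error lines from the report (nginx prints the failure twice).
SAMPLE_LOG = '''
2024/02/08 14:58:38 [emerg] 38#38: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 77. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /tmp/nginx/nginx-cfg346937113:128
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/owasp-modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf. Line: 77. Column: 22. This version of ModSecurity was not compiled with GeoIP or MaxMind support.  in /tmp/nginx/nginx-cfg346937113:128
'''

# Constructed rule text for the demo (not copied from the CRS).
SAMPLE_RULES = '''\
# SecGeoLookupDb /path/to/db  (commented out, so ignored)
SecRule REMOTE_ADDR "@ipMatch 192.0.2.1" "id:1,phase:1,pass,nolog"
SecRule REMOTE_ADDR "@geoLookup" "id:2,phase:1,pass,nolog"
'''


def parse_rules_errors(log_text):
    """Return unique (file, line, column, reason) tuples from controller logs."""
    seen, out = set(), []
    for raw in log_text.splitlines():
        m = RULES_ERROR.search(raw.strip())
        if not m:
            continue
        key = (m['file'], int(m['line']), int(m['col']), m['reason'])
        if key not in seen:  # collapse the duplicated nginx message
            seen.add(key)
            out.append(key)
    return out


def geo_dependent_lines(rules_text):
    """Return 1-based numbers of non-comment lines that use GeoIP features."""
    return [n for n, line in enumerate(rules_text.splitlines(), 1)
            if not line.lstrip().startswith('#') and GEO_TOKENS.search(line)]


if __name__ == "__main__":
    for f, line, col, reason in parse_rules_errors(SAMPLE_LOG):
        print(f"{f}:{line}:{col}: {reason}")
    print("GeoIP-dependent lines:", geo_dependent_lines(SAMPLE_RULES))
```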