
Transfer GeoIP Plugin?

Open logopk opened this issue 1 year ago • 13 comments

Hi @azurit,

do you plan to transfer the geoIP Plugin to the CRS plugin-registry?

Thanks

Peter

logopk avatar Feb 17 '24 13:02 logopk

Hi @logopk, yes, of course I will try to do it (but it does not depend only on me).

azurit avatar Feb 17 '24 16:02 azurit

Hi @logopk,

Are you planning on using geo IP rules in your CRS setup? It would be good to understand your use case.

For what it's worth, there's a general feeling that geo IP logic does not belong in CRS, which is why it was removed. There are better places to handle geo IP-related logic (at the proxy level, at the web server, via a network firewall, at the edge, etc.)

It's a similar situation to anti-DoS rules: it is possible to implement via SecRules, but there are many better places to perform it, and the support varies between engines and engine versions (and the anti-DoS logic has also been removed from the core of CRS).

RedXanadu avatar Feb 19 '24 18:02 RedXanadu

@RedXanadu Understood. I am using maxminddb in Apache. When I started I used rewrite rules but then I noticed the geoip plugin. I had the impression that all security rules should be handled in one piece of software. So CRS seemed to be a good place. Am I wrong? Regards Peter

logopk avatar Feb 19 '24 20:02 logopk

Hey @logopk, I think there are pros and cons here. CRS kicked the GeoIP stuff because it's no longer in line with the pattern-based stuff we are doing. But your reasoning about the single place makes a lot of sense. Hence the plugin option.

@azurit: Moving the GeoIP stuff into our repo would be cool, I think. Where do you see the problems?

dune73 avatar Feb 20 '24 21:02 dune73

There's the added complication that ModSec on Apache (assuming you're using v2, @logopk) does not handle the MaxMind database format. You would have to roll your own database files. Do-able (I maintained this for several years for customers who insisted on using MaxMind inside ModSec), but it's more steps and more complication.

The Apache MaxMind module is more flexible and more mature, if you want to keep everything in one place (Apache).

RedXanadu avatar Feb 20 '24 23:02 RedXanadu

Well, that ModSec2 shortcoming is not necessarily set in stone ...

dune73 avatar Feb 20 '24 23:02 dune73

I use modmaxmind with modsec2 and the database format is no problem.

logopk avatar Feb 21 '24 05:02 logopk

Well done.

I think the plugin should offer that option (or any other ENV variable) for full flexibility.

dune73 avatar Feb 21 '24 06:02 dune73

> I think the plugin should offer that option (or any other ENV variable) for full flexibility.

It is offering it.

azurit avatar Feb 21 '24 09:02 azurit

Ready for the migration of the plugin, then I guess. :)

dune73 avatar Feb 21 '24 09:02 dune73

Can we close this one?

fzipi avatar Jun 01 '24 17:06 fzipi

@fzipi I don't see it in the plugin registry yet!?

logopk avatar Jun 01 '24 21:06 logopk

Let's keep this open until the plugin is included.

azurit avatar Jun 01 '24 21:06 azurit