Unable to override SecRequestBodyAccess in ingress annotation #5612

Closed
dcherniv opened this issue May 28, 2020 · 9 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@dcherniv

NGINX Ingress controller version: 0.31.1

Kubernetes version (use kubectl version): 1.15.x EKS

Environment: AWS

  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release): Amazon OS
  • Install tools: helm
  • Others:

What happened:
modsecurity denies requests that are larger than the default body size, which is 13MB

2020/05/28 14:29:17 [error] 4449#4449: *3867114 Request body limit is marked to reject the request, client: 100.35.16.34, 

Even with the following annotation in place on the ingress resource:

    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine RelevantOnly
      SecAuditLogFormat JSON
      SecAuditLogType Serial
      SecAuditLog /dev/stdout
      SecRuleRemoveById 949110
      SecRuleRemoveById 200003
      SecRequestBodyAccess Off
      SecRule REQUEST_HEADERS:User-Agent \"fern-scanner\" \"log,deny,id:107,status:403,msg:\'Fern Scanner Identified\'\"

What you expected to happen:
Request body processing to be disabled on the ingress resource.

How to reproduce it:
Enable modsecurity with the following annotation and try to post a large file.
/kind bug

@dcherniv dcherniv added the kind/bug Categorizes issue or PR as related to a bug. label May 28, 2020
@aledbf
Member

aledbf commented May 28, 2020

@dcherniv I am awaiting feedback from the modsecurity project owasp-modsecurity/ModSecurity-nginx#183
Not their issue but the same conditions.

@dcherniv
Author

@aledbf ah, that makes sense. This issue is strange in that I can in fact override some variables but not others.
For example, the following annotation does bump the body limit:

    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRequestBodyLimit 20000000
      [...]

SecRequestBodyAccess Off in annotations has no effect however.
Just thought I'd add my findings here, in case someone else bumps into the same issue.
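Two checks an operator can run while chasing a report like the one in this thread, added here as an example (it is not code from the issue, from ingress-nginx or from ModSecurity). The first reads the directives of a `modsecurity-snippet` and reports the request-body settings it would yield; the second scans nginx error-log lines for the "Request body limit is marked to reject the request" message and tallies it per client, so a change to the snippet can be checked against what the WAF is actually blocking. It assumes ModSecurity's documented default `SecRequestBodyLimit` of 13107200 bytes, that a later directive in the same snippet overrides an earlier one, and the default `SecRequestBodyLimitAction` of `Reject` (which is what the quoted log message indicates); the sample log lines are constructed in the format of the line quoted above.

```python
"""Added example for this thread (not code from the issue, ingress-nginx or
ModSecurity): two defender-side checks for a body-limit rejection.

Assumptions:
  * ModSecurity's documented default SecRequestBodyLimit is 13107200 bytes.
  * Within one snippet a later directive overrides an earlier one.
  * SecRequestBodyLimitAction is at its default, Reject, which is what the
    "marked to reject the request" log message indicates.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

DEFAULT_BODY_LIMIT = 13_107_200  # ModSecurity default SecRequestBodyLimit (~13 MB)


@dataclass
class BodySettings:
    limit: int = DEFAULT_BODY_LIMIT
    access: bool = True
    sources: dict = field(default_factory=dict)  # directive -> snippet line number


def effective_body_settings(snippet: str) -> BodySettings:
    """Return the request-body settings a modsecurity-snippet would yield,
    applying the defaults for anything the snippet does not set."""
    settings = BodySettings()
    for lineno, raw in enumerate(snippet.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if directive == "SecRequestBodyLimit":
            settings.limit = int(arg)
            settings.sources[directive] = lineno
        elif directive == "SecRequestBodyAccess":
            settings.access = arg.lower() == "on"
            settings.sources[directive] = lineno
    return settings


def would_reject_body(settings: BodySettings, content_length: int) -> bool:
    """True when a body of content_length bytes would be rejected: the body is
    only inspected when access is on, and rejected when it exceeds the limit."""
    return settings.access and content_length > settings.limit


# nginx error-log line: "date time [level] pid#tid: *cid message, client: IP, ..."
NGINX_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<cid>\d+) (?P<msg>.*?)"
    r"(?:, client: (?P<client>[0-9a-fA-F.:]+))?(?:,.*)?\s*$"
)
BODY_LIMIT_MSG = "Request body limit is marked to reject the request"


def body_limit_rejections(log_text: str) -> Counter:
    """Count body-limit rejections per client IP in nginx error-log text.
    Lines that do not parse, or that carry another message, are ignored."""
    per_client: Counter = Counter()
    for line in log_text.splitlines():
        m = NGINX_ERROR_RE.match(line)
        if m is None or BODY_LIMIT_MSG not in m.group("msg"):
            continue
        per_client[m.group("client") or "unknown"] += 1
    return per_client


# Constructed sample log in the format of the line quoted in the issue.
SAMPLE_LOG = """\
2020/05/28 14:29:17 [error] 4449#4449: *3867114 Request body limit is marked to reject the request, client: 100.35.16.34
2020/05/28 14:29:20 [error] 4449#4449: *3867120 Request body limit is marked to reject the request, client: 100.35.16.34, server: _, request: "POST /upload HTTP/1.1"
2020/05/28 14:30:01 [error] 4450#4450: *3867300 Request body limit is marked to reject the request, client: 10.0.0.5, server: _
2020/05/28 14:30:05 [warn] 4450#4450: *3867301 ModSecurity: Warning. Access allowed (phase 2), client: 10.0.0.5
"""

if __name__ == "__main__":
    snippet = "SecRuleEngine On\nSecRequestBodyAccess Off\n"
    s = effective_body_settings(snippet)
    print(f"limit={s.limit} access={s.access} sources={s.sources}")
    print(body_limit_rejections(SAMPLE_LOG))
```

The `sources` map records which snippet line set each directive, which is the first thing to compare against the rendered nginx.conf inside the controller pod when a directive appears to have no effect.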

@aledbf
Member

aledbf commented May 28, 2020

@dcherniv at this point, because of all the issues, I am considering extracting the mod-security feature to a sidecar.
This is the start of the POC https://github.com/aledbf/blockade

@dcherniv
Author

@aledbf bummer. We just finished switching from lua-resty WAF to modsecurity :)
But happy to see there's work being done on WAF at ingress controller level still.
Let me know if you need help testing the new project.

@aledbf
Member

aledbf commented May 28, 2020

@dcherniv just to be clear, this is just a POC, and if we do something, no change to what you have now for ModSecurity would be required. That is a deal-breaker for me. The only change should be an additional container in the deployment/daemonset definition

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 26, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 25, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
