"too long parameter" error on modsecurity-snippet #8032
@mac-chaffee: This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
As a temporary workaround, I was able to accomplish what I wanted with the following helm values:

```yaml
controller:
  extraVolumeMounts:
    - name: custom-modsecurity-rules
      mountPath: /etc/nginx/owasp-modsecurity-crs/custom/
  extraVolumes:
    - name: custom-modsecurity-rules
      configMap:
        name: ingress-nginx-controller
        items:
          - key: long-modsecurity-snippet
            path: custom-modsecurity-rules.conf
  config:
    enable-modsecurity: "true"
    enable-owasp-modsecurity-crs: "true"
    modsecurity-snippet: |
      SecRuleEngine On
      # Increment this to force nginx to reload the rules when you change the configmap: 1.0.1
      Include /etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity-rules.conf
    # This isn't a supported configmap value because we actually mount it as a file.
    long-modsecurity-snippet: |
      # Put your custom rules here. Max size is ~1MB instead of 4KB
```
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
@k8s-triage-robot: Closing this issue. In response to this:
The `modsecurity-snippet` configmap value is a place to put custom modsecurity rules and exceptions, but these modsecurity rules can get pretty long and verbose. Since the entirety of `modsecurity-snippet` gets templated into nginx.conf inside a `modsecurity_rules` directive, that means there's a high chance of hitting the 4096 character maximum size for nginx parameters. (should probably be mentioned in the docs for this and other long snippets).

Instead of using modsecurity-snippet, one might consider using a new ConfigMap, which you could mount with `extraVolumes`/`extraVolumeMounts` in your helm values. However, this approach means you'd have to manually reload the nginx configuration, or restart all the pods, which leads to more downtime/connection resets.

A better solution would be something like this:

1. Mount the value of `modsecurity-snippet` as a separate file inside the nginx container at `/etc/nginx/modsecurity/modsecurity-snippet.conf` or somewhere similar.
2. Rather than including the literal value of `modsecurity-snippet` inside the directive `modsecurity_rules: '...'`, include the following:

The above code will avoid the 4096-char limit while still supporting automatic reloads since the sha256sum will change whenever the content inside the configmap changes.
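A pre-deploy check combining the mounted-file workaround with the sha256 idea, as an added example (not code from this issue or from ingress-nginx): it builds the short `modsecurity-snippet` with a digest of the mounted rules in place of the hand-incremented counter, and flags any inline value over the 4096 limit. The function names, the sample rules, and measuring the limit in UTF-8 bytes of the raw value are assumptions.

```python
import hashlib

NGINX_PARAM_LIMIT = 4096  # limit quoted in the issue; byte-based accounting is an assumption
INCLUDE_PATH = "/etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity-rules.conf"


def build_values(custom_rules: str) -> dict:
    """Return the two configmap values used by the workaround.

    The short snippet carries a sha256 of the long rules in a comment, so its
    text changes whenever the rules change (replacing the manual counter).
    """
    digest = hashlib.sha256(custom_rules.encode("utf-8")).hexdigest()
    snippet = (
        "SecRuleEngine On\n"
        f"# sha256 of custom rules: {digest}\n"
        f"Include {INCLUDE_PATH}\n"
    )
    return {"modsecurity-snippet": snippet, "long-modsecurity-snippet": custom_rules}


def oversized_inline_values(values: dict, limit: int = NGINX_PARAM_LIMIT) -> list:
    """Names of values that are templated inline and exceed the limit."""
    # Only modsecurity-snippet ends up inside an nginx directive; the
    # long-modsecurity-snippet key is mounted as a file and is not checked.
    inline_keys = ("modsecurity-snippet",)
    return [k for k in inline_keys
            if len(values.get(k, "").encode("utf-8")) > limit]


# Constructed sample: 200 verbose exclusion rules, far more than fits inline.
SAMPLE_RULES = "".join(
    f'SecRule REQUEST_URI "@beginsWith /api/v{i}/upload" '
    f'"id:{10000 + i},phase:1,pass,nolog,ctl:ruleRemoveById=920420"\n'
    for i in range(200)
)

if __name__ == "__main__":
    print("inline as-is:", oversized_inline_values({"modsecurity-snippet": SAMPLE_RULES}))
    values = build_values(SAMPLE_RULES)
    print("with include:", oversized_inline_values(values))
    print(values["modsecurity-snippet"])
```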