"too long parameter" error on modsecurity-snippet

[mac-chaffee]

The modsecurity-snippet configmap value is a place to put custom modsecurity rules and exceptions, but these modsecurity rules can get pretty long and verbose. Since the entirety of modsecurity-snippet gets templated into nginx.conf inside a modsecurity_rules directive, that means there's a high chance of hitting the 4096 character maximum size for nginx parameters. (should probably be mentioned in the docs for this and other long snippets).

Instead of using modsecurity-snippet, one might consider using a new ConfigMap, which you could mount with extraVolumes/extraVolumeMounts in your helm values. However, this approach means you'd have to manually reload the nginx configuration, or restart all the pods, which leads to more downtime/connection resets.

A better solution would be something like this:

1. Mount the value of modsecurity-snippet as a separate file inside the nginx container at /etc/nginx/modsecurity/modsecurity-snippet.conf or somewhere similar.

2. Rather than including the literal value of modsecurity-snippet inside the directive modsecurity_rules: '...', include the following:

    modsecurity_rules: '
        # sha256sum:abcdef123...
        Include /etc/nginx/modsecurity/modsecurity-snippet.conf
    '
   

The above code will avoid the 4096-char limit while still supporting automatic reloads since the sha256sum will change whenever the content inside the configmap changes.

[k8s-ci-robot]

@mac-chaffee: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mac-chaffee]

As a temporary workaround, I was able to accomplish what I wanted with the following helm values:

controller:
  extraVolumeMounts:
  - name: custom-modsecurity-rules
    mountPath: /etc/nginx/owasp-modsecurity-crs/custom/
  extraVolumes:
  - name: custom-modsecurity-rules
    configMap:
      name: ingress-nginx-controller
      items:
      - key: long-modsecurity-snippet
        path: custom-modsecurity-rules.conf
config:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
  modsecurity-snippet: |
    SecRuleEngine On
    # Increment this to force nginx to reload the rules when you change the configmap: 1.0.1
    Include /etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity-rules.conf
  # This isn't a supported configmap value because we actually mount it as a file.
  long-modsecurity-snippet: |
    # Put your custom rules here. Max size is ~1MB instead of 4KB

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue or PR with /reopen
• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.