Label: 3.x — Related to ModSecurity version 3.x
Hello,
I'm using the NGINX ingress controller with the OWASP ModSecurity Core Rule Set (CRS) enabled.
I tried to disable rule ID 932130 with this directive:
SecRuleRemoveById 932130
But it has no effect: requests are still blocked by 932130. (Note that `SecRuleRemoveById` only removes rules that have already been loaded at the point where it is evaluated, so it has to come after the CRS `Include`; I'm not sure whether the snippet ends up in that position in the generated config.)
I also tried disabling ModSecurity for the location entirely:
modsecurity off;
But requests are still being blocked by this rule.
This is an example of a URL that gets blocked:
https://prometheus.example.com/graph?g0.expr=sum%28apiserver_request%3Aburnrate6h%29+%3E+%286+%2A+0.01%29+and+sum%28apiserver_request%3Aburnrate30m%29+%3E+%286+%2A+0.01%29&g0.tab=1
I don't understand why, since ModSecurity is turned off for that location; one possibility is that the block is not coming from this `server` block at all but from the auth host, which receives the original URL in the `X-Original-URL` / `X-Auth-Request-Redirect` headers and in the `rd=` redirect parameter.
This is the full generated nginx `server` block for that host:
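# Generated ingress-nginx server block for prometheus.example.com.
#
# Reviewer notes on the ModSecurity question this config was posted for:
#  - `modsecurity off;` below is scoped to `location /` only. The auth_request
#    subrequest location and the named 401-redirect location do not set it and
#    therefore inherit whatever the http/server context configures.
#  - The original request URI (query string included) leaves this server block
#    in three places: the X-Original-URL and X-Auth-Request-Redirect headers sent
#    to the auth provider, and the `rd=` parameter of the 302 redirect. If
#    auth-prometheus.example.com is itself served through this ingress with the
#    CRS enabled, a 932130 block can originate there rather than here.
#  - `SecRuleRemoveById 932130` only removes a rule that has already been loaded
#    when the directive is evaluated, so it must be placed after the CRS Include.
server {
    server_name prometheus.example.com ;
    # Port 80 is kept open; the rewrite_by_lua_block below handles the
    # HTTP -> HTTPS redirect (ssl_redirect = true).
    listen 80 ;
    listen 443 ssl http2 ;
    set $proxy_upstream_name "-";
    ssl_certificate_by_lua_block {
        certificate.call()
    }

    # Internal endpoint used by `auth_request` in `location /`. Note that this
    # location carries no `modsecurity` directive of its own.
    location = /_external-auth-Lw-Prefix {
        internal;
        opentracing on;
        opentracing_propagate_context;
        # ngx_auth_request overrides variables in the parent request, so this
        # variable is set again here; when the parent request resumes it then
        # holds the correct value and Lua can pick the right backend.
        set $proxy_upstream_name "kube-system-kube-prometheus-stack-prometheus-9090";
        # Only headers are forwarded to the auth provider, never the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Forwarded-Proto "";
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header Host auth-prometheus.example.com;
        # The full original URL (scheme, host, path and query string) is sent to
        # the auth provider in the two headers below. Any WAF in front of
        # auth-prometheus.example.com will inspect these values.
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Original-Method $request_method;
        proxy_set_header X-Sent-From "nginx-ingress-controller";
        proxy_set_header X-Real-IP $remote_addr;
        # The client-supplied X-Forwarded-For is deliberately not trusted here;
        # only the peer address is forwarded.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        # SNI is required so the upstream TLS endpoint can select the right
        # certificate for auth-prometheus.example.com.
        proxy_ssl_server_name on;
        proxy_pass_request_headers on;
        client_max_body_size 50m;
        # Template placeholder: no client-certificate passthrough is configured
        # in this block.
        set $target https://auth-prometheus.example.com/oauth2/auth;
        proxy_pass $target;
    }

    # Target of `error_page 401` in `location /`: sends unauthenticated clients
    # to the OAuth2 start endpoint. Like the auth location above, it carries no
    # `modsecurity` directive of its own.
    location @5c97d2746132ef94f9a5b8a8b8ee8f6977b04d56 {
        internal;
        add_header Set-Cookie $auth_cookie;
        # The original URL is carried in the `rd` query parameter. It must be
        # percent-encoded: a raw $request_uri containing `&` (as the Prometheus
        # /graph URLs do) would be split into separate query parameters by the
        # auth provider and the remainder of the original URL lost. The literal
        # `https%3A%2F%2F` prefix shows the value was intended to be encoded;
        # $escaped_request_uri is computed by set_escape_uri in `location /`
        # during the rewrite phase, before the 401 internal redirect, so it is
        # available here.
        return 302 https://auth-prometheus.example.com/oauth2/start?rd=https%3A%2F%2F$host$escaped_request_uri;
    }

    location / {
        set $namespace "kube-system";
        set $ingress_name "kube-prometheus-stack-prometheus";
        set $service_name "kube-prometheus-stack-prometheus";
        set $service_port "9090";
        set $location_path "/";
        opentracing off;
        rewrite_by_lua_block {
            lua_ingress.rewrite({
                force_ssl_redirect = false,
                ssl_redirect = true,
                force_no_ssl_redirect = false,
                use_port_in_redirects = false,
            })
            balancer.rewrite()
            plugins.run()
        }
        # Be careful with `access_by_lua_block` together with `satisfy any`:
        # `satisfy any` always succeeds when an `access_by_lua_block` is present
        # that does not call `ngx.exit(ngx.DECLINED)`, which renders every other
        # authentication method (basic auth, external auth) useless - all
        # requests would be allowed.
        #access_by_lua_block {
        #}
        header_filter_by_lua_block {
            lua_ingress.header()
            plugins.run()
        }
        body_filter_by_lua_block {
        }
        log_by_lua_block {
            balancer.log()
            monitor.call()
            plugins.run()
        }
        rewrite_log on;
        port_in_redirect off;
        set $balancer_ewma_score -1;
        set $proxy_upstream_name "kube-system-kube-prometheus-stack-prometheus-9090";
        set $proxy_host $proxy_upstream_name;
        set $pass_access_scheme $scheme;
        set $pass_server_port $server_port;
        set $best_http_host $http_host;
        set $pass_port $pass_server_port;
        set $proxy_alternative_upstream_name "";
        # Disables ModSecurity for requests handled by THIS location only. It
        # does not cover the auth subrequest or the 401 redirect locations
        # above, nor any other server block the request is forwarded to.
        modsecurity off;
        # This location requires authentication.
        auth_request /_external-auth-Lw-Prefix;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;
        # Percent-encoded copy of the request URI, used by the 401 redirect.
        set_escape_uri $escaped_request_uri $request_uri;
        error_page 401 = @5c97d2746132ef94f9a5b8a8b8ee8f6977b04d56;
        limit_conn kube-system_kube-prometheus-stack-prometheus_a58436f5-6545-428b-9a98-b7110da050b2_conn 200;
        limit_req zone=kube-system_kube-prometheus-stack-prometheus_a58436f5-6545-428b-9a98-b7110da050b2_rps burst=375 nodelay;
        limit_req zone=kube-system_kube-prometheus-stack-prometheus_a58436f5-6545-428b-9a98-b7110da050b2_rpm burst=4500 nodelay;
        client_max_body_size 50m;
        proxy_set_header Host $best_http_host;
        # Template placeholder: no client-certificate passthrough is configured
        # in this block.
        # Allow websocket connections.
        proxy_set_header Upgrade $http_upgrade;
        # NOTE(review): a WebSocket upgrade needs `Connection: upgrade` whenever
        # an Upgrade header is present; with a fixed `keep-alive` the upgrade
        # is unlikely to succeed. The usual fix is a `map $http_upgrade
        # $connection_upgrade` in the http context, which is outside this block
        # - confirm against the controller's http-level config.
        proxy_set_header Connection keep-alive;
        proxy_set_header X-Request-ID $req_id;
        proxy_set_header X-Real-IP $remote_addr;
        # Client-supplied X-Forwarded-For is not trusted; only the peer address
        # is forwarded. The original header value is preserved separately below.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $best_http_host;
        proxy_set_header X-Forwarded-Port $pass_port;
        proxy_set_header X-Forwarded-Proto $pass_access_scheme;
        proxy_set_header X-Scheme $pass_access_scheme;
        # Pass the original X-Forwarded-For.
        proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
        # Mitigate the HTTPoxy vulnerability: never forward a client-supplied
        # Proxy header, which a CGI-style backend would expose as HTTP_PROXY.
        # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
        proxy_set_header Proxy "";
        # Custom headers to the proxied server: none configured.
        proxy_connect_timeout 5s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_buffering off;
        proxy_buffer_size 4k;
        proxy_buffers 4 4k;
        proxy_max_temp_file_size 1024m;
        proxy_request_buffering on;
        proxy_http_version 1.1;
        proxy_cookie_domain off;
        proxy_cookie_path off;
        # In case of errors try the next upstream server before returning an error.
        proxy_next_upstream error timeout;
        proxy_next_upstream_timeout 0;
        proxy_next_upstream_tries 3;
        # Response security headers. `more_set_headers` replaces any value the
        # upstream sent, so each header is set exactly once here (the original
        # config set X-Content-Type-Options twice).
        more_set_headers "server: saffer";
        more_set_headers "X-Content-Type-Options: nosniff";
        more_set_headers "X-Frame-Options: DENY";
        more_set_headers "X-Permitted-Cross-Domain-Policies: none";
        more_set_headers "Referrer-Policy: no-referrer";
        more_set_headers "X-Download-Options: noopen";
        more_set_headers "X-Robots-Tag: none";
        # NOTE(review): X-XSS-Protection is deprecated and its auditor has been
        # removed from current browsers; current guidance is to send `0` (or omit
        # it) and rely on the CSP below. Left unchanged here.
        more_set_headers "X-Xss-Protection: 1; mode=block";
        # CSP as configured, with one correction: 'unsafe-inline' was listed
        # under connect-src, where browsers ignore it (it only applies to
        # script-src/style-src), so it is dropped. script-src/style-src still
        # allow 'unsafe-inline' and object-src is 'self'; tightening those is a
        # policy decision that depends on what the Prometheus UI needs.
        more_set_headers "Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' ;manifest-src 'self'; connect-src 'self';media-src 'self'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'none'; frame-src 'self'; object-src 'self'; base-uri 'self' ;form-action 'self';";
        proxy_pass http://upstream_balancer;
        proxy_redirect off;
    }
}
## end server prometheus.example.com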