use setenv as variable in nginx logging

[weestack]

Hello there,

In apache its possible to use environment variables defined in modsecurity for the apaches access logging, I have been trying to use the same for nginx, but so far have not been able to, is this something thats only implemented for apache?

Modescurity.con:

[...]
SecAction "id:90100,phase:5,pass,nolog,\
  setvar:TX.perf_modsecinbound=$PERF_PHASE1,\
  setvar:TX.perf_modsecinbound=+$PERF_PHASE2,\
  setvar:TX.perf_application=$TX.ModSecTimestamp3start,\
  setvar:TX.perf_application=-$TX.ModSecTimestamp2end,\
  setvar:TX.perf_modsecoutbound=$PERF_PHASE3,\
  setvar:TX.perf_modsecoutbound=+$PERF_PHASE4,\
  setenv:ModSecTimeIn=%{TX.perf_modsecinbound},\
  setenv:ApplicationTime=%{TX.perf_application},\
  setenv:ModSecTimeOut=%{TX.perf_modsecoutbound},\
  setenv:ModSecAnomalyScoreInPLs=%{tx.anomaly_score_pl1}-%{tx.anomaly_score_pl2}-%{tx.anomaly_score_pl3}-%{tx.anomaly_score_pl4},\
  setenv:ModSecAnomalyScoreOutPLs=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4},\
  setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score},\
  setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"
[...]

nginx.conf

[...]
log_format server '$remote_addr $loc $webapp [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" ss"$ModSecTimeIn"';
[...]

Where in Apache you would be able to use the env vars like this:

ErrorLogFormat          "[%{cu}t] [%-m:%-l] %-a %-L %M"
LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended

[martinhsv]

Hello @weestack ,

ModSecurity v3 supports setenv, but you will likely encounter limitations related to nginx itself. nginx doesn't support use of environment variables out-of-the-box the same way that Apache does.

I have, however, seen some users refer to some tools, such as envsubst, that do enable some such use.

The variety of contexts or use cases where such tools might meet your needs may vary.

[fatihusta]

Hi @weestack
Did you find any solution for nginx?

@martinhsv
Is it possible to set some variable to header?
Because Nginx can access to header like http_x_modsec_rule_id.

[airween]

Hi @fatihusta,

Is it possible to set some variable to header?

Yes, it is, but after a quick check I can say Nginx is not able to create header from environment variable - see previous comment.

Because Nginx can access to header like http_x_modsec_rule_id.

Yes, but the connector does not handle the previously set environment variables. (Consider which environments need to handle?)

I see the legitimacy of the your request, but at the moment it is not a priority, sorry.

If you have any solutions, please send it as pull request.

[fatihusta]

Hi @airween
Thank you for your answer.