Skip to content

feat: set correct hostname in log produced by Nginx #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

feat: set correct hostname in log produced by Nginx #353

wants to merge 2 commits into from

Conversation

airween
Copy link
Member

@airween airween commented Apr 27, 2025

Reason

There was a discussion about this feature: #ModSecurity/3200

Current behavior: if ModSecurity catches an attack then it produces log entries. The problem is that the [hostname] field contains the server's IP address - which carries no information at all:

ModSecurity: Warning. ... [hostname "18.19.20.21"] [uri "/xmlrpc.php"]... client: 91.92.93.94, server: www.myserver.com, request: "POST /xmlrpc.php HTTP/1.1", host: "www.myserver.com"

At the end of the line, Nginx (and not ModSecurity) puts other fields, like server and host, but unfortunately those can be truncated if the other parts of line are too long, eg. [data] field by ModSecurity, or request field by Nginx, because Nginx truncates the log line after 2048 bytes.

The other advantage of this patch that now the fields will be the same as in case of mod_security2, so parsing the lines (hopefully) will be easier.

Note, that previously I sent a PR to ModSecurity, but it was rejected. Now the result is the same but the solution is completely different, because the library gets the value from the HTTP server.

How does it work

In ngx_http_modsecurity_rewrite.c there is a new block (with a compilation condition - it needs libmodsecurity3 3.0.13 at least, because msc_set_request_hostname was implemented in that version). In this block the module try to get the Host header from the request which processed by Nginx. If there is no Host header (eg. in case of HTTP/1.0) or the length is 0, then it gets the server_name value from the used virtualhost context - note, that it can be "_" in default config. Also if there is no Host header, Nginx will apply the default vhost, so the line will looks like [hostname "_"].

In other cases (there is a Host header) that value will be in [hostname] field.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@dune73
Copy link
Member

dune73 commented Apr 27, 2025

Could give us three times the same alert in ModSec2, ModSec3-without-patch and ModSec3-with-patch? That would be easier to understand.

@airween
Copy link
Member Author

airween commented Apr 27, 2025

Sure.

The request:

curl -v -H "Host: foobar.com" "http://172.35.40.12/?q=/bin/bash"

Apache2 log:

ModSecurity: Warning. .... [file "...REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "626"] [id "932160"] ... [tag "application-multi"] ... [tag "PCI/6.5.2"] [hostname "foobar.com"] [uri "/"]

Libmodsecurity3 + Nginx without patch:

ModSecurity: Warning. ... [file "...REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "606"] [id "932160"] ... [tag "application-multi"] ... [tag "PCI/6.5.2"] [hostname "172.35.40.12"] [uri "/"]

Libmodsecurity3 + Nginx with patch:

ModSecurity: Warning. ... [file "...REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "606"] [id "932160"] ... [tag "application-multi"] ... [tag "PCI/6.5.2"] [hostname "foobar.com"] [uri "/"]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@airween @dune73