Nginx: Ingress Issue while having modsecurity rules defined #335

Hemapriya0611 opened this issue Jan 6, 2025 · 1 comment

@Hemapriya0611

Resource: "networking.k8s.io/v1, Resource=ingresses", GroupVersionKind: "networking.k8s.io/v1, Kind=Ingress" Name: "xxx", Namespace: "yyy" for: "a1a.yaml": Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": failed to call webhook: Post "https://nginx-ingress-nginx-controller-admission.nginx.svc:443/networking/v1/ingresses?timeout=30s": net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Sample modsec rules defined in the ingress:

```yaml
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
  Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
  SecRuleEngine On
  SecRequestBodyAccess Off
  SecRule REQUEST_COOKIES_NAMES "@contains JSESSIONID" "id:51,allow,ctl:ruleRemoveById=932100,ctl:ruleRemoveById=942430,ctl:ruleRemoveById=942440,ctl:ruleRemoveById=942450"
  SecRule ARGS_NAMES "@contains routineArgs" "id:52,allow,ctl:ruleRemoveById=942110,ctl:ruleRemoveById=942370"
  SecRule ARGS_NAMES "@contains LogicalScreenModel[1].IRIS" "id:53,allow,ctl:ruleRemoveById=920230,ctl:ruleRemoveById=942190,ctl:ruleRemoveById=942400,ctl:ruleRemoveById=942430"
  SecRule ARGS_NAMES "@contains ARGS" "id:54,allow,ctl:ruleRemoveById=942200,ctl:ruleRemoveById=942110"
  SecRule ARGS_NAMES "@contains code" "id:55,allow,ctl:ruleRemoveById=942430"
  SecRule REQUEST_HEADERS_NAMES "@contains host" "id:56,allow,ctl:ruleRemoveById=931130"
  SecRule ARGS_NAMES "@contains $select" "id:57,allow,ctl:ruleRemoveById=942360"
  SecRule ARGS_NAMES "@contains baseIdToVersionMap" "id:58,allow,ctl:ruleRemoveById=942200,ctl:ruleRemoveById=942260,ctl:ruleRemoveById=942330,ctl:ruleRemoveById=942340,ctl:ruleRemoveById=942370"
  SecRule REQUEST_COOKIES_NAMES "@contains user_to_recent_app_map" "id:59,allow,ctl:ruleRemoveById=942200,ctl:ruleRemoveById=942260,ctl:ruleRemoveById=942330,ctl:ruleRemoveById=942340,ctl:ruleRemoveById=942370"
  SecRule REQUEST_URI "@contains .profile" "id:60,allow"
  SecRule ARGS_NAMES "@beginsWith attributeListView" "id:61,allow"
  SecRuleRemoveById 913101 920300 942430 930130
```

It does not consistently happen on the same ingress; it happens on application of 6 or more ingress.yaml files. Each ingress does not have more than 6 paths defined.

If the webhook validation is turned off, the ingresses get applied, but the nginx pod ends up in CrashLoopBackOff with the pod logs given below:

```
"New leader elected" identity="nginx-ingress-nginx-controller-7794c6bf65-vxwcm"
I1230 15:28:52.859767 6 sigterm.go:36] "Received SIGTERM, shutting down"
I1230 15:28:52.859806 6 nginx.go:393] "Shutting down controller queues"
I1230 15:28:52.876000 6 nginx.go:401] "Stopping admission controller"
E1230 15:28:52.876089 6 nginx.go:340] "Error listening for TLS connections" err="http: Server closed"
I1230 15:28:52.876100 6 nginx.go:409] "Stopping NGINX process"
E1230 15:28:52.932112 6 controller.go:208] Unexpected failure reloading the backend:
signal: terminated
E1230 15:28:52.932235 6 queue.go:131] "requeuing" err=<
signal: terminated
```

```
"Stopping admission controller"
E1230 15:19:35.638124 7 nginx.go:340] "Error listening for TLS connections" err="http: Server closed"
I1230 15:19:35.638133 7 nginx.go:409] "Stopping NGINX process"
W1230 15:19:39.035919 7 controller.go:244] Dynamic reconfiguration failed (retrying; 5 retries left): Post "http://127.0.0.1:10246/configuration/backends": dial tcp 127.0.0.1:10246: connect: connection refused
E1230 15:19:48.011109 7 queue.go:76] "queue has been shutdown, failed to enqueue" key="&ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ManagedFields:[]ManagedFieldsEntry{},}"
W1230 15:19:52.868706 7 controller.go:244] Dynamic reconfiguration failed (retrying; 4 retries left): Post "http://127.0.0.1:10246/configuration/backends": dial tcp 127.0.0.1:10246: connect: connection refused
2024/12/30 15:19:35 [notice] 4580#4580: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 24802/0/0)
2024/12/30 15:19:35 [notice] 4580#4580: signal process started
signal process started
E1230 15:20:48.011198 7 queue.go:76] "queue has been shutdown, failed to enqueue" key="&ObjectMeta{Name:sync status,GenerateName:,Namespace:,SelfLink:,UID:,ResourceVersion:,Generation:0,CreationTimestamp:0001-01-01 00:00:00 +0000 UTC,DeletionTimestamp:,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{},OwnerReferences:[]OwnerReference{},Finalizers:[],ManagedFields:[]ManagedFieldsEntry{},}"
```

How can nginx be made to work with modsecurity implemented?
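The snippet in the report is a single inline annotation whose SecRule actions are easy to mistype. As an added example (not code from the reporter or from the ModSecurity project), this stdlib-only Python lint parses a `modsecurity-snippet` into its SecRule directives and flags duplicate rule ids, unknown `ctl:` actions and non-numeric `ruleRemoveById` values before the manifest is applied, so a malformed snippet is caught on a workstation rather than by the admission webhook. The sample snippet is constructed: rules 51 and 52 are taken from the report, the repeated id and the misspelt ctl action are planted.

```python
import re
import shlex

# ctl options accepted by ModSecurity v3; the engine matches them case-insensitively
KNOWN_CTL = {"auditengine", "auditlogparts", "debugloglevel", "forcerequestbodyvariable",
             "requestbodyaccess", "requestbodylimit", "requestbodyprocessor", "ruleengine",
             "ruleremovebyid", "ruleremovebymsg", "ruleremovebytag",
             "ruleremovetargetbyid", "ruleremovetargetbymsg", "ruleremovetargetbytag"}
ID_RANGE_RE = re.compile(r"^\d+(-\d+)?$")  # ruleRemoveById takes one id or an id range

# Constructed sample: rules 51/52 come from the report, line 5 and line 6 are planted defects.
SAMPLE = """\
Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
SecRuleEngine On
SecRule REQUEST_COOKIES_NAMES "@contains JSESSIONID" "id:51,allow,ctl:ruleRemoveById=932100,ctl:ruleRemoveById=942430"
SecRule ARGS_NAMES "@contains routineArgs" "id:52,allow,ctl:ruleRemoveById=942110,ctl:ruleRemoveById=942370"
SecRule REQUEST_URI "@contains .profile" "id:51,allow"
SecRule ARGS_NAMES "@contains code" "id:55,allow,ctl:ruleRemoveID=942430"
SecRuleRemoveById 913101 920300 942430 930130
"""


def parse_secrules(snippet):
    """Yield (line_no, actions) for every SecRule; other directives are skipped."""
    for no, line in enumerate(snippet.splitlines(), 1):
        parts = shlex.split(line, comments=True)  # honours the quoting SecRule uses
        if len(parts) >= 3 and parts[0] == "SecRule":
            actions = parts[3].split(",") if len(parts) > 3 else []
            yield no, [a.strip() for a in actions if a.strip()]


def lint_snippet(snippet):
    """Return a list of findings; an empty list means the snippet passed."""
    findings, seen = [], {}
    for no, actions in parse_secrules(snippet):
        ids = [a[3:] for a in actions if a.startswith("id:")]
        if len(ids) != 1:
            findings.append(f"line {no}: SecRule must carry exactly one id")
        elif ids[0] in seen:  # ids must be unique within one configuration scope
            findings.append(f"line {no}: duplicate id {ids[0]} (first seen on line {seen[ids[0]]})")
        else:
            seen[ids[0]] = no
        for act in actions:
            if act.startswith("ctl:"):
                name, _, value = act[4:].partition("=")
                if name.lower() not in KNOWN_CTL:
                    findings.append(f"line {no}: unknown ctl action '{name}'")
                elif name.lower() == "ruleremovebyid" and not ID_RANGE_RE.match(value):
                    findings.append(f"line {no}: ctl:ruleRemoveById needs a rule id or range, got '{value}'")
    return findings
```

Running `lint_snippet(SAMPLE)` reports the repeated id 51 on line 5 and the unknown `ruleRemoveID` action on line 6; the same function can be pointed at the block scalar extracted from each ingress manifest in CI.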

@airween
Member

airween commented Jan 13, 2025

Hi @Hemapriya0611,

Thanks for reporting this. Unfortunately I have never used Ingress, so I can't help with this.

I can just add here that in the "regular" way the connector and library work as we expect, so I assume this is some Ingress issue.
