nginx modsecurity规则引发的一些问题

一、WordPress无法上传

#日志报错信息
{"transaction":{"client_ip":"111.120.147.157","time_stamp":"Mon Apr 18 14:44:27 2022","server_id":"59dc9f7d04897c359fe52b02d661b77ba2fb97ec","client_port":2065,"host_ip":"111.120.147.167","host_port":443,"unique_id":"1650264267","request":{"method":"POST","http_version":1.1,"uri":"/index.php?rest_route=%2Fwp%2Fv2%2Fposts%2F771&_locale=user","headers":{"X-WP-Nonce":"2a6c6c438f","Content-Type":"application/json","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36","Sec-Fetch-Site":"same-origin","sec-ch-ua-mobile":"?0","Origin":"https://blog.espnlol.com","X-HTTP-Method-Override":"PUT","Accept":"application/json, */*;q=0.1","sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\", \"Google Chrome\";v=\"100\"","sec-ch-ua-platform":"\"macOS\"","Referer":"https://blog.espnlol.com/wp-admin/post.php?post=771&action=edit","Content-Length":"1288","Connection":"keep-alive","Sec-Fetch-Mode":"cors","Host":"blog.espnlol.com","Sec-Fetch-Dest":"empty","Accept-Encoding":"gzip, deflate, br","Cookie":"wordpress_logged_in_08062b8c63e7assdfasdfasdfasdf97888da8eafd339=asdfsadfsadf%7C1641806981%7CBySIIywdeCyglVJ6ExK9dUodceoiNModwP4JR4w1473%7C9cc60ed2b95252351ae1d6bdecasdfasdfsadfsdfsadf6b57e92693fd30fa; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=zh_CN; wordpress_logged_in_b574904b4eac1f7594a2f13e115ceb10=asdfasdfsdfsdf%7C1650433949%7CCsIEzuxWWsadfasdfasdfasdfxuEasvnXZ2iz6KCvw7%7Ce2b13836871cd8c8ca3b61a7efc0dd0a0929dac5f37cde26cc197102a0dc3fb5; wp-settings-1=uploader%3D1%26ampampeditor%3Dtinymce%26ampaasdfsadfasdfad%26ampampimgsize%3Dfull%26ampamphidetb%3D1%26ampampposts_list_mode%3Dlist%26ampamppost_dfw%3Doff%26ampampeditor_plain_text_paste_warning%3D1%26ampampmfold%3Do; wp-settings-time-1=1650261150","Accept-Language":"zh-CN,zh;q=0.9,en;q=0.8"}},"response":{"body":"<html>\r\n<head><title>405 Not Allowed</title></head>\r\n<body>\r\n<center><h1>405 Not 
Allowed</h1></center>\r\n<hr><center>nginx/1.20.2</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n","http_code":405,"headers":{"Server":"nginx/1.20.2","Date":"Mon, 18 Apr 2022 06:44:27 GMT","Content-Length":"559","Content-Type":"text/html","Connection":"keep-alive"}},"producer":{"modsecurity":"ModSecurity v3.0.6 (Linux)","connector":"ModSecurity-nginx v1.0.2","secrules_engine":"Enabled","components":["OWASP_CRS/3.4.0-dev\""]},"messages":[{"message":"Argument value too long","details":{"match":"Matched \"Operator `Gt' with parameter `200' against variable `ARGS:json.content' (Value: `<!-- wp:heading -->\\x0a<h2>\\xe5\\x9f\\xba\\xe4\\xba\\x8edocker\\xe5\\xae\\x89\\xe8\\xa3\\x85\\xe5\\xae\\x8cnextclo (2361 characters omitted)' )","reference":"v13,1213t:length","ruleId":"920370","file":"/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","lineNumber":"828","data":"ARGS:json.content=1213","severity":"2","ver":"OWASP_CRS/3.4.0-dev","rev":"","tags":["application-multi","language-multi","platform-multi","attack-protocol","paranoia-level/1","OWASP_CRS","capec/1000/210/272"],"maturity":"0","accuracy":"0"}}]}}

#通过上述可以看出规则配置REQUEST-920-PROTOCOL-ENFORCEMENT.conf中的920370rule阻断了请求
# CRS rule 920370 ("Argument value too long"), quoted from REQUEST-920-PROTOCOL-ENFORCEMENT.conf.
# The parent rule only matches when the variable tx.arg_length exists (&TX:ARG_LENGTH counts how
# many such variables are set). The stock crs-setup.conf leaves that setting commented out, so the
# rule is inert until a deployment defines it -- the audit log above shows it was set to 200 here,
# which is why a ~2.6 KB WordPress post body (ARGS:json.content) trips it.
# Rather than editing this shipped rule file (it is overwritten on every CRS update, and the change
# weakens the check for every application behind the WAF), prefer either raising/removing the
# tx.arg_length setting in crs-setup.conf, or a targeted exclusion for the WordPress REST route,
# e.g. a phase:1 SecRule on REQUEST_URI with ctl:ruleRemoveTargetById=920370;ARGS:json.content.
# Also note that `block` is a placeholder for the disruptive action of SecDefaultAction; under the
# default CRS anomaly-scoring setup that action is `pass`, so changing it to `pass` here may have
# no effect at all -- blocking is then decided by the anomaly-score evaluation rules. Confirm which
# SecDefaultAction is in use before relying on this edit.
SecRule &TX:ARG_LENGTH "@eq 1" \
    "id:920370,\
    phase:2,\
    block,\  ---> 修改为pass即可
    t:none,\
    msg:'Argument value too long',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-protocol',\
    tag:'paranoia-level/1',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/210/272',\
    ver:'OWASP_CRS/3.4.0-dev',\
    severity:'CRITICAL',\
    chain"
    # Chained child: compares the length (t:length) of every request argument with the limit and,
    # for each oversized one, adds tx.critical_anomaly_score to the paranoia-level-1 anomaly score.
    SecRule ARGS "@gt %{tx.arg_length}" \
        "t:none,t:length,\
        setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

二、nextcloud无法打开图片及文件浏览

#日志报错信息
{"transaction":{"client_ip":"111.120.147.157","time_stamp":"Mon Apr 18 13:28:52 2022","server_id":"2cfe5f887cb2c23a7d43f5cad97bfe6480614d5d","client_port":2181,"host_ip":"111.120.147.167","host_port":8443,"unique_id":"1650259732","request":{"method":"SEARCH","http_version":1.1,"uri":"/remote.php/dav/","headers":{"Depth":"infinity","Origin":"https://pan.smszhd.com:8443","requesttoken":"asdfasdfasdfasdfasdffGhlMvzEIp9VN8XTs=:dfsadfsadfNUCvWKMnn/CbhiSy9HCF7z9VtikRnSsqdkg=","Content-Type":"text/xml","Accept-Encoding":"gzip, deflate, br","Cookie":"__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc0djgsvdlxg=asdfsdfsfc19b4638239b34f4eaca; oc_sessionPassphrase=lUIC79%2Bc7fr1oB2BST428Ys2DUBmJcGG%2FODUOpO%2F1RbTln%2BNxchinZIDrUffEsE9I8APhecA%2FhJVFoX4gdWsf%2Bar4VwkuRWnh5mlr%2F0%2Fcab%2FBasdfsdfasdf; nc_username=sadfasdf; nc_token=yWdPRU0IDJbVasdfsadfasdfasdf; nc_session_id=0198d3def292c19b4638239b34f4eaca","Content-Length":"1583","Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept":"text/plain","Cache-Control":"max-age=0","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:99.0) Gecko/20100101 Firefox/99.0","Sec-Fetch-Site":"same-origin","Sec-Fetch-Dest":"empty","Host":"pan.smszhd.com:8443","Sec-Fetch-Mode":"cors","Connection":"keep-alive"}},"response":{"body":"","http_code":405,"headers":{}},"producer":{"modsecurity":"ModSecurity v3.0.6 (Linux)","connector":"ModSecurity-nginx v1.0.2","secrules_engine":"Enabled","components":["OWASP_CRS/3.4.0-dev\""]},"messages":[{"message":"Method is not allowed by policy","details":{"match":"Matched \"Operator `Within' with parameter `GET POST PUT' against variable `REQUEST_METHOD' (Value: `SEARCH' 
)","reference":"v0,6","ruleId":"911100","file":"/etc/modsecurity.d/owasp-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf","lineNumber":"28","data":"SEARCH","severity":"2","ver":"OWASP_CRS/3.4.0-dev","rev":"","tags":["application-multi","language-multi","platform-multi","attack-generic","paranoia-level/1","OWASP_CRS","capec/1000/210/272/220/274","PCI/12.1"],"maturity":"0","accuracy":"0"}}]}}

#通过上述可以看出规则配置REQUEST-911-METHOD-ENFORCEMENT.conf中的911100rule阻断了请求，打开规则库REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf，新增下面配置：
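# Activate the CRS Nextcloud exclusion package (REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf),
# which is the CRS-supported way to allow the WebDAV verbs (such as the SEARCH that rule 911100
# rejected above) instead of loosening tx.allowed_methods globally -- verify the method list in
# that file matches what the Nextcloud client sends.
# Do NOT reuse id 911100 for this SecAction: that id already belongs to the method-enforcement
# rule in REQUEST-911-METHOD-ENFORCEMENT.conf, rule ids must be unique, and ModSecurity refuses a
# configuration that defines the same id twice. CRS reserves id 900130 in crs-setup.conf for
# exactly this flag (it ships there as a commented-out template); enable it there rather than
# appending to the 903.9003 file. If it is placed inside the 903.9003 file anyway, it must come
# before that file's own "exclusions not enabled -> skipAfter" guard rule (presumably the first
# rule in the file -- confirm), otherwise the flag is set after the exclusions were already skipped.
SecAction \
    "id:900130,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.crs_exclusions_nextcloud=1"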