SecGeoLookupDb Not Working with Owasp CRS 4.5 Nginx Image #286

Closed
Dr-Lazarus-V2 opened this issue Sep 13, 2024 · 7 comments

@Dr-Lazarus-V2
Contributor

Issue: Lack of GeoLocation Support in OWASP CRS 4.5 Nginx Image

Description:

The OWASP CRS 4.5 Nginx Docker image, which is built on top of ModSecurity v3, is currently compiled with the following configuration flags:

    ./configure --with-yajl --with-ssdeep --with-geoip --with-pcre2 --enable-silent-rules

However, it appears that support for GeoLocation lookups is missing from this configuration, as the SecGeoLookupDb directive fails to load the GeoIP database. Specifically, the --with-maxmind flag seems to be missing, which is necessary for enabling MaxMind GeoIP database support.

Problem:

When trying to use the following configuration in ModSecurity:

    SecGeoLookupDb /path/to/GeoLite2-Country.mmdb

ModSecurity fails to load the database, resulting in the inability to block traffic based on GeoLocation. This issue affects users who need GeoIP-based rules for their Web Application Firewall (WAF) using the CRS 4.5 Nginx image.

Steps to Reproduce:

  1. Use the OWASP CRS 4.5 Nginx image.
  2. Configure SecGeoLookupDb to point to a valid GeoIP database (e.g., /path/to/GeoLite2-Country.mmdb).
  3. Attempt to block traffic based on GeoLocation rules.
  4. Observe that the GeoIP database fails to load, and GeoLocation-based blocking is unavailable.
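
For reference, an added example (not from the issue or the project's own configuration): a minimal geolocation rule set of the kind that depends on `SecGeoLookupDb` loading correctly, including a rule that logs when a lookup returns no data so the failure is visible instead of the country rule simply never matching. The rule IDs and the `XX`/`YY` country codes are constructed placeholders.

```apache
# Added example. Rule IDs (100100-100102) and country codes XX/YY are
# constructed placeholders; the database path is the one from the issue.
SecGeoLookupDb /path/to/GeoLite2-Country.mmdb

# 1) Resolve the client address. On success, @geoLookup populates the
#    GEO collection (GEO:COUNTRY_CODE and related fields).
SecRule REMOTE_ADDR "@geoLookup" \
    "id:100100,phase:1,pass,nolog,t:none"

# 2) Make lookup failures visible. An empty GEO collection means the
#    lookup returned nothing (private or unlisted address, or a database
#    that is not being read), in which case rule 3 can never match.
SecRule &GEO "@eq 0" \
    "id:100101,phase:1,pass,log,t:none,\
    msg:'GeoIP lookup returned no data for client address'"

# 3) Block by country. Replace XX and YY with ISO 3166-1 alpha-2 codes.
SecRule GEO:COUNTRY_CODE "@rx ^(?:XX|YY)$" \
    "id:100102,phase:1,deny,status:403,log,t:none,\
    msg:'Client country is on the deny list',\
    logdata:'country=%{GEO.COUNTRY_CODE}'"
```

If rule 100101 fires for every request, including ones from public addresses, the database is not being consulted at all, which is the symptom reported here.
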
@Dr-Lazarus-V2
Contributor Author

Dr-Lazarus-V2 commented Sep 13, 2024

I have a proposed solution to update the following file: modsecurity-crs-docker/nginx/Dockerfile

  1. Added libmaxminddb-dev to the list of installed packages:

    libmaxminddb-dev
  2. Modified the ModSecurity configuration to include --with-maxmind:

    ./configure --with-yajl --with-ssdeep --with-geoip --with-pcre2 --with-maxmind --enable-silent-rules;
  3. Added libmaxminddb-dev to the additional packages:

    libmaxminddb-dev

These are the main changes reflecting the use of maxmind for GeoIP lookups instead of the previous geoip module.

@theseion
Contributor

Thanks @Dr-Lazarus-V2.

@fzipi
Member

fzipi commented Sep 13, 2024

Thanks @Dr-Lazarus-V2. Can you provide a patch for nginx/Dockerfile, nginx/Dockerfile-alpine and openresty/Dockerfile-alpine? Thanks! 🚀

@Dr-Lazarus-V2
Contributor Author

@fzipi, how do I provide a patch?

@fzipi
Member

fzipi commented Sep 16, 2024

Yes, can you? Just editing the files in the web interface will guide you in the process...

@Dr-Lazarus-V2
Contributor Author

Okiee, I will try and raise a patch today.

@fzipi
Member

fzipi commented Sep 19, 2024

Fixed by #288.
