我为我的 NGINX 入口控制器创建了以下
configMap apiVersion: v1
data:
allow-snippet-annotations: "true"
enable-modsecurity: "true"
enable-owasp-modsecurity-crs: "true"
modsecurity-snippet: |-
SecRuleEngine On
SecRequestBodyAccess On
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly
SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: nginx-ingress
meta.helm.sh/release-namespace: ingress-basic
creationTimestamp: "2023-01-20T11:31:53Z"
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: nginx-ingress
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.5.1
helm.sh/chart: ingress-nginx-4.4.2
name: nginx-ingress-ingress-nginx-controller
namespace: ingress-basic
resourceVersion: "200257665"
uid: e6ab9121-9a73-47e3-83ec-6c1fa19072ee
我希望遵循 SecRule
SecRule REQUEST_URI|ARGS|QUERY_STRING "@contains attack" "id:100001,phase:1,t:lowercase,deny,status:403,msg:'Attack Detected'"
会阻止任何在 URI 或查询字符串中包含单词
attack https://secrule.sample.com/api?task=attack
但事实并非如此。我的 NGINX 入口控制器的 configMap 定义中显然缺少一些东西,但我不明白是什么。有什么线索吗?谢谢!
我想将 ModSecurity 与 NGINX 入口控制器一起使用,以阻止在查询字符串中包含给定单词的来电。
我通过转义配置映射中 SecRule 的引号和双引号解决了这个问题,如下所示:
SecRule REQUEST_URI|ARGS|QUERY_STRING \"@contains attack\" \"id:100001,phase:1,t:lowercase,deny,status:403,msg:\'Attack Detected\'\"