Custom error page not shown when ModSecurity found something.

[LeeShan87]

Hi All,

I want to show a custom error page to our clients, when and only when our WAF block their request.
Something like: Your request made something nasty. If you think this was a false positive alert, please contact with our support.

Our current configuration:
Nginx: 1.12.0
Modsecurity: v3/master
Modsecurity-nginx: master

An example Nginx config:

worker_processes  auto;

events {
    worker_connections  1024;
    use epoll;
}

http {
 server {
        listen 80 default_server;
        server_name  localhost;
	# Error page will be shown, but nothing will be logged.
        error_page 403 404 /40x.html;
        location = /40x.html {
	# If I add the same ModSecurity configurations here too, then it will auditlog for this location too, 
        # but the default Nginx error page will be shown.
        # And it will not work as expected, if multiple ModSecurity rule configuration is used.
        modsecurity On;
        root /srv/http;
        internal;
        modsecurity_rules '
                SecRuleEngine On
                SecAuditEngine On
                SecAuditLogParts ABIJDEFHZ
                SecAuditLogType Serial
                SecAuditLog /tmp/modsec_audit.log
                SecDebugLog "/tmp/debug_log.txt"
                SecDebugLogLevel 9
                SecRule ARGS "test" "log,id:1,block,deny,status:403"
        ';
        }

        location / {
		    # If ModSecurity found something, error page will not shown,
                    # if custom error page defined here.
		    # But logging will be ok.
			error_page 403 404 /40x.html;
			location = /40x.html {
			root /srv/http;
			internal;
			}

            modsecurity On;
            modsecurity_rules '
                SecRuleEngine On
                SecAuditEngine On
                SecAuditLogParts ABIJDEFHZ
                SecAuditLogType Serial
                SecAuditLog /tmp/modsec_audit.log
                SecDebugLog "/tmp/debug_log.txt"
                SecDebugLogLevel 9
                SecRule ARGS "test" "log,id:1,block,deny,status:403"
            ';
       }
    }
}

I already tried:
https://.com/SpiderLabs/ModSecurity/issues/1459
https://.com/SpiderLabs/ModSecurity-nginx/issues/55

[AirisX]

Hello,

logging actions are performed in the ngx_http_modsecurity_log_handler which registered on the NGX_HTTP_LOG_PHASE. This handler performed last in Nginx-connector module.

Let's say we defining the custom error page like this:

server {
        listen 80 default_server;
        server_name  localhost;

        error_page 403 404 /40x.html;

        location = /40x.html {
                root /srv/http;
                internal;
        }

        location / {
            modsecurity On;
            modsecurity_rules '
                SecRuleEngine On
                SecAuditEngine On
                SecAuditLogParts ABIJDEFHZ
                SecAuditLogType Serial
                SecAuditLog /tmp/modsec_audit.log
                SecDebugLog "/tmp/debug_log.txt"
                SecDebugLogLevel 9
                SecRule ARGS "test" "log,id:1,block,deny,status:403"
            ';
       }
    }

In this case after ModSecurity found something the request will be redirected to our custom page. Error page will be shown correctly. But there are no audit log entries because ngx_http_modsecurity_log_handler will not be executed after the redirection. And I think this is the main problem here.

[AirisX]

Hi @LeeShan87,

I'm trying to fix this problem here #90. Could you apply this and check changes in you case?

[met3or]

@AirisX - Following the compilation recipe for CentOS 7 here:
https://.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes#centos-7-minimal

And using the altered src/ngx_http_modsecurity_module.c file suggested in your , I am unable to compile nginx.

/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:22:8: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before string constant
 nclude "stdio.h"
        ^
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_process_intervention’:
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:201:13: error: ‘retur’ undeclared (first use in this function)
             retur
             ^
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:201:13: note: each undeclared identifier is reported only once for each function it appears in
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:202:9: error: expected ‘;’ before ‘}’ token
         }
         ^
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c: At top level:
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:389:5: error: ‘ngx_http_modsecurity_init’ undeclared here (not in a function)
     ngx_http_modsecurity_init,              /* postconfiguration */
     ^
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c: In function ‘ngx_http_modsecurity_init’:
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:423:26: error: unused variable ‘h_log’ [-Werror=unused-variable]
     ngx_http_handler_pt *h_log;
                          ^
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c: At top level:
/opt/ModSecurity-nginx/src/ngx_http_modsecurity_module.c:419:1: error: ‘ngx_http_modsecurity_init’ defined but not used [-Werror=unused-function]
 ngx_http_modsecurity_init(ngx_conf_t *cf)
 ^
cc1: all warnings being treated as errors
make[1]: *** [objs/addon/src/ngx_http_modsecurity_module.o] Error 1
make[1]: Leaving directory `/opt/nginx-1.9.2'
make: *** [build] Error 2

Are the errors generated, happy to help test this for you as I'm interested in having custom error pages too, let me know if there are any updates to this :)

Thanks,
met3or

[AirisX]

Hi @met3or,

Are you sure that proposed applied correctly? For example you have undeclared directive retur (there is no n at the end) that this doesn't contain. Please see the diff one more - https://.com/SpiderLabs/ModSecurity-nginx/pull/90/files?diff=split

Thank you!

[met3or]

Hi @AirisX - I'll copy the file across so I'm using the exact one, I'll try another time and feedback :)

Thanks for getting back in touch!

[met3or]

Hi @AirisX - Apologies for my hasty attempt earlier, using the correct I am able to successfully log a ModSecurity rule whilst also displaying the custom error page.

Looks good so far! 👍

[met3or]

Hi @AirisX - Just to confirm that I'm able to get this working as I had expected however, when running modsecurity outside of the location block in the configuration the custom defined error page does not display.

I feel this is worth mentioning.

Otherwise experiencing great results!

[AirisX]

@met3or could you provide your config here?

[AirisX]

Hi @met3or,

In order to resolve this problem you need to set modsecurity off; in location with custom error page, like this:

error_page 403 404 /40x.html;

location = /40x.html {
    root /srv/http;
    modsecurity off;
    internal;
}

The problem is that if ModSecurity is enabled in the server context, all of its locations inherit these settings. When ModSecurity will finds something nasty and thrown 403 response, the internal redirection mechanism will redirects this response to a location with a custom error page. Since this location also includes ModSecurity, the custom error page is not displayed. The request is checked again (as you can see in audit log entries). Of course, this is not the expected behavior. To change this you should disable ModSecurity at a location that contains custom error page.

[victorhora]

Maybe recursive_error_pages would change the inheritance behaviour as suggested at owasp-modsecurity/ModSecurity#1672 (comment)

[AirisX]

@victorhora recursive_error_pages do not change the inheritance behaviour in this case.

[msamad]

Hi guys,
Thank you for all the comments above, helped me work around ModSecurity for this issue. It is a bit ugly but works. If we set modsecurity off; then we lose the audit log. Keeping modsecurity on; and just skipping the modsecurity rules in error_page location works.

        location / {
            modsecurity On;
            .......... modsecurity rules ........

            error_page 403 /40x.html;
            location = /40x.html {
                root /srv/http;
                internal;
                modsecurity_rules '
                    SecRule REQUEST_URI "@beginsWith /" "id:1,pass,phase:1,skipAfter:END-RESPONSE-980-CORRELATION"
                    SecRule REQUEST_URI "@beginsWith /" "id:2,pass,phase:2,skipAfter:END-RESPONSE-980-CORRELATION"
                ';
            }
       }

So now, when ModSecurity throws 403 and the internal redirect happens, the rules don't run and a custom page is shown.

Any better way to skip the rules than mentioned above?

[msamad]

Sorry, my bad. Jumped to conclusion too early. The issue persists, the original audit log still does not appear. It was the audit log by skipAfter rules that was passing the test cases. :(