NGINX Dynamic Module support

[LinuxJedi]

Lets you compile the module with Dynamic Module in NGINX 1.9.11 onwards.
Simply compile with --add-dynamic-module instead of --add-module and use
the load_module directive in the NGINX configuration file to use.

See:

• https://www.nginx.com/resources/wiki/extending/
• https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/

[zimmerle]

Hi @LinuxJedi,

Thank you for the patch! that is really cool feature. I would like to share some concerns about having the ModSecurity library in a location that is not standard. In the second step of the compilation, while compiling the ngx_http_modsecurity.org as a shared object, we have the following:

(...)
cc -o objs/ngx_http_modsecurity.so \
objs/addon/src/ngx_http_modsecurity_module.o \
objs/addon/src/ngx_http_modsecurity_pre_access.o \
objs/addon/src/ngx_http_modsecurity_header_filter.o \
objs/addon/src/ngx_http_modsecurity_body_filter.o \
objs/addon/src/ngx_http_modsecurity_log.o \
objs/addon/src/ngx_http_modsecurity_rewrite.o \
objs/ngx_http_modsecurity_modules.o \
 \
-shared
(...)

as expected in this scenario, the generated object is not linked with the ModSecurity library (neither to other dependencies):

(zimmerle@BeTuCaX)-(~/core/nginx-1.9.11)$ ldd /tmp/buildbot/mainline/modules/ngx_http_modsecurity.so
    linux-vdso.so.1 =>  (0x00007ffe68f66000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fea3da25000)
    /lib64/ld-linux-x86-64.so.2 (0x000055d412920000)

Dynamic loading this object in nginx, naturally leads to missing symbols during the run time. As demonstrated below:

(zimmerle@BeTuCaX)-(~/core/nginx-1.9.11)$ sudo /tmp/buildbot/mainline/sbin/nginx 
nginx: [emerg] dlopen() "/tmp/buildbot/mainline/modules/ngx_http_modsecurity.so" failed (/tmp/buildbot/mainline/modules/ngx_http_modsecurity.so: undefined symbol: msc_create_rules_set) in /tmp/buildbot/mainline/conf/nginx.conf:10

We can have a workable version, by extending the linker options to the modsecurity object generation, as following:

cc -o objs/ngx_http_modsecurity.so objs/addon/src/ngx_http_modsecurity_module.o objs/addon/src/ngx_http_modsecurity_pre_access.o objs/addon/src/ngx_http_modsecurity_header_filter.o objs/addon/src/ngx_http_modsecurity_body_filter.o objs/addon/src/ngx_http_modsecurity_log.o objs/addon/src/ngx_http_modsecurity_rewrite.o objs/ngx_http_modsecurity_modules.o  -shared -ldl -lpthread -lcrypt -Wl,-rpath,/usr/local/modsecurity/lib -L/usr/local/modsecurity/lib -lmodsecurity -lpcre -lssl -lcrypto -lz -Wl,-E

This lead us to a fully constructed ELF with all the symbols resolved:

(zimmerle@BeTuCaX)-(~/core/nginx-1.9.11)$ ldd objs/ngx_http_modsecurity.so 
    linux-vdso.so.1 =>  (0x00007ffec0b80000)
    libmodsecurity.so.3 => /usr/local/modsecurity/lib/libmodsecurity.so.3 (0x00007fbd95577000)
    libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fbd952ba000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fbd94eef000)
    librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fbd94ce7000)
    libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007fbd94a78000)
    libGeoIP.so.1 => /usr/lib/x86_64-linux-gnu/libGeoIP.so.1 (0x00007fbd94847000)
    libyajl.so.2 => /usr/lib/x86_64-linux-gnu/libyajl.so.2 (0x00007fbd9463c000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fbd942ba000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fbd940a2000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fbd93e84000)
    /lib64/ld-linux-x86-64.so.2 (0x000055dfb7ee9000)
    libidn.so.11 => /usr/lib/x86_64-linux-gnu/libidn.so.11 (0x00007fbd93c51000)
    librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007fbd93a33000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007fbd937ca000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fbd93388000)
    libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fbd9313d000)
    liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007fbd92f2e000)
    libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007fbd92cdc000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fbd92ac1000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fbd927b9000)
    libgnutls-deb0.so.28 => /usr/lib/x86_64-linux-gnu/libgnutls-deb0.so.28 (0x00007fbd9249c000)
    libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007fbd92269000)
    libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007fbd92033000)
    libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fbd91db2000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fbd91bae000)
    libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fbd918dc000)
    libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fbd916ac000)
    libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fbd914a8000)
    libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fbd9129d000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fbd91080000)
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fbd90e65000)
    libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007fbd90c25000)
    libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fbd909bf000)
    libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fbd907ac000)
    libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fbd905a7000)
    libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007fbd9039e000)
    libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007fbd90114000)
    libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007fbd8fe70000)
    libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007fbd8fc3d000)
    libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007fbd8fa28000)
    libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007fbd8f81f000)
    libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007fbd8f5f6000)
    libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007fbd8f3e7000)
    libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007fbd8f19b000)
    libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007fbd8eece000)
    libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fbd8ec96000)

I am doing something wrong? or we may want to extend the linker options to the shared objects as well?

In case you want to see the full compilation log (along with the configuration options), it is available here: https://gist.github.com/zimmerle/5cab0a1bb2c51eb31810

Thanks again for the patch!

[LinuxJedi]

hmm... good point. Let me look over it again and see if I can improve that situation.

[LinuxJedi]

ok, please try this version of the patch. Hopefully you can see what I'm doing here but please let me know if you need me to explain any of it.

[zimmerle]

Hi @LinuxJedi,

Working like a charm! thanks again for patch. Merged on master' andexperimental' branches.

[GenericUK]

Has anyone confirmed this working?

I'm getting the following after compiling with nginx-1.10.3
module "/usr/share/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible

[zimmerle]

Hi @GenericUK,

Yep. It should be working fine. Are you compiling your nginx server and the module on the very same machine?

[GenericUK]

@zimmerle Thanks

Yes! But I have Nginx installed from my distro repository (Raspbian/Debian stretch) and then I downloaded the same version direct from Nginx for the build. I guess the flags used in ./configure might be different between the two. I don't know how/or if I can update the ./configure to match nginx -V

[GenericUK]

Here's my config using my installed Nginx options from nginx -V (excluding modules). It checks fine and make completes. Still the same not binary compatible message.

pi@raspberrypi:/opt/nginx-1.10.3 $ sudo NO_WARNING_CHECKS=yes ./configure --add-dynamic-module=/opt/ModSecurity-nginx --with-openssl=/usr/bin/openssl --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-mf9ymV/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi
checking for OS

• Linux 4.4.50-v7+ armv7l
  checking for C compiler ... found
• using GNU C compiler
• gcc version: 4.9.2 (Raspbian 4.9.2-10)
  checking for gcc -pipe switch ... found
  checking for --with-ld-opt="-Wl,-z,relro -Wl,-z,now" ... found
  checking for -Wl,-E switch ... found
  checking for gcc builtin atomic operations ... found
  checking for C99 variadic macros ... found
  checking for gcc variadic macros ... found
  checking for gcc builtin 64 bit byteswap ... found
  checking for unistd.h ... found
  checking for inttypes.h ... found
  checking for limits.h ... found
  checking for sys/filio.h ... not found
  checking for sys/param.h ... found
  checking for sys/mount.h ... found
  checking for sys/statvfs.h ... found
  checking for crypt.h ... found
  checking for Linux specific features
  checking for epoll ... found
  checking for EPOLLRDHUP ... found
  checking for O_PATH ... found
  checking for sendfile() ... found
  checking for sendfile64() ... found
  checking for sys/prctl.h ... found
  checking for prctl(PR_SET_DUMPABLE) ... found
  checking for sched_setaffinity() ... found
  checking for crypt_r() ... found
  checking for sys/vfs.h ... found
  checking for nobody group ... not found
  checking for nogroup group ... found
  checking for poll() ... found
  checking for /dev/poll ... not found
  checking for kqueue ... not found
  checking for crypt() ... not found
  checking for crypt() in libcrypt ... found
  checking for F_READAHEAD ... not found
  checking for posix_fadvise() ... found
  checking for O_DIRECT ... found
  checking for F_NOCACHE ... not found
  checking for directio() ... not found
  checking for statfs() ... found
  checking for statvfs() ... found
  checking for dlopen() ... not found
  checking for dlopen() in libdl ... found
  checking for sched_yield() ... found
  checking for SO_SETFIB ... not found
  checking for SO_REUSEPORT ... found
  checking for SO_ACCEPTFILTER ... not found
  checking for IP_RECVDSTADDR ... not found
  checking for IP_PKTINFO ... found
  checking for IPV6_RECVPKTINFO ... found
  checking for TCP_DEFER_ACCEPT ... found
  checking for TCP_KEEPIDLE ... found
  checking for TCP_FASTOPEN ... found
  checking for TCP_INFO ... found
  checking for accept4() ... found
  checking for eventfd() ... found
  checking for int size ... 4 bytes
  checking for long size ... 4 bytes
  checking for long long size ... 8 bytes
  checking for void * size ... 4 bytes
  checking for uint32_t ... found
  checking for uint64_t ... found
  checking for sig_atomic_t ... found
  checking for sig_atomic_t size ... 4 bytes
  checking for socklen_t ... found
  checking for in_addr_t ... found
  checking for in_port_t ... found
  checking for rlim_t ... found
  checking for uintptr_t ... uintptr_t found
  checking for system byte ordering ... little endian
  checking for size_t size ... 4 bytes
  checking for off_t size ... 8 bytes
  checking for time_t size ... 4 bytes
  checking for setproctitle() ... not found
  checking for pread() ... found
  checking for pwrite() ... found
  checking for pwritev() ... found
  checking for sys_nerr ... found
  checking for localtime_r() ... found
  checking for posix_memalign() ... found
  checking for memalign() ... found
  checking for mmap(MAP_ANON|MAP_SHARED) ... found
  checking for mmap("/dev/zero", MAP_SHARED) ... found
  checking for System V shared memory ... found
  checking for POSIX semaphores ... not found
  checking for POSIX semaphores in libpthread ... found
  checking for struct msghdr.msg_control ... found
  checking for ioctl(FIONBIO) ... found
  checking for struct tm.tm_gmtoff ... found
  checking for struct dirent.d_namlen ... not found
  checking for struct dirent.d_type ... found
  checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
  checking for openat(), fstatat() ... found
  checking for getaddrinfo() ... found
  configuring additional dynamic modules
  adding module in /opt/ModSecurity-nginx
  checking for ModSecurity library ... not found
  checking for ModSecurity library in /usr/local/modsecurity ... found
• ngx_http_modsecurity_module was configured
  checking for PCRE library ... found
  checking for PCRE JIT support ... found
  checking for md5 in system md library ... not found
  checking for md5 in system md5 library ... not found
  checking for md5 in system OpenSSL crypto library ... found
  checking for sha1 in system md library ... not found
  checking for sha1 in system OpenSSL crypto library ... found
  checking for zlib library ... found
  creating objs/Makefile

Configuration summary

• using system PCRE library
• using OpenSSL library: /usr/bin/openssl
• md5: using system crypto library
• sha1: using system crypto library
• using system zlib library

nginx path prefix: "/usr/share/nginx"
nginx binary file: "/usr/share/nginx/sbin/nginx"
nginx modules path: "/usr/lib/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/lib/nginx/body"
nginx http proxy temporary files: "/var/lib/nginx/proxy"
nginx http fastcgi temporary files: "/var/lib/nginx/fastcgi"
nginx http uwsgi temporary files: "/var/lib/nginx/uwsgi"
nginx http scgi temporary files: "/var/lib/nginx/scgi"