Skip to content

Command nginx -t create file modsec-shared-collections in directory where it run #2354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
unix196 opened this issue Jul 9, 2020 · 2 comments
Open

Command nginx -t create file modsec-shared-collections in directory where it run #2354

unix196 opened this issue Jul 9, 2020 · 2 comments
Labels
3.x Related to ModSecurity version 3.x

Comments

@unix196
Copy link

unix196 commented Jul 9, 2020

Nginx build with connector modsecurity-nginx. Modsecurity build with lmdb support (--with-lmdb)

server /etc/nginx # ls -al
...
-rw-r--r--   1 root root  3957 Aug 10  2017 mime.types
drwxr-xr-x   2 root root  4096 Feb 19 12:38 modsec
-rw-r--r--   1 root root  5494 Jan 23 20:55 nginx.conf
drwxr-xr-x   2 root root  4096 Jul  9 12:54 sites-available
drwxr-xr-x   2 root root  4096 Jul  9 12:55 sites-enabled

server /etc/nginx # nginx -t
nginx: [emerg] too long parameter "..." started in /etc/nginx/sites-enabled/modsec-shared-collections:1
nginx: configuration file /etc/nginx/nginx.conf test failed
server  /etc/nginx # ls -al
...
-rw-r--r--   1 root root    3957 Aug 10  2017 mime.types
drwxr-xr-x   2 root root    4096 Feb 19 12:38 modsec
-rw-r--r--   1 root root 1048576 Jul  9 12:56 modsec-shared-collections
-rw-r--r--   1 root root    8192 Jul  9 12:56 modsec-shared-collections-lock

server ~/test# ls -l
total 0
server ~/test # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
server ~/test # ls -l
total 12
-rw-r--r-- 1 root root 1048576 Jul  9 13:23 modsec-shared-collections
-rw-r--r-- 1 root root    8192 Jul  9 13:23 modsec-shared-collections-lock

This is very strange behavior. If I change directory to /etc/nginx, then run nginx -t - after that my nginx config is broken.

ldd /usr/local/modsecurity/lib/libmodsecurity.so
	linux-vdso.so.1 (0x00007ffc5f95e000)
	libcurl.so.4 => /usr/lib/x86_64-linux-gnu/libcurl.so.4 (0x00007f339cc37000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f339ca2f000)
	libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f339c674000)
	liblmdb.so.0 => /usr/lib/x86_64-linux-gnu/liblmdb.so.0 (0x00007f339c45f000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f339c1ed000)
	libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f339be6b000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f339bb67000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f339b7c8000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f339d2de000)
	libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f339b5b1000)
	libnghttp2.so.14 => /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 (0x00007f339b38b000)
	libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f339b169000)
	librtmp.so.1 => /usr/lib/x86_64-linux-gnu/librtmp.so.1 (0x00007f339af4c000)
	libssh2.so.1 => /usr/lib/x86_64-linux-gnu/libssh2.so.1 (0x00007f339ad1f000)
	libpsl.so.5 => /usr/lib/x86_64-linux-gnu/libpsl.so.5 (0x00007f339ab11000)
	libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f339a8a8000)
	libcrypto.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2 (0x00007f339a442000)
	libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f339a1f7000)
	libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f3399f1d000)
	libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f3399cea000)
	libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f3399ae6000)
	liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f33998d7000)
	libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f3399686000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f339946c000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f339924f000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f339904b000)
	libicui18n.so.57 => /usr/lib/x86_64-linux-gnu/libicui18n.so.57 (0x00007f3398bd1000)
	libicuuc.so.57 => /usr/lib/x86_64-linux-gnu/libicuuc.so.57 (0x00007f3398829000)
	libicudata.so.57 => /usr/lib/x86_64-linux-gnu/libicudata.so.57 (0x00007f3396dac000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3396b86000)
	libunistring.so.0 => /usr/lib/x86_64-linux-gnu/libunistring.so.0 (0x00007f339686f000)
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f33964d6000)
	libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f33962a1000)
	libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f339606a000)
	libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f3395de7000)
	libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f3395ad7000)
	libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f33958cb000)
	libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f33956c7000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f33954b0000)
	libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3395295000)
	libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f3395030000)
	libidn.so.11 => /lib/x86_64-linux-gnu/libidn.so.11 (0x00007f3394dfc000)
	libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f3394be9000)
	libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007f33949d5000)
	libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f33947cc000)
@zimmerle zimmerle added the 3.x Related to ModSecurity version 3.x label Jul 9, 2020
@zimmerle
Copy link
Contributor

zimmerle commented Jul 9, 2020

Indeed this is annoying.

Ideally the lmdb file should be created in a path relative to execution binary, in that case: nginx. Not sure if we need a configuration flag for that, where the user will be able to pin point the location of the collection. That seem to be a good idea as we want to support others such us: Redis (#1139) and Memcache (#1140). Both Memcache and Redis, demands specific parameters at runtime (e.g. Server address).

@martinhsv
Copy link
Contributor

martinhsv commented May 12, 2023
edited
Loading

The location of the directory holding the lmdb data can currently be specified by using the nginx configuration item working_directory.

Implementing additional functionality under this issue would mostly be advantageous if users find this existing method insufficiently flexible.

If we do implement something here, it would likely be to activate the SecDataDir ModSecurity item for that purpose.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.x Related to ModSecurity version 3.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zimmerle @unix196 @martinhsv