Hi,
I’m trying to enable ModSecurity for Kong. It seems that OpenResty needs to be rebuilt with this module. So, I built it using the following commands:
```bash
cd /tmp \
&& git clone https://github.com/SpiderLabs/ModSecurity-nginx \
&& wget https://openresty.org/download/openresty-1.25.3.2.tar.gz \
&& tar -xvzf openresty-1.25.3.2.tar.gz \
&& cd openresty-1.25.3.2 \
&& ./configure --add-module=/tmp/ModSecurity-nginx --with-pcre-jit --with-http_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_v2_module \
&& make -j2 \
&& make install \
&& export PATH=/usr/local/openresty/bin:$PATH
```
However, after building it, when I start Kong, I get the following error:
```text
error: nginx configuration is invalid (exit code 1):
nginx: [emerg] unknown directive "lua_kong_load_var_index" in /usr/local/kong/nginx-kong.conf:64
nginx: configuration file /usr/local/kong/nginx.conf test failed
```
It seems that OpenResty also needs to be built with the lua-kong-nginx-module. So, I tried rebuilding it using the following commands:
```bash
cd /tmp \
&& git clone https://github.com/SpiderLabs/ModSecurity-nginx \
&& git clone https://github.com/Kong/lua-kong-nginx-module.git \
&& wget https://openresty.org/download/openresty-1.25.3.2.tar.gz \
&& tar -xvzf openresty-1.25.3.2.tar.gz \
&& cd openresty-1.25.3.2 \
&& ./configure --add-module=/tmp/ModSecurity-nginx --add-module=/tmp/lua-kong-nginx-module --with-pcre-jit --with-http_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_v2_module \
&& make -j2 \
&& make install \
&& export PATH=/usr/local/openresty/bin:$PATH
```
However, the build fails with the following error:
```text
/tmp/lua-kong-nginx-module/src/ngx_http_lua_kong_ssl.c: In function ‘ngx_http_lua_kong_ssl_get_http2_alpn_enabled’:
/tmp/lua-kong-nginx-module/src/ngx_http_lua_kong_ssl.c:209:21: error: ‘ngx_http_lua_ssl_ctx_t’ {aka ‘struct <anonymous>’} has no member named ‘disable_http2_alpn’
  209 |     if (cctx && cctx->disable_http2_alpn) {
      |                     ^~
/tmp/lua-kong-nginx-module/src/ngx_http_lua_kong_ssl.c: In function ‘ngx_http_lua_ffi_disable_http2_alpn’:
/tmp/lua-kong-nginx-module/src/ngx_http_lua_kong_ssl.c:240:9: error: ‘ngx_http_lua_ssl_ctx_t’ {aka ‘struct <anonymous>’} has no member named ‘disable_http2_alpn’
  240 |     cctx->disable_http2_alpn = 1;
      |         ^~
make[2]: *** [objs/Makefile:3256: objs/addon/src/ngx_http_lua_kong_ssl.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory '/tmp/openresty-1.25.3.2/build/nginx-1.25.3'
make[1]: *** [Makefile:10: build] Error 2
make[1]: Leaving directory '/tmp/openresty-1.25.3.2/build/nginx-1.25.3'
make: *** [Makefile:9: all] Error 2
```
At this point, I’m unsure how to proceed in order to have the latest version of Kong running with ModSecurity.
If anyone has a method to enable or install ModSecurity on the latest version of Kong, I’d really appreciate the help.
I also want to mention that I am not using Docker and need a native installation.
Environment Details:

- Kong Version: 3.9.0
- OpenResty Version: 1.25.3.2
- OS: Ubuntu 20 & 22
### Full Command sheet:

```bash
# Install Kong 3.9.0 natively
apt update \
&& apt upgrade -y \
&& apt-get install -y --no-install-recommends perl unzip openssl \
&& bash <(curl -sS https://get.konghq.com/install) -p kong -v 3.9.0

# Install all required prerequisite packages for ModSecurity
apt update \
&& apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev libssl-dev

# Download and Compile the ModSecurity 3.0 Source Code
cd /tmp \
&& git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity \
&& cd ModSecurity \
&& git submodule init \
&& git submodule update \
&& ./build.sh \
&& ./configure \
&& make \
&& make install

# Download the NGINX Connector for ModSecurity and Compile it as a Dynamic Module
cd /tmp \
&& git clone https://github.com/SpiderLabs/ModSecurity-nginx \
&& wget https://openresty.org/download/openresty-1.25.3.2.tar.gz \
&& tar -xvzf openresty-1.25.3.2.tar.gz \
&& cd openresty-1.25.3.2 \
&& ./configure --add-module=/tmp/ModSecurity-nginx --with-pcre-jit --with-http_ssl_module --with-http_realip_module --with-http_stub_status_module --with-http_v2_module \
&& make -j2 \
&& make install \
&& export PATH=/usr/local/openresty/bin:$PATH

# Configure ModSecurity
mkdir -p /usr/local/openresty/nginx/modsec \
&& cd /usr/local/openresty/nginx/modsec \
&& wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
&& mv -f modsecurity.conf-recommended modsecurity.conf \
&& sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' modsecurity.conf \
&& cp -f /tmp/ModSecurity/unicode.mapping .

tee /usr/local/openresty/nginx/modsec/main.conf > /dev/null <<EOF
# From https://github.com/SpiderLabs/ModSecurity/blob/master/
# modsecurity.conf-recommended
#
# Edit to set SecRuleEngine On
Include "/usr/local/openresty/nginx/modsec/modsecurity.conf"
# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
EOF

# Configure and Enable ModSecurity on Kong-Nginx
sed -i 's/server_name\ \ localhost;/server_name\ \ localhost;\n\ \ \ \ modsecurity\ on;\n\ \ \ \ modsecurity_rules_file\ \/usr\/local\/openresty\/nginx\/modsec\/main.conf;/' /usr/local/openresty/nginx/conf/nginx.conf \
&& sed -i 's/server_name\ kong;/server_name\ kong;\n\ \ \ \ modsecurity\ on;\n\ \ \ \ modsecurity_rules_file\ \/usr\/local\/openresty\/nginx\/modsec\/main.conf;/' /usr/local/share/lua/5.1/kong/templates/nginx_kong.lua \
&& sed -i 's/server_name\ kong_admin;/server_name\ kong_admin;\n\ \ \ \ modsecurity\ on;\n\ \ \ \ modsecurity_rules_file\ \/usr\/local\/openresty\/nginx\/modsec\/main.conf;/' /usr/local/share/lua/5.1/kong/templates/nginx_kong.lua
```
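The first error in the post (`unknown directive "lua_kong_load_var_index"`) is a build mismatch that is cheaper to catch before `kong start` than after. The bash pre-flight check below is an added example and is not code from the original post, from Kong or from ModSecurity: it reads the configure arguments out of `openresty -V`, reports any required `--add-module` that is absent, and prints the effective `SecRuleEngine` value so you can confirm the post's `sed` actually flipped `DetectionOnly` to `On`. The sample `-V` output and conf snippet are constructed, and the binary path `/usr/local/openresty/bin/openresty` is an assumption taken from the post's `export PATH` line.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: pre-flight checks to run
# before starting Kong on a rebuilt OpenResty. The sample `-V` output and
# conf snippet below are constructed; the default binary path is assumed
# from the post's `export PATH=/usr/local/openresty/bin:$PATH`.

# Modules that must be compiled in. lua-kong-nginx-module supplies the
# lua_kong_load_var_index directive from the post's first error;
# ModSecurity-nginx supplies the modsecurity / modsecurity_rules_file
# directives added by the post's sed edits.
REQUIRED_MODULES="lua-kong-nginx-module ModSecurity-nginx"

# Read `openresty -V` (or `nginx -V`) output on stdin and print the
# configure arguments line without its label.
configure_args() {
    sed -n 's/^configure arguments: //p'
}

# missing_modules "<configure args>": print each required module that no
# --add-module= flag references; return 1 if anything is missing.
missing_modules() {
    local args="$1" mod rc=0
    for mod in $REQUIRED_MODULES; do
        case "$args" in
            *--add-module=*"$mod"*) ;;
            *) printf '%s\n' "$mod"; rc=1 ;;
        esac
    done
    return "$rc"
}

# rule_engine_mode < modsecurity.conf: print the effective SecRuleEngine
# value (the last directive wins), or "unset" if the file never sets it.
rule_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print (mode == "" ? "unset" : mode) }'
}

# check_binary [path]: run the module check against a real binary. The
# default path is the one the post puts on PATH (assumption).
check_binary() {
    local bin="${1:-/usr/local/openresty/bin/openresty}" args
    args=$("$bin" -V 2>&1 | configure_args)
    missing_modules "$args"
}

# Constructed sample mirroring the post's first build: ModSecurity-nginx
# present, lua-kong-nginx-module absent.
SAMPLE_V='nginx version: openresty/1.25.3.2
built by gcc 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
configure arguments: --prefix=/usr/local/openresty/nginx --add-module=/tmp/ModSecurity-nginx --with-pcre-jit --with-http_ssl_module'

# Constructed sample conf: a later directive overrides the earlier one.
SAMPLE_CONF='SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRuleEngine On'

demo() {
    local args missing
    args=$(printf '%s\n' "$SAMPLE_V" | configure_args)
    if missing=$(missing_modules "$args"); then
        echo "all required modules present"
    else
        echo "missing modules: $missing"
    fi
    echo "SecRuleEngine: $(printf '%s\n' "$SAMPLE_CONF" | rule_engine_mode)"
}

demo
```

On a live host, `check_binary` (or `check_binary /usr/local/openresty/nginx/sbin/nginx`) tells you whether the binary Kong will load has both modules before `kong start` parses `nginx-kong.conf`. It cannot help with the post's second build, where the compiler reports that `ngx_http_lua_ssl_ctx_t` has no `disable_http2_alpn` member: that is a source mismatch between the lua-nginx-module bundled in the `openresty-1.25.3.2` tarball and the one lua-kong-nginx-module was written against, and no runtime check will detect it before the build fails.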