Unknown directive "modsecurity_rules" in /tmp/nginx-cfg128224059:398 #3329

Closed
LAITRUNGMINHDUC opened this issue Oct 31, 2018 · 9 comments


LAITRUNGMINHDUC commented Oct 31, 2018

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): YES

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): modsecurity, modsecurity_rules


Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

NGINX Ingress controller version: 0.20.0

Kubernetes version (use kubectl version): v1.11.3 (Server)

Environment:

  • Cloud provider or hardware configuration: Azure Kubernetes Services (AKS)
  • OS (e.g. from /etc/os-release): N/A
  • Kernel (e.g. uname -a): N/A
  • Install tools: N/A
  • Others: N/A

What happened:
The ModSecurity feature doesn't work. In the log file, I saw these lines, and it keeps generating:
Error: exit status 1
2018/10/31 01:45:51 [emerg] 24881#24881: unknown directive "modsecurity_rules" in /tmp/nginx-cfg128224059:398
nginx: [emerg] unknown directive "modsecurity_rules" in /tmp/nginx-cfg128224059:398
nginx: configuration file /tmp/nginx-cfg128224059 test failed

What you expected to happen:
The ModSecurity feature works: it detects and blocks malicious requests and doesn't generate those log lines.

How to reproduce it (as minimally and precisely as possible):
After creating AKS on Azure and installing NGINX Ingress with Helm (namespace: ingress-nginx), here are 2 files (run them in order) to reproduce the error:

1/ MyConfigMap.yaml

apiVersion: v1  
kind: ConfigMap  
metadata:  
  name: ingress-configmap
  namespace: default
data:  
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"

2/ MyIngress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/configuration-snippet: |
      modsecurity_rules '
        SecRuleEngine On
        SecAuditLog /var/log/modsec_audit.log
        SecAuditLogParts ABCIJDEFHZ
        SecAuditEngine RelevantOnly
        SecRuleRemoveById 932140
      ';    
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:          
          serviceName: netcore
          servicePort: 80

Anything else we need to know:

  • I also tried to create a ConfigMap in namespace ingress-nginx, but it doesn't work either.
  • Without this ModSecurity config, when I use the annotation nginx.ingress.kubernetes.io/lua-resty-waf, it can block the malicious traffic, but I want to get the log from lua-resty-waf, not all logs in kubectl logs -n ingress-nginx <pod-name>.

Member

aledbf commented Oct 31, 2018

@LAITRUNGMINHDUC please check that the configmap you are creating is being used in the ingress controller flags (from your report it is not).
Without the module enabled the annotation cannot work (because the module is not loaded).


diazjf commented Oct 31, 2018

@LAITRUNGMINHDUC Yeah, it looks like the module is not being set. Can you post a copy of your deployment, as well as the nginx.conf (kubectl exec -it -n <namespace> <nginx-pod> cat /etc/nginx/nginx.conf)?

Member

aledbf commented Oct 31, 2018

https://github.com/kubernetes/ingress-nginx/blob/master/deploy/mandatory.yaml

Please make sure the name of the configmap matches.


diazjf commented Oct 31, 2018

@aledbf Confirmed that there is an issue when enabling modsecurity via the configmap. I'll look into it later today.

-------------------------------------------------------------------------------
W1031 18:48:17.199640       9 queue.go:130] requeuing configmap-change, err 
-------------------------------------------------------------------------------
Error: exit status 1
2018/10/31 18:48:17 [notice] 233#233: ModSecurity-nginx v1.0.0
2018/10/31 18:48:17 [emerg] 233#233: "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/modsecurity.conf. Line: 234. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127'.  in /tmp/nginx-cfg512345247:321
nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsecurity/modsecurity.conf. Line: 234. Column: 17. Failed to load locate the unicode map file from: unicode.mapping 20127 Looking at: 'unicode.mapping 20127', 'unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127', '/etc/nginx/modsecurity/unicode.mapping 20127'.  in /tmp/nginx-cfg512345247:321
nginx: configuration file /tmp/nginx-cfg512345247 test failed

-------------------------------------------------------------------------------

Member

aledbf commented Oct 31, 2018

Please use quay.io/kubernetes-ingress-controller/nginx-ingress-controller:dev. This issue is fixed.

Member

aledbf commented Nov 4, 2018

Closing. Fixed in #3357

aledbf closed this as completed Nov 4, 2018

Member


aledbf commented Nov 4, 2018

@LAITRUNGMINHDUC I will post the link to a temporary image after #3309 is merged.

Author

LAITRUNGMINHDUC commented Nov 5, 2018

@aledbf Hello guys, thanks for your support. Sorry for this late reply and not keeping in touch. My Azure account was out of credit, and I was busy last week (I got much homework and reports). I will try the solution after my account is renewed. Thanks again.

Besides that, because I am new to Kubernetes, I want to ask:
What do you mean by "ingress controller flags"? In your mandatory.yaml, is that "nginx-configuration" in ConfigMap? And it must be "nginx-configuration"?

Thank you

Member

aledbf commented Nov 5, 2018

@LAITRUNGMINHDUC this section https://github.com/kubernetes/ingress-nginx/blob/master/deploy/mandatory.yaml#L197
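
The check discussed in this thread, as an added example that is not part of the original thread or the project's code: compare the ConfigMap named by the controller's --configmap flag with the ConfigMap that was actually created. The controller Deployment below is a constructed sample modelled on deploy/mandatory.yaml, and the function names are hypothetical.

```python
import json

# Constructed sample: trimmed `kubectl get deployment -o json` output for a
# controller deployed like deploy/mandatory.yaml (names are assumptions).
DEPLOYMENT = json.loads("""
{"metadata": {"name": "nginx-ingress-controller", "namespace": "ingress-nginx"},
 "spec": {"template": {"spec": {"containers": [{"name": "nginx-ingress-controller",
   "args": ["/nginx-ingress-controller",
            "--configmap=$(POD_NAMESPACE)/nginx-configuration",
            "--annotations-prefix=nginx.ingress.kubernetes.io"]}]}}}}
""")

# The ConfigMap from the report at the top of this issue.
CONFIGMAP = {
    "metadata": {"name": "ingress-configmap", "namespace": "default"},
    "data": {"enable-modsecurity": "true", "enable-owasp-modsecurity-crs": "true"},
}


def watched_configmap(deployment):
    """Return (namespace, name) from the controller's --configmap flag, or None."""
    pod_ns = deployment["metadata"]["namespace"]
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            if arg.startswith("--configmap="):
                # $(POD_NAMESPACE) expands to the namespace the pod runs in.
                value = arg.split("=", 1)[1].replace("$(POD_NAMESPACE)", pod_ns)
                namespace, _, name = value.partition("/")
                return namespace, name
    return None


def check(deployment, configmap):
    """List reasons the controller would not load ModSecurity from this ConfigMap."""
    watched = watched_configmap(deployment)
    if watched is None:
        return ["controller has no --configmap flag"]
    actual = (configmap["metadata"]["namespace"], configmap["metadata"]["name"])
    problems = []
    if actual != watched:
        problems.append("controller reads %s/%s, ConfigMap is %s/%s" % (watched + actual))
    if configmap["data"].get("enable-modsecurity") != "true":
        problems.append('enable-modsecurity is not "true"')
    return problems


if __name__ == "__main__":
    for problem in check(DEPLOYMENT, CONFIGMAP):
        print(problem)
```

On a live cluster the two inputs would come from `kubectl get deployment <name> -n <namespace> -o json` and `kubectl get configmap <name> -n <namespace> -o json`.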
