ModSecurity firewall blocking traffic for SecRequestBodyLimit
Summary
This really threw me for a loop since I've been creating environments for the last couple months. Didn't see the recent press release until a couple hours of digging into why I was hitting 403s. Then I saw these errors in the ingress controller logs: "Request body limit is marked to reject the request". We have a Docker registry behind our ingress controller, which is how I hit this issue. Am I missing something?
Steps to reproduce
- Create a new environment with an existing Kubernetes cluster
- Install the ingress via Tiller
- Create a service/deployment for a Docker registry
- Push an image with layers over the SecRequestBodyLimit
What is the current bug behavior?
Blocks requests with a 403 over the SecRequestBodyLimit.
What is the expected correct behavior?
I'm not positive on the correct config, but would love some clarification. My impression was the initial release of this firewall would not block traffic.
Relevant logs and/or screenshots
@cloudshell:~ ()$ kubectl exec -it ingress-nginx-ingress-controller-7cf6944677-clc6d -n gitlab-managed-apps /bin/sh
# grep -r SecRequestBody .
./etc/nginx/owasp-modsecurity-crs/crs-setup.conf:# SecRequestBodyAccess, SecAuditEngine, SecDebugLog, and XML processing.
./etc/nginx/modsecurity/modsecurity.conf:SecRequestBodyAccess On
./etc/nginx/modsecurity/modsecurity.conf:SecRequestBodyLimit 13107200
./etc/nginx/modsecurity/modsecurity.conf:SecRequestBodyNoFilesLimit 131072
./etc/nginx/modsecurity/modsecurity.conf:SecRequestBodyLimitAction Reject
Possible fixes
Was able to push images by changing the SecRequestBodyLimitAction from Reject to ProcessPartial:
- Exec into the ingress controller
- Change to the following in /etc/nginx/owasp-modsecurity-crs/crs-setup.conf:
  modsecurity.conf:SecRequestBodyLimitAction ProcessPartial
- Reload nginx:
  nginx -s reload
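
How the two directives in the report interact for a given body size can be checked offline. This is an added example, not part of the original post and not GitLab or ModSecurity code; the function names and the sample file are assumptions, with the directive values taken from the grep output above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Usage: body_limit_verdict <body-size-bytes> <conf-file>...
# Prints "<verdict> <limit> <action>", where verdict is one of:
#   inspected  body fits within SecRequestBodyLimit
#   rejected   body exceeds the limit and the action is Reject
#   partial    body exceeds the limit and the action is ProcessPartial
#              (only the part that fits within the limit is inspected)
#   unknown    a directive is missing or has an unrecognised value
# Assumption: when a directive appears more than once, the last one read wins.
body_limit_verdict() {
    size=$1; shift
    awk -v size="$size" '
        /^[ \t]*#/ { next }                      # ignore commented-out directives
        { d = tolower($1) }
        d == "secrequestbodylimit"       { limit = $2 }
        d == "secrequestbodylimitaction" { action = $2 }
        END {
            a = tolower(action)
            if (limit == "" || action == "")  v = "unknown"
            else if (size + 0 <= limit + 0)   v = "inspected"
            else if (a == "processpartial")   v = "partial"
            else if (a == "reject")           v = "rejected"
            else                              v = "unknown"
            print v, (limit == "" ? "-" : limit), (action == "" ? "-" : action)
        }' "$@"
}

# Constructed sample file; the active values are those in the grep output above.
write_sample_conf() {
    cat > "$1" <<'EOF'
# SecRequestBodyLimitAction ProcessPartial
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
body_limit_verdict 5000000 "$conf"     # body under the limit
body_limit_verdict 52428800 "$conf"    # 50 MiB body, e.g. a large image layer
rm -f "$conf"
```

Inside the controller pod the same function can be pointed at /etc/nginx/modsecurity/modsecurity.conf. A "partial" verdict means the bytes beyond the limit pass without inspection, which is the trade-off of the workaround above.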