Merge pull request #360 from fatihusta/disable-error-log

airween · web-flow · commit c42572698b84 · 2025-12-10T21:51:48.000+01:00
added disable error log support
diff --git a/.github/nginx/nginx.conf b/.github/nginx/nginx.conf
@@ -74,5 +74,18 @@ http {
         }
     }
 
+    server {
+        listen          80;
+        server_name     modsecurity_use_error_log_off;
+
+        modsecurity on;
+        modsecurity_use_error_log off;
+        modsecurity_rules_file /home/runner/work/ModSecurity-nginx/ModSecurity-nginx/ModSecurity-nginx/.github/nginx/modsecurity.conf;
+        root  /usr/local/nginx/html/;
+
+        location / {
+            try_files $uri /index.html;
+        }
+    }
 }
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -140,6 +140,28 @@ jobs:
             echo "FAIL"
             exit 1
           fi
+      - name: Check attack log vhost 2 (modsecurity_use_error_log on(default))
+        run: |
+          if ( grep -q "modsectest2" /usr/local/nginx/logs/error.log ); then
+            echo "OK"
+          else
+            echo "FAIL"
+            exit 1
+          fi
+      - name: Check attack log vhost 3 (modsecurity_use_error_log off)
+        run: |
+          status=$(curl -sSo /dev/null -w %{http_code} -I -X GET -H "Host: modsecurity_use_error_log_off" "http://localhost/?q=attack")
+          if [ "${status}" == "403" ]; then
+            if ( grep -q "modsecurity_use_error_log_off" /usr/local/nginx/logs/error.log ); then
+              echo "FAIL"
+              exit 1
+            else
+              echo "OK"
+            fi
+          else
+            echo "FAIL"
+            exit 1
+          fi
       - name: Start Nginx with redir
         run: |
           sudo killall nginx
@@ -320,4 +342,4 @@ jobs:
           md temp
           set TEMP=temp
           set TEST_NGINX_BINARY=..\objs\nginx.exe
-          prove modsecurity*.t
+          prove modsecurity*.t
diff --git a/README.md b/README.md
@@ -175,6 +175,15 @@ using the same unique identificator.
 
 String can contain variables.
 
+modsecurity_use_error_log
+-----------
+**syntax:** *modsecurity_use_error_log on | off*
+
+**context:** *http, server, location*
+
+**default:** *on*
+
+Turns on or off ModSecurity error log functionality.
 
 # Contributing
 
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -118,6 +118,7 @@ typedef struct {
     void                      *rules_set;
 
     ngx_flag_t                 enable;
+    ngx_flag_t                 use_error_log;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     ngx_flag_t                 sanity_checks_enabled;
 #endif
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -146,6 +146,7 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
     intervention.log = NULL;
     intervention.disruptive = 0;
     ngx_http_modsecurity_ctx_t *ctx = NULL;
+    ngx_http_modsecurity_conf_t  *mcf;
 
     dd("processing intervention");
 
@@ -160,12 +161,19 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
         return 0;
     }
 
-    log = intervention.log;
-    if (intervention.log == NULL) {
-        log = "(no log message was specified)";
+    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
+    if (mcf == NULL) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
 
-    ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
+    // logging to nginx error log can be disable by setting `modsecurity_use_error_log` to off
+    if (mcf->use_error_log) {
+        log = intervention.log;
+        if (intervention.log == NULL) {
+          log = "(no log message was specified)";
+        }
+        ngx_log_error(NGX_LOG_ERR, (ngx_log_t *)r->connection->log, 0, "%s", log);
+    }
 
     if (intervention.log != NULL) {
         free(intervention.log);
@@ -513,6 +521,14 @@ static ngx_command_t ngx_http_modsecurity_commands[] =  {
     0,
     NULL
   },
+  {
+    ngx_string("modsecurity_use_error_log"),
+    NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+    ngx_conf_set_flag_slot,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    offsetof(ngx_http_modsecurity_conf_t, use_error_log),
+    NULL
+  },
   ngx_null_command
 };
 
@@ -724,6 +740,7 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
     conf->rules_set = msc_create_rules_set();
     conf->pool = cf->pool;
     conf->transaction_id = NGX_CONF_UNSET_PTR;
+    conf->use_error_log = NGX_CONF_UNSET;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     conf->sanity_checks_enabled = NGX_CONF_UNSET;
 #endif
@@ -763,6 +780,7 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_value(c->enable, p->enable, 0);
     ngx_conf_merge_ptr_value(c->transaction_id, p->transaction_id, NULL);
+    ngx_conf_merge_value(c->use_error_log, p->use_error_log, 1);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     ngx_conf_merge_value(c->sanity_checks_enabled, p->sanity_checks_enabled, 0);
 #endif

Original file line number	Diff line number	Diff line change
`@@ -74,5 +74,18 @@ http {`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ server {`
	`78`	`+ listen 80;`
	`79`	`+ server_name modsecurity_use_error_log_off;`
	`80`	`+`
	`81`	`+ modsecurity on;`
	`82`	`+ modsecurity_use_error_log off;`
	`83`	`+ modsecurity_rules_file /home/runner/work/ModSecurity-nginx/ModSecurity-nginx/ModSecurity-nginx/.github/nginx/modsecurity.conf;`
	`84`	`+ root /usr/local/nginx/html/;`
	`85`	`+`
	`86`	`+ location / {`
	`87`	`+ try_files $uri /index.html;`
	`88`	`+ }`
	`89`	`+ }`
`77`	`90`	`}`
`78`	`91`