@fatihusta committed: modified old PR (owasp-modsecurity#327)

Signed-off-by: Fatih USTA <fatihusta86@gmail.com>
@airween (Member) commented Aug 13, 2025

Hi @fatihusta,

many thanks for updating the mentioned patch.

Could you add a new test case to the CI workflow, like this one? Just turn on this new feature, send an attack which triggers a rule, and check that the error.log is empty.

Thanks!

@tomsommer commented Aug 13, 2025

Thank you for this. I'm already using it :)

My only feedback would be that the name of the variable is a bit confusing, you turn it ON to turn something OFF. modsecurity_use_error_log with default on would maybe make more sense?

Just my two cents

Signed-off-by: Fatih USTA <fatihusta86@gmail.com>
@airween (Member) commented Aug 13, 2025

@fatihusta thanks for adding the test.

What do you think about @tomsommer's idea? I think you should consider it - I agree with him, the current implementation has a bit of weird logic.

Also, after we agreed what should be the final keyword, please add the documentation into our README (README is part of the repository).

- tests are changed with new directive name
- nginx.conf updated with new directive name
- added doc

Signed-off-by: Fatih USTA <fatihusta86@gmail.com>
@fatihusta (Author) commented:

Hi,
I changed the directive name to modsecurity_use_error_log. Default is on.

Thanks @tomsommer @airween

@airween (Member) commented Aug 15, 2025

> Hi, I changed the directive name to modsecurity_use_error_log. Default is on.

Thanks - I'm going to check this soon. Until then, could you add this new keyword into README.md?

@fatihusta (Author) commented:

> > Hi, I changed the directive name to modsecurity_use_error_log. Default is on.
>
> Thanks - I'm going to check this soon. Until then, could you add this new keyword into README.md?

I already added the modsecurity_use_error_log key to README.md.

@airween (Member) commented Dec 8, 2025

@fatihusta thanks again for your PR.

I tried it in my dev environment, but unfortunately the generated log messages still appear in error.log. I used this directive in nginx.conf's http section, and also put that into the vhost server section.

Yet, when I send a request that is blocked by the server, I see every log line in error.log.

Could you help me set up Nginx to check that it works as we expect?

@fatihusta (Author) commented:

> @fatihusta thanks again for your PR.
>
> I tried it in my dev environment, but unfortunately the generated log messages still appear in error.log. I used this directive in nginx.conf's http section, and also put that into the vhost server section.
>
> Yet, when I send a request that is blocked by the server, I see every log line in error.log.
>
> Could you help me set up Nginx to check that it works as we expect?

Hi,

I don't know what your setup is, but the config below should be enough for testing.

The testing pipeline worked well with this.

    server {
        listen          80;
        server_name     modsecurity_use_error_log_off;

        modsecurity on;
        modsecurity_use_error_log off;
        modsecurity_rules_file /home/runner/work/ModSecurity-nginx/ModSecurity-nginx/ModSecurity-nginx/.github/nginx/modsecurity.conf;
        root  /usr/local/nginx/html/;

        location / {
            try_files $uri /index.html;
        }
    }

@airween (Member) commented Dec 8, 2025

This is what I use:

    server {
        listen          8080;
        server_name     modsecurity_use_error_log_off;

        modsecurity on;
        modsecurity_use_error_log off;

        location / {
            try_files $uri /index.html;
        }
    }

The config uses CRS 4.21.0.

curl -sSo -I -X GET -H "Host: modsecurity_use_error_log_off" "http://localhost:8080/?q=/bin/bash"

checking the log:

$ grep -q "modsecurity_use_error_log_off" /var/log/nginx/error.log
$ echo $?
0

but

grep "modsecurity_use_error_log_off" /var/log/nginx/error.log
2025/12/08 16:13:26 [info] 104581#104581: *1 ModSecurity: Warning. Matched "Operator `ValidateByteRange' with parameter `38,44-46,48-58,61,65-90,95,97-122' against variable `ARGS:q' (Value: `/bin/bash' ) [file "/home/airween/src/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1733"] [id "920273"] [rev ""] [msg "Invalid character in request (outside of very strict set)"] [data "ARGS:q=/bin/bash"] [severity "2"] [ver "OWASP_CRS/4.22.0-dev"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/4"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL-ENFORCEMENT"] [tag "capec/1000/210/272"] [hostname "modsecurity_use_error_log_off"] [uri "/"] [unique_id "176520680694.962895"] [ref "o0,1o4,1v8,9t:urlDecodeUni"], client: ::1, server: _, request: "GET /?q=/bin/bash HTTP/1.1", host: "modsecurity_use_error_log_off"
...

@fatihusta (Author) commented:

Ok, I'll check again. I'm preparing my setup.

@fatihusta (Author) commented:

I rebuilt from scratch and tested again. It's working.

I'm not sure why your setup is not working, but here is a screen capture.

modsecurity_use_error_log.mov

@airween (Member) commented Dec 8, 2025

Thanks - it's still interesting, because now I have the same config (no CRS, SecRuleEngine On, only one rule like in GH CI), and when I inspected the process with gdb, I get this:

(gdb) br ngx_http_modsecurity_module.c:789
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (ngx_http_modsecurity_module.c:789) pending.
(gdb) br ngx_http_modsecurity_module.c:170
No symbol table is loaded.  Use the "file" command.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 2 (ngx_http_modsecurity_module.c:170) pending.
(gdb) run -g "daemon off; master_process off;"
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x555555822ec0, child=0x555555842920) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
warning: Source file is more recent than executable.
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$1 = -1
(gdb) p c->use_error_log
$2 = 1
(gdb) c
Continuing.
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x555555842920, child=0x555555845778) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$3 = 1
(gdb) p c->use_error_log
$4 = 1
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x555555822ec0, child=0x55555584b540) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$5 = -1
(gdb) p c->use_error_log
$6 = 1
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x55555584b540, child=0x55555584d580) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$7 = 1
(gdb) p c->use_error_log
$8 = 1
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x555555822ec0, child=0x555555858340) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$9 = -1
(gdb) p c->use_error_log
$10 = 1
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x555555858340, child=0x555555859fd0) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$11 = 1
(gdb) p c->use_error_log
$12 = 1
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x555555822ec0, child=0x55555585c398) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$13 = -1
(gdb) p c->use_error_log
$14 = 0
...
Breakpoint 1, ngx_http_modsecurity_merge_conf (cf=0x7fffffffe670, parent=0x55555585c398, child=0x55555585e008) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:789
789	    dd("PARENT RULES");
(gdb) p p->use_error_log
$15 = 0
(gdb) p c->use_error_log
$16 = 0
...
(gdb) c
Continuing.
modsec *** ngx_http_modsecurity_merge_conf: PARENT RULES at /path/to/connector-source/src/ngx_http_modsecurity_module.c line 789.
Phase: 0 (0 rules)
Phase: 1 (0 rules)
Phase: 2 (3 rules)
...
Phase: 4 (0 rules)
Phase: 5 (0 rules)
Phase: 6 (0 rules)
Phase: 7 (0 rules)
...
[sending request]
...
Breakpoint 2, ngx_http_modsecurity_process_intervention (transaction=0x5555557d4e40, r=0x555555939980, early_log=1) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:170
170	    if (mcf->use_error_log) {
Breakpoint 2, ngx_http_modsecurity_process_intervention (transaction=0x5555557d4e40, r=0x555555939980, early_log=1) at /path/to/connector-source/src/ngx_http_modsecurity_module.c:170
170	    if (mcf->use_error_log) {
(gdb) p mcf->use_error_log
$17 = 1

There are many ngx_http_modsecurity_module.c:789 breaks above because I have several vhosts, and all vhosts trigger that function. In the last one it sets the value to 0, but when the logging method is executed, it has the value 1.

If I put modsecurity_use_error_log off; into the http block, then it works. But if the only occurrence is the one in that single vhost, it does not work.

Do you have any idea why that does not work?

@fatihusta (Author) commented:

It's really interesting. I can't reproduce your problem. Here is my output.

modsecurity_use_error_log_gdb.mp4

Note: I added these dd lines for easy debugging.

    dd("use_error_log merge before - parent: %ld, child: %ld, final: %ld",
       p->use_error_log,
       c->use_error_log == NGX_CONF_UNSET ? -1L : c->use_error_log,
       c->use_error_log);

    ngx_conf_merge_value(c->use_error_log, p->use_error_log, 1);

    dd("use_error_log merge after - parent: %ld, child: %ld, final: %ld",
       p->use_error_log,
       c->use_error_log == NGX_CONF_UNSET ? -1L : c->use_error_log,
       c->use_error_log);

Debug

gdb --args /usr/local/nginx/sbin/nginx -c /root/pkgs/ModSecurity-nginx/.github/nginx/nginx.conf -g 'daemon off;'

....
(gdb) break ngx_http_modsecurity_module.c:170
Breakpoint 1 at 0x12fbdd: file ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c, line 170.


(gdb) run
Starting program: /usr/local/nginx/sbin/nginx -c /root/pkgs/ModSecurity-nginx/.github/nginx/nginx.conf -g daemon\ off\;
.....


modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: -1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: -1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

......
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: 1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: 1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

.....

modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: -1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: -1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

.......

modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: 1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: 1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

........
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: -1, child: 0, final: 0 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: -1, child: 0, final: 0 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

.....
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: 0, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: 0, child: 0, final: 0 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

.....
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: -1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: -1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

......
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: 1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: 1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

......
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: -1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: -1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

......
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: 1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: 1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

......
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: -1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: -1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.


........
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge before - parent: 1, child: -1, final: -1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 784.
modsec *** ngx_http_modsecurity_merge_conf: use_error_log merge after - parent: 1, child: 1, final: 1 at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c line 797.

.....

*****
[Sending Request use error log on - modsectest1]
*****

Breakpoint 1, ngx_http_modsecurity_process_intervention (transaction=0x55dea82a7230, r=0x55dea821fcc0, early_log=1) at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:170
170	    if (mcf->use_error_log) {
(gdb)
(gdb)
(gdb)
(gdb)
(gdb) p mcf->use_error_log
$1 = 1
(gdb) c
Continuing.

*****
[Sending Request use error log on - modsectest2]
*****

Breakpoint 1, ngx_http_modsecurity_process_intervention (transaction=0x55dea82a7230, r=0x55dea81f3730, early_log=1) at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:170
170	    if (mcf->use_error_log) {
(gdb) p mcf->use_error_log
$2 = 1
(gdb) c
Continuing.


*****
[Sending Request use error log off - modsecurity_use_error_log_off]
*****


Breakpoint 1, ngx_http_modsecurity_process_intervention (transaction=0x55dea82a7230, r=0x55dea821fcc0, early_log=1) at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:170
170	    if (mcf->use_error_log) {
(gdb) p mcf->use_error_log
$3 = 0
(gdb) c
Continuing.


*****
[Sending Request use error log on - modsectest3]
*****

Breakpoint 1, ngx_http_modsecurity_process_intervention (transaction=0x55dea82a7230, r=0x55dea821fcc0, early_log=1) at ../ModSecurity-nginx/src/ngx_http_modsecurity_module.c:170
170	    if (mcf->use_error_log) {
(gdb) p mcf->use_error_log
$4 = 1
(gdb) c
Continuing.

Nginx conf

user www-data;
worker_processes 1;
master_process off;
pid /run/nginx.pid;

events { worker_connections 768; }

http {
    include mime.types;
    default_type application/octet-stream;

    access_log /usr/local/nginx/logs/access.log;
    error_log /usr/local/nginx/logs/error.log info;

    modsecurity on;
    modsecurity_rules_file /root/pkgs/ModSecurity-nginx/.github/nginx/modsecurity.conf;
    # modsecurity_use_error_log off;

    server {
        listen 80;
        server_name modsectest1;
        modsecurity on;
        modsecurity_use_error_log on;
        root /usr/local/nginx/html;
        location / { try_files $uri /index.html; }
    }

    server {
        listen 80;
        server_name modsectest2;
        modsecurity on;
        root /usr/local/nginx/html;
        location / { try_files $uri /index.html; }
    }

    server {
        listen 80;
        server_name modsecurity_use_error_log_off;
        modsecurity on;
        modsecurity_use_error_log off;
        root /usr/local/nginx/html;
        location / { try_files $uri /index.html; }
    }

    server { listen 80; server_name modsectest3; modsecurity on; root /usr/local/nginx/html; location / { try_files $uri /index.html; } }
    server { listen 80; server_name modsectest4; modsecurity on; root /usr/local/nginx/html; location / { try_files $uri /index.html; } }
    server { listen 80; server_name modsectest5; modsecurity on; root /usr/local/nginx/html; location / { try_files $uri /index.html; } }
}
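To make the merge chain behind the dd output and the gdb values above concrete, here is a small added model (not the connector's or nginx's own code): it re-implements the semantics of the nginx core ngx_conf_merge_value macro, uses a one-field stand-in for the per-location config struct, and computes the value mcf->use_error_log should end up with for each vhost of the nginx.conf above (http block unset, default on).

```c
#include <stdio.h>

#define NGX_CONF_UNSET  -1  /* sentinel nginx uses for an unset ngx_flag_t */

/* Same semantics as the nginx core ngx_conf_merge_value() macro: an unset
 * child takes the parent's value, or the default if the parent is unset too. */
#define ngx_conf_merge_value(conf, prev, dflt)                     \
    if ((conf) == NGX_CONF_UNSET) {                                \
        (conf) = ((prev) == NGX_CONF_UNSET) ? (dflt) : (prev);     \
    }

/* Constructed stand-in for the connector's location config; only the
 * field this thread is about. */
typedef struct {
    long use_error_log;   /* -1 unset, 0 off, 1 on */
} loc_conf_t;

/* The merge step from the thread: child inherits from parent, default on (1). */
static void merge_use_error_log(loc_conf_t *p, loc_conf_t *c)
{
    ngx_conf_merge_value(c->use_error_log, p->use_error_log, 1);
}

/* nginx merges http -> server, then server -> location; the location-level
 * value is what ngx_http_modsecurity_process_intervention() reads via mcf. */
long effective_use_error_log(long http_val, long server_val, long location_val)
{
    loc_conf_t http = { http_val };
    loc_conf_t server = { server_val };
    loc_conf_t location = { location_val };

    merge_use_error_log(&http, &server);      /* parent=http,   child=server   */
    merge_use_error_log(&server, &location);  /* parent=server, child=location */
    return location.use_error_log;
}

int main(void)
{
    /* Rows mirror the vhosts in the nginx.conf above; the http block has the
     * directive commented out, i.e. unset (-1). */
    struct { const char *vhost; long http, server, location; } cases[] = {
        { "modsectest1 (on in server)",          -1,  1, -1 },
        { "modsectest2 (nothing set)",           -1, -1, -1 },
        { "modsecurity_use_error_log_off (off)", -1,  0, -1 },
        { "http-level off, vhost silent",         0, -1, -1 },
        { "server off, location on",             -1,  0,  1 },
    };
    for (int i = 0; i < (int)(sizeof cases / sizeof cases[0]); i++) {
        printf("%-38s -> mcf->use_error_log = %ld\n", cases[i].vhost,
               effective_use_error_log(cases[i].http, cases[i].server,
                                       cases[i].location));
    }
    return 0;
}
```

With these semantics the "off" vhost's location must read 0, which is what both dd traces above show; the model cannot reproduce the mismatch (0 at merge time, 1 at logging time) reported in the earlier comment, so that discrepancy lies outside the merge step itself.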

@airween (Member) commented Dec 9, 2025

Thanks. I checked with this config (I made some modifications: I used worker_processes 4;, master_process on;, changed port and paths), and it works for me too.

Now I have to find the reason why it does not work with a "regular" config.

Thanks again.
