ingress-nginx: PATCH method dies with `enable-modsecurity: "true"` default configuration

Summary Observations: A PATCH method with a JSON request body sent to the ingress receives no response bytes on the connection, and the connection is left open.

The connection is closed only when the NGINX ingress is bounced due to a server reload (on change of ConfigMap, pod deletion … etc).

When debug logging is enabled with `SecDebugLog /dev/stdout` and `SecDebugLogLevel 4`, the debug log shows that (a) phase 1 of ModSecurity recognized the “application/json”, and that (b) phase 2 assigned the JSON attributes into ARGS for subsequent scanning.

** Changing from “DetectOnly” to rule enforcement does not change the behavior. Adding the CRS ruleset does not change the behavior.

** PATCH method works correctly when `enable-modsecurity: "false"`.

====================================

Version info:

`kubectl version`

Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.9", GitCommit:"a17149e1a189050796ced469dbd78d380f2ed5ef", GitTreeState:"clean", BuildDate:"2020-04-16T23:15:50Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 23 (6 by maintainers)

Most upvoted comments

/remove-lifecycle stale

I will try with the latest versions. There is some discussion on the modsecurity board about an http2-related patch which may help.