Exclude logs from K8s to /healthz
Signed-off-by: Manuel Hutter <[email protected]>
mhutter committed Aug 12, 2024
1 parent d0483c0 commit 37ef42c
Showing 3 changed files with 23 additions and 20 deletions.
4 changes: 3 additions & 1 deletion Dockerfile
Expand Up @@ -21,7 +21,9 @@ ENV ACCESSLOG=/dev/stdout \
MODSEC_REQ_BODY_LIMIT=100000000 \
MODSEC_REQ_BODY_NOFILES_LIMIT=5242880 \
MODSEC_RESP_BODY_LIMIT=500000000 \
CLAMD_DEBUG_LOG=off
CLAMD_DEBUG_LOG=off \
# Use the default docker subnet as the default \
HEALTHZ_CIDRS=172.18.0.0/24

USER root

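Review bot: the new default `HEALTHZ_CIDRS=172.18.0.0/24` bakes a development-network range into the production image, and the comment above it is inaccurate: Docker's default bridge network is 172.17.0.0/16, while 172.18.0.0/16 is what the first user-defined (compose) network usually gets, and with a /16 mask rather than /24. Because this value feeds a rule that lets matching requests bypass ModSecurity, either correct the comment to say it is a local development default that must be overridden in Kubernetes, or make the variable required so a deployment cannot silently run with a range that happens to overlap the cluster's network.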
26 changes: 7 additions & 19 deletions README.md
Expand Up @@ -6,25 +6,6 @@ Based on the official [coreruleset/modsecurity-crs-docker](https://github.com/co
- Sets opinionated default configurations
- Includeds the [ClamAV anti-virus scanner](https://www.clamav.net/) client

## Status

This image is currently being reworked.

### Backlog

- [x] rudimentary development environment
- [x] use the `alpine` upstream image
- [x] build & push to GHCR
- [x] automated updates via Renovate
- [x] can run on OpenShift
- [ ] ModSecurity configuration defaults (& documented)
- [x] JSON AccessLog
- [x] JSON ModSecurity log
- [x] custom rules support (`init`, `before`, `after`)
- [x] contains ClamAV
- [ ] automated release (tagging) process
- [ ] migrate other random configurations from the v3 image

## Usage

The latest image can be pulled from
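Review bot: this hunk drops the whole Status/Backlog section, including three still-open items (ModSecurity configuration defaults, automated release process, migrating configurations from the v3 image), but nothing in the commit says where they are tracked now; either link the issue tracker that replaces them or keep the open items. The removal is also unrelated to the commit subject (`/healthz` log exemption) and would be easier to review as its own commit. While touching this section, the remaining context line still reads `Includeds`.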
Expand Down Expand Up @@ -60,6 +41,13 @@ Most aspects can be configured using environment variables.
For a full list of supported environment variables, see the [upstream documentation][upstream].
We use the Apache Alpine image.

### Extra configuration variables

- `HEALTHZ_CIDRS` - CIDR from which requests to the `/healthz` endpoint should be whitelisted.
This should usually be set to your Kubernetes host subnet range.
Multiple CIDR ranges can be specified.
Example: `1.2.3.4/24,5.6.7.8/24`

## License

This project itself is licensed under BSD 3-Clause, see [LICENSE](./LICENSE).
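Review bot: "whitelisted" understates what the variable does: the matching rule in `cleanlogs.conf` uses `allow` and `ctl:auditEngine=Off`, so a request to `/healthz` from any address in `HEALTHZ_CIDRS` skips the rest of the ModSecurity rule set and leaves no audit trail, not merely the access log. The README should say that plainly and tell operators to scope the range to the nodes or pods that actually run the probe rather than "your Kubernetes host subnet range" in general. Two smaller points: document the Dockerfile default `172.18.0.0/24` here so readers know it must be overridden, and use network addresses in the example (`10.0.0.0/24,10.0.1.0/24`) instead of `1.2.3.4/24`, which is a host address with a /24 mask.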
13 changes: 13 additions & 0 deletions custom-rules/before-crs.dist/cleanlogs.conf
@@ -0,0 +1,13 @@
# === Exempt frequent well-known requests from logging, e.g. health checks (ids: 40000 - 40100)

# Ignore requests coming from Kubernetes going to the health check endpoint.
# - don't log
# - allow request
# - don't write an audit log for the request
SecRule REQUEST_URI "@streq /healthz" "phase:1,id:40099,nolog,allow,ctl:auditEngine=Off,chain"
SecRule REMOTE_ADDR "@ipMatch ${HEALTHZ_CIDRS}"

# Ignore requests coming from localhost. This is useful if there are request issued via Shell or
# from a sidecar that provide limited or no customization in the request headers (e.g. Apache exporter).
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "phase:1,id:40001,nolog,allow,ctl:auditEngine=Off"
SecRule REMOTE_ADDR "@ipMatch ::1" "phase:1,id:40002,nolog,allow,ctl:auditEngine=Off"
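Review bot: rules 40001 and 40002 exempt every request from 127.0.0.1 and ::1 from both logging and inspection with no URI condition, while the comment describes a much narrower intent (shell-issued requests and a sidecar exporter). If the container ever sits behind a local proxy or a service-mesh sidecar that forwards client traffic over loopback, every request would match and the WAF would be bypassed outright; chain these rules with a `REQUEST_URI` match for the exporter's path(s), as rule 40099 does for `/healthz`. Two further points: `${HEALTHZ_CIDRS}` is shell/envsubst syntax that ModSecurity itself does not expand (its macro form is `%{...}`), so this file only works if the entrypoint substitutes it before Apache starts, and if it does not, `@ipMatch` receives the literal string and the configuration fails to load, so a comment stating that dependency would help. Also, the header reserves ids 40000-40100 for these exemptions but 40099 sits at the top of the file while 40001/40002 sit at the bottom; pick one numbering direction.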
