From 601aa4049b4e15b2081d8e320a1ffb54c4e9d6aa Mon Sep 17 00:00:00 2001
From: Manuel Hutter
Date: Thu, 8 Aug 2024 17:04:03 +0200
Subject: [PATCH] Exclude logs from K8s to /healthz

Signed-off-by: Manuel Hutter
---
 Dockerfile | 4 +++-
 README.md | 26 ++++++---------------
 custom-rules/before-crs.dist/cleanlogs.conf | 13 +++++++++++
 3 files changed, 23 insertions(+), 20 deletions(-)
 create mode 100644 custom-rules/before-crs.dist/cleanlogs.conf

diff --git a/Dockerfile b/Dockerfile
index fa567f5..2ad0249 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,7 +21,9 @@ ENV ACCESSLOG=/dev/stdout \
 MODSEC_REQ_BODY_LIMIT=100000000 \
 MODSEC_REQ_BODY_NOFILES_LIMIT=5242880 \
 MODSEC_RESP_BODY_LIMIT=500000000 \
- CLAMD_DEBUG_LOG=off
+ CLAMD_DEBUG_LOG=off \
+ # Use the default docker subnet as the default \
+ HEALTHZ_CIDRS=172.18.0.0/24
 
 USER root
 
diff --git a/README.md b/README.md
index 331fe95..5ce0a06 100644
--- a/README.md
+++ b/README.md
@@ -6,25 +6,6 @@ Based on the official [coreruleset/modsecurity-crs-docker](https://github.com/co
 - Sets opinionated default configurations
 - Includeds the [ClamAV anti-virus scanner](https://www.clamav.net/) client
 
-## Status
-
-This image is currently being reworked.
-
-### Backlog
-
-- [x] rudimentary development environment
-- [x] use the `alpine` upstream image
-- [x] build & push to GHCR
-- [x] automated updates via Renovate
-- [x] can run on OpenShift
-- [ ] ModSecurity configuration defaults (& documented)
-- [x] JSON AccessLog
-- [x] JSON ModSecurity log
-- [x] custom rules support (`init`, `before`, `after`)
-- [x] contains ClamAV
-- [ ] automated release (tagging) process
-- [ ] migrate other random configurations from the v3 image
-
 ## Usage
 
 The latest image can be pulled from
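Review bot: The new default `HEALTHZ_CIDRS=172.18.0.0/24` in the ENV block means every deployment that does not override the variable ships with the `/healthz` WAF and audit-log exemption already enabled for that range, and the comment above it is likely imprecise: Docker's default bridge network is normally 172.17.0.0/16, while 172.18.0.0/16 is what the first user-defined (compose) network usually receives. Suggest rewording the comment so operators know the value is a development default and must be replaced: `# Default for the local docker-compose network; override with the Kubernetes node subnet in production \`. The trailing backslash on the comment line is not needed, since the Dockerfile parser drops comment lines before it joins continuation lines, though it is harmless here. The ENV instruction starts before this hunk.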
@@ -60,6 +41,13 @@ Most aspects can be configured using environment variables.
 For a full list of supported environment variables, see the [upstream documentation][upstream].
 We use the Apache Alpine image.
 
+### Extra configuration variables
+
+- `HEALTHZ_CIDRS` - CIDR from which requests to the `/healthz` endpoint should be whitelisted. This should usually be set to your Kubernetes host subnet range. Multiple CIDR ranges can be specified. Example: `1.2.3.4/24,5.6.7.8/24`
+
 ## License
 
 This project itself is licensed under BSD 3-Clause, see [LICENSE](./LICENSE).
diff --git a/custom-rules/before-crs.dist/cleanlogs.conf b/custom-rules/before-crs.dist/cleanlogs.conf
new file mode 100644
index 0000000..8ac54a7
--- /dev/null
+++ b/custom-rules/before-crs.dist/cleanlogs.conf
@@ -0,0 +1,13 @@
+# === Exempt frequent well-known requests from logging, e.g. health checks (ids: 40000 - 40100)
+
+# Ignore requests coming from Kubernetes going to the health check endpoint.
+# - don't log
+# - allow request
+# - don't write an audit log for the request
+SecRule REQUEST_URI "@streq /healthz" "phase:1,id:40099,nolog,allow,ctl:auditEngine=Off,chain"
+ SecRule REMOTE_ADDR "@ipMatch ${HEALTHZ_CIDRS}"
+
+# Ignore requests coming from localhost. This is useful if there are request issued via Shell or
+# from a sidecar that provide limited or no customization in the request headers (e.g. Apache exporter).
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "phase:1,id:40001,nolog,allow,ctl:auditEngine=Off"
+SecRule REMOTE_ADDR "@ipMatch ::1" "phase:1,id:40002,nolog,allow,ctl:auditEngine=Off"
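Review bot: In rule 40099 the `ctl:auditEngine=Off` action sits on the first rule of the chain, and in ModSecurity non-disruptive actions on a non-final chain rule are applied as soon as that rule matches, so the audit engine is switched off for every request to `/healthz` whatever its REMOTE_ADDR; only the disruptive `allow` waits for the whole chain. Move the ctl action onto the last rule, the way CRS does in its own common-exceptions rule 905100: `SecRule REQUEST_URI "@streq /healthz" "phase:1,id:40099,nolog,allow,chain"` followed by `    SecRule REMOTE_ADDR "@ipMatch ${HEALTHZ_CIDRS}" "ctl:auditEngine=Off"`. Because `allow` in phase 1 skips all remaining inspection including the request body, consider also chaining `SecRule REQUEST_METHOD "@pm GET HEAD" "chain"` so that a non-probe request sharing the path is not exempted, and note that if an ingress or proxy address falls inside `HEALTHZ_CIDRS` the exemption extends to every client behind it. Rules 40001 and 40002 exempt all traffic from loopback with no path restriction; if requests reach Apache through a local proxy or mesh sidecar, REMOTE_ADDR is loopback for everything and these rules would disable the WAF and audit log entirely, which the comment above them should state.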