Adds the SecRemoteRulesFailAction directive

This directive allows the user to set a default action whenever the SecRemoteRules failed to download a set of rules. Current the supported values are: Warn and Abort. By default `Abort' is selected.
2025-08-14 05:45:59 +03:00 · 2014-11-11 14:02:00 -08:00 · 2014-11-11 14:02:00 -08:00 · 38b9924705
commit 38b9924705
parent 9b836b652a
4 changed files with 61 additions and 3 deletions
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@ -2213,6 +2213,28 @@ static const char *cmd_rule_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
    return NULL;
 }

+static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+    directory_config *dcfg = (directory_config *)_dcfg;
+    if (dcfg == NULL) return NULL;
+
+    if (strncasecmp(p1, "warn", 4) == 0)
+    {
+        remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
+    }
+    else if (strncasecmp(p1, "abort", 5) == 0)
+    {
+        remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+    }
+    else
+    {
+        return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
+                "SecRemoteRulesFailAction, expected: Abort or Warn.");
+    }
+
+    return NULL;
+}
+
 static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
        const char *p2)
 {
@ -3552,6 +3574,15 @@ const command_rec module_directives[] = {
        "key and URI to the remote rules"
    ),

+    AP_INIT_TAKE1 (
+        "SecRemoteRulesFailAction",
+        cmd_remote_rules_fail,
+        NULL,
+        CMD_SCOPE_ANY,
+        "Abort or Warn"
+    ),
+
+
    AP_INIT_TAKE1 (
        "SecXmlExternalEntity",
        cmd_xml_external_entity,
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@ -69,6 +69,7 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;

 msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
+int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;

 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;

@ -82,6 +83,7 @@ unsigned long int DSOLOCAL conn_write_state_limit = 0;
 TreeRoot DSOLOCAL *conn_write_state_whitelist = 0;
 TreeRoot DSOLOCAL *conn_write_state_suspicious_list = 0;

+
 #if defined(WIN32) || defined(VERSION_NGINX)
 int (*modsecDropAction)(request_rec *r) = NULL;
 #endif
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@ -146,6 +146,7 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;

 extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
+extern DSOLOCAL int remote_rules_fail_action;

 extern DSOLOCAL int status_engine_state;

@ -198,6 +199,9 @@ extern DSOLOCAL int *unicode_map_table;
 #define STATUS_ENGINE_ENABLED           1
 #define STATUS_ENGINE_DISABLED          0

+#define REMOTE_RULES_ABORT_ON_FAIL	0
+#define REMOTE_RULES_WARN_ON_FAIL	1
+
 #define HASH_DISABLED             0
 #define HASH_ENABLED              1

--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@ -300,8 +300,19 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,

        if (res != CURLE_OK)
        {
-            *error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" error: %s ",
+            if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
+            {
+                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                         "Failed to fetch \"%s\" error: %s ",
+                         remote_rules_server->uri, curl_easy_strerror(res));
+            }
+            else
+            {
+                *error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" " \
+                    "error: %s ",
                    remote_rules_server->uri, curl_easy_strerror(res));
+            }
+
            return -1;
        }

@ -444,7 +455,8 @@ int msc_remote_decrypt(apr_pool_t *pool,
    //        at least size of IV + Salt
    if (chunk->size < 16+16+1)
    {
-        *error_msg = "Unexpected content.";
+        *error_msg = "Failed to download rules from a remote server: " \
+            "Unexpected content.";
        return -1;
    }
    iv = chunk->memory;
@ -574,6 +586,7 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
    int start = 0;
    int end = 0;
    int added_rules = 0;
+    int res = 0;
    apr_size_t plain_text_len = 0;

    apr_pool_t *mp = orig_parms->pool;
@ -581,13 +594,21 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
    chunk_encrypted.size = 0;
    chunk_encrypted.memory = NULL;

-    msc_remote_grab_content(mp, remote_rules_server->uri,
+    res = msc_remote_grab_content(mp, remote_rules_server->uri,
            remote_rules_server->key, &chunk_encrypted, error_msg);
    if (*error_msg != NULL)
    {
        return -1;
    }

+    /* error_msg is not filled when the user set SecRemoteRulesFailAction
+     * to warn
+     */
+    if (res != 0)
+    {
+        return res;
+    }
+
    msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
            &plain_text,
            &plain_text_len,