Support log reopen on SIGHUP and SIGUSR1 #372
Open
fremail wants to merge 1 commit into
`msc_rules_reopen_logs()` only exists in rules_set.h (the newer API) — it's not available in the older rules.h at all. So the `#ifdef MSC_USE_RULES_SET` guard is necessary here; without it, the build would fail against older libmodsecurity versions that don't have this function.
Pull request overview
Adds support for reopening ModSecurity audit/debug logs when nginx handles log reopen/reload signals (SIGUSR1/SIGHUP), using the newer msc_rules_reopen_logs() ModSecurity API behind an MSC_USE_RULES_SET feature guard.
Changes:
- Registers a custom `ngx_open_file_t` flush callback to trigger ModSecurity log reopen on nginx log reopen events.
- Tracks each merged `RulesSet *` so log reopen can be applied across all configured rulesets.
- Extends main module configuration to store the reopen trigger file handle.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/ngx_http_modsecurity_module.c | Adds log-reopen trigger setup, ruleset registration, and a flush callback calling msc_rules_reopen_logs() on reopen signals. |
| src/ngx_http_modsecurity_common.h | Extends main conf struct to hold the reopen trigger `ngx_open_file_t *`. |
Comment on lines +678 to +697
| #if defined(MSC_USE_RULES_SET) | ||
| /* Set up log reopening on SIGUSR1/SIGHUP */ | ||
| { | ||
| ngx_str_t log_reopen_file = ngx_string("/dev/null"); | ||
|
|
||
| conf->log_reopen = ngx_conf_open_file(cf->cycle, &log_reopen_file); | ||
| if (conf->log_reopen == NULL) { | ||
| dd("failed to open file for triggering log reopen"); | ||
| return NGX_CONF_ERROR; | ||
| } | ||
|
|
||
| conf->log_reopen->data = ngx_list_create(cf->pool, 100, | ||
| sizeof(RulesSet *)); | ||
| if (conf->log_reopen->data == NULL) { | ||
| dd("failed to create list of rules sets for log reopen"); | ||
| return NGX_CONF_ERROR; | ||
| } | ||
|
|
||
| conf->log_reopen->flush = ngx_http_modsecurity_log_reopen; | ||
| } |
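Review bot: the assignments to `conf->log_reopen->data` and `conf->log_reopen->flush` overwrite both fields unconditionally on an entry that was looked up by name. ngx_conf_open_file() returns the already-registered ngx_open_file_t when the same path has been opened earlier in the cycle, so if any other directive or module has registered /dev/null and set its own flush/data (a buffered log pointed at /dev/null, for example), one of the two handlers is silently replaced and either ModSecurity logs or the other file stop being handled on reopen. Consider checking that `flush` and `data` are still NULL before assigning and failing configuration otherwise, or using a trigger name that cannot collide with a user-configured path. Separately, both failure branches report only through dd(); if that macro is compiled out in non-debug builds, NGX_CONF_ERROR is returned with nothing logged, and ngx_conf_log_error() would give the operator a reason.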



This PR uses the new ModSecurity API implemented in owasp-modsecurity/ModSecurity#3521
The CI build fails because the ModSecurity API isn't released yet ☝️
There is another PR with similar code -- #198 -- but its code is outdated and uses a different API. In any case this PR is based on work in #198, so thank you @brandonpayton for the initial work on that.
I've tested the code using testing notes from #198. I hope we'll see these changes released soon!
Side notes for reviewers
`msc_rules_reopen_logs()` only exists in rules_set.h (the newer API) — it's not available in the older rules.h at all. So the `#ifdef MSC_USE_RULES_SET` guard is necessary. Without it the build would fail against older libmodsecurity versions that don't have this function.
Links
This PR depends on code from owasp-modsecurity/ModSecurity#3521
Resolves #121
Similar PR #198
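
The failure mode this PR addresses, as an added example that is not part of the PR or of ModSecurity-nginx: a process that keeps its log descriptor open across a rename keeps writing to the rotated file until it reopens the path on the signal. File names and helper functions here are constructed for the demo.

```c
/* Added illustration, not ModSecurity-nginx code; paths and helpers are constructed. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOG     "demo_audit.log"    /* constructed path, created in the cwd */
#define ROTATED "demo_audit.log.1"
static int log_fd = -1;
static volatile sig_atomic_t reopen_requested = 0;

static void on_usr1(int sig) { (void)sig; reopen_requested = 1; }

static int open_log(void) { return open(LOG, O_WRONLY | O_CREAT | O_APPEND, 0600); }

/* Append one record; when honoring the signal, reopen by path first. */
static void audit(const char *msg, int honor_reopen) {
    if (honor_reopen && reopen_requested) {
        close(log_fd);
        log_fd = open_log();
        reopen_requested = 0;
    }
    if (write(log_fd, msg, strlen(msg)) < 0) perror("write");
}

/* Size of the live log after rotate + SIGUSR1 + one 6-byte record; -1 if absent. */
long run_demo(int honor_reopen) {
    struct stat st;
    unlink(LOG); unlink(ROTATED);
    signal(SIGUSR1, on_usr1);
    reopen_requested = 0;
    log_fd = open_log();
    audit("before\n", honor_reopen);
    rename(LOG, ROTATED);   /* rotation: the open fd still points at this inode */
    raise(SIGUSR1);         /* the reopen signal nginx handles */
    audit("after\n", honor_reopen);
    close(log_fd);
    long live = stat(LOG, &st) == 0 ? (long)st.st_size : -1;
    unlink(LOG); unlink(ROTATED);
    return live;
}

int main(void) {
    printf("ignoring SIGUSR1: live log size %ld\n", run_demo(0));
    printf("honoring SIGUSR1: live log size %ld\n", run_demo(1));
    return 0;
}
```

When the signal is ignored, the post-rotation record lands in the rotated file and the live audit log is never created, which is the gap in audit coverage that reopening on SIGUSR1/SIGHUP closes.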