Skip to content

Add variables to hold processing times for modsecurity phases #278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

Add variables to hold processing times for modsecurity phases #278

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
e695492
Add variables to hold processing times for modsecurity phases
awmackowiak Mar 24, 2022
8052510
Add variable for logging time and add examples how to use it to README
awmackowiak Mar 25, 2022
75cf7a4
Merge pull request #1 from awmackowiak/am-logging
awmackowiak Mar 25, 2022
26ac576
Fixes after review
awmackowiak May 16, 2022
481e463
Fixes after review
awmackowiak May 16, 2022
811d9a0
Fixes after review
awmackowiak May 17, 2022
f7cff06
Fixes after review
May 18, 2022
55b41d0
Fixes after review
awmackowiak May 18, 2022
38ec2e3
Fixes after review
awmackowiak May 18, 2022
6ec6bbb
Fixes after review
awmackowiak May 18, 2022
aeb5307
Fixes after review
awmackowiak May 18, 2022
bb939a1
Fixes after review
awmackowiak May 18, 2022
d386de9
Fixes after review
awmackowiak May 18, 2022
7aa12d0
Merge pull request #2 from awmackowiak/am-logging
awmackowiak May 20, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,27 @@ using the same unique identificator.

String can contain variables.

# Format Variables
ModSecurity-nginx provide times variables for particular phases that you can uses in nginx *log_format*:

*$modsecurity_req_headers_phase_time*
request headers processing time in seconds with a microseconds resolution; time elapsed for processing headers in first phase by ModSecurity
*$modsecurity_req_body_phase_time*
request body processing time in seconds with a microseconds resolution; time elapsed for processing request body in second phase by ModSecurity
*$modsecurity_resp_headers_phase_time*
resposnse headers processing time in seconds with a microseconds resolution; time elapsed for processing response headers in third phase by ModSecurity
*$modsecurity_resp_body_phase_time*
response body processing time in seconds with a microseconds resolution; time elapsed for processing response body in fourth phase by ModSecurity
*$modsecurity_logging_phase_time*
logging processing time in seconds with a microseconds resolution; time elapsed for processing logging in fifth phase by ModSecurity

The following example show how to configure custom *log_format* with variables above and use them with custom *access.log*:

```nginx
log_format format_modsecurity 'modsecurity_req_headers_phase_time: $modsecurity_req_headers_phase_time, modsecurity_req_body_phase_time: $modsecurity_req_body_phase_time, modsecurity_resp_headers_phase_time: $modsecurity_resp_headers_phase_time, modsecurity_resp_body_phase_time: $modsecurity_resp_body_phase_time, modsecurity_logging_phase_time: $modsecurity_logging_phase_time';

access_log /usr/local/nginx/logs/modsecurity.log format_modsecurity;
```

# Contributing

Expand Down
3 changes: 3 additions & 0 deletions src/ngx_http_modsecurity_body_filter.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,8 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)

if (is_request_processed) {
ngx_pool_t *old_pool;
struct timeval start_tv;
ngx_gettimeofday(&start_tv);

old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_response_body(ctx->modsec_transaction);
Expand All @@ -164,6 +166,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
/* XXX: I don't get how body from modsec being transferred to nginx's buffer. If so - after adjusting of nginx's
XXX: body we can proceed to adjust body size (content-length). see xslt_body_filter() for example */
ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
ctx->resp_body_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);
if (ret > 0) {
return ret;
}
Expand Down
6 changes: 6 additions & 0 deletions src/ngx_http_modsecurity_common.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,11 @@ typedef struct {
unsigned processed:1;
unsigned logged:1;
unsigned intervention_triggered:1;
ngx_msec_int_t req_headers_phase_time;
ngx_msec_int_t req_body_phase_time;
ngx_msec_int_t resp_headers_phase_time;
ngx_msec_int_t resp_body_phase_time;
ngx_msec_int_t logging_phase_time;
} ngx_http_modsecurity_ctx_t;


Expand Down Expand Up @@ -164,5 +169,6 @@ ngx_int_t ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r);
/* ngx_http_modsecurity_rewrite.c */
ngx_int_t ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r);

ngx_msec_int_t ngx_http_modsecurity_compute_processing_time(struct timeval tv);

#endif /* _NGX_HTTP_MODSECURITY_COMMON_H_INCLUDED_ */
8 changes: 7 additions & 1 deletion src/ngx_http_modsecurity_header_filter.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -446,6 +446,9 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
return ngx_http_next_header_filter(r);
}

struct timeval start_tv;
ngx_gettimeofday(&start_tv);

/*
* Lets ask nginx to keep the response body in memory
*
Expand Down Expand Up @@ -524,9 +527,12 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
#endif

old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);
msc_process_response_headers(ctx->modsec_transaction, status, http_response_ver);
ngx_http_modsecurity_pcre_malloc_done(old_pool);
ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);

ctx->resp_headers_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);

if (r->error_page) {
return ngx_http_next_header_filter(r);
}
Expand Down
3 changes: 3 additions & 0 deletions src/ngx_http_modsecurity_log.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,11 +71,14 @@ ngx_http_modsecurity_log_handler(ngx_http_request_t *r)
dd("already logged earlier");
return NGX_OK;
}
struct timeval start_tv;
ngx_gettimeofday(&start_tv);

dd("calling msc_process_logging for %p", ctx);
old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);
msc_process_logging(ctx->modsec_transaction);
ngx_http_modsecurity_pcre_malloc_done(old_pool);
ctx->logging_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);

return NGX_OK;
}
166 changes: 165 additions & 1 deletion src/ngx_http_modsecurity_module.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,26 @@
#include <ngx_http.h>

static ngx_int_t ngx_http_modsecurity_init(ngx_conf_t *cf);
static ngx_int_t ngx_http_modsecurity_add_variables(ngx_conf_t *cf);
static void *ngx_http_modsecurity_create_main_conf(ngx_conf_t *cf);
static char *ngx_http_modsecurity_init_main_conf(ngx_conf_t *cf, void *conf);
static void *ngx_http_modsecurity_create_conf(ngx_conf_t *cf);
static char *ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child);
static void ngx_http_modsecurity_cleanup_instance(void *data);
static void ngx_http_modsecurity_cleanup_rules(void *data);

static ngx_int_t ngx_http_modsecurity_req_headers_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_modsecurity_req_body_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_modsecurity_resp_headers_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_modsecurity_resp_body_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_modsecurity_logging_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_modsecurity_time_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data, ngx_msec_int_t usec);

/*
* PCRE malloc/free workaround, based on
Expand Down Expand Up @@ -268,6 +281,12 @@ ngx_http_modsecurity_create_ctx(ngx_http_request_t *r)
return NULL;
}

ctx->req_headers_phase_time = -1;
ctx->req_body_phase_time = -1;
ctx->resp_headers_phase_time = -1;
ctx->resp_body_phase_time = -1;
ctx->logging_phase_time = -1;

mmcf = ngx_http_get_module_main_conf(r, ngx_http_modsecurity_module);
mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);

Expand Down Expand Up @@ -490,7 +509,7 @@ static ngx_command_t ngx_http_modsecurity_commands[] = {


static ngx_http_module_t ngx_http_modsecurity_ctx = {
NULL, /* preconfiguration */
ngx_http_modsecurity_add_variables, /* preconfiguration */
ngx_http_modsecurity_init, /* postconfiguration */

ngx_http_modsecurity_create_main_conf, /* create main configuration */
Expand Down Expand Up @@ -520,6 +539,31 @@ ngx_module_t ngx_http_modsecurity_module = {
};


static ngx_http_variable_t ngx_http_modsecurity_vars[] = {
{ ngx_string("modsecurity_req_headers_phase_time"), NULL,
ngx_http_modsecurity_req_headers_phase_time, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },

{ ngx_string("modsecurity_req_body_phase_time"), NULL,
ngx_http_modsecurity_req_body_phase_time, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },

{ ngx_string("modsecurity_resp_headers_phase_time"), NULL,
ngx_http_modsecurity_resp_headers_phase_time, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },

{ ngx_string("modsecurity_resp_body_phase_time"), NULL,
ngx_http_modsecurity_resp_body_phase_time, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },

{ ngx_string("modsecurity_logging_phase_time"), NULL,
ngx_http_modsecurity_logging_phase_time, 0,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use a same function with different argument, like 0, 1, 2, ...

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you provide an example what are you mean for that?
I didn't find example for variables with indexed arguments.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refer https://github.com/nginx/nginx/blob/release-1.21.6/src/http/ngx_http_upstream.c#L391-L401
Same function ngx_http_upstream_response_time_variable for 3 variables.

NGX_HTTP_VAR_NOCACHEABLE, 0 },
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add NGX_HTTP_VAR_NOHASH?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you are right. I added it.


ngx_http_null_variable
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ngx_http_null_variable is introduced in 1.13.4, expand it to support old nginx. nginx/nginx@b992f72

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. I change it for old style.

};


static ngx_int_t
ngx_http_modsecurity_init(ngx_conf_t *cf)
{
Expand Down Expand Up @@ -596,6 +640,23 @@ ngx_http_modsecurity_init(ngx_conf_t *cf)
return NGX_OK;
}

static ngx_int_t
ngx_http_modsecurity_add_variables(ngx_conf_t *cf) {
ngx_http_variable_t *var, *v;

for (v = ngx_http_modsecurity_vars; v->name.len; v++) {
var = ngx_http_add_variable(cf, &v->name, v->flags);
if (var == NULL) {
return NGX_ERROR;
}

var->get_handler = v->get_handler;
var->data = v->data;
}

return NGX_OK;
};


static void *
ngx_http_modsecurity_create_main_conf(ngx_conf_t *cf)
Expand Down Expand Up @@ -788,4 +849,107 @@ ngx_http_modsecurity_cleanup_rules(void *data)
}


static ngx_int_t
ngx_http_modsecurity_req_headers_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
ngx_http_modsecurity_ctx_t *ctx;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
if (ctx == NULL) {
return NGX_ERROR;
}
return ngx_http_modsecurity_time_variable(r, v, data, ctx->req_headers_phase_time);
}


static ngx_int_t
ngx_http_modsecurity_req_body_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
ngx_http_modsecurity_ctx_t *ctx;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
if (ctx == NULL) {
return NGX_ERROR;
}
return ngx_http_modsecurity_time_variable(r, v, data, ctx->req_body_phase_time);
}


static ngx_int_t
ngx_http_modsecurity_resp_headers_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
ngx_http_modsecurity_ctx_t *ctx;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
if (ctx == NULL) {
return NGX_ERROR;
}
return ngx_http_modsecurity_time_variable(r, v, data, ctx->resp_headers_phase_time);
}


static ngx_int_t
ngx_http_modsecurity_resp_body_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
ngx_http_modsecurity_ctx_t *ctx;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
if (ctx == NULL) {
return NGX_ERROR;
}
return ngx_http_modsecurity_time_variable(r, v, data, ctx->resp_body_phase_time);
}


static ngx_int_t
ngx_http_modsecurity_logging_phase_time(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
ngx_http_modsecurity_ctx_t *ctx;

ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
if (ctx == NULL) {
return NGX_ERROR;
}
return ngx_http_modsecurity_time_variable(r, v, data, ctx->logging_phase_time);
}


static ngx_int_t
ngx_http_modsecurity_time_variable(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data, ngx_msec_int_t usec)
{
u_char *p;

p = ngx_pnalloc(r->pool, NGX_TIME_T_LEN + 7);
if (p == NULL) {
return NGX_ERROR;
}

if(usec == -1) {
v->len = ngx_sprintf(p, "-") - p;
} else {
v->len = ngx_sprintf(p, "%T.%06M", (time_t) usec / 1000000, usec % 1000000) - p;
}

v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->data = p;

return NGX_OK;
}


ngx_msec_int_t
ngx_http_modsecurity_compute_processing_time(struct timeval tv) {
struct timeval current_tv;
ngx_gettimeofday(&current_tv);
return (ngx_msec_int_t) ((current_tv.tv_sec - tv.tv_sec) * 1000000 + (current_tv.tv_usec - tv.tv_usec));
};

/* vi:set ft=c ts=4 sw=4 et fdm=marker: */
7 changes: 7 additions & 0 deletions src/ngx_http_modsecurity_pre_access.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,9 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
int ret = 0;
int already_inspected = 0;

struct timeval start_tv;
ngx_gettimeofday(&start_tv);

dd("request body is ready to be processed");

r->write_event_handler = ngx_http_core_run_phases;
Expand Down Expand Up @@ -209,7 +212,11 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
/* XXX: once more -- is body can be modified ? content-length need to be adjusted ? */

old_pool = ngx_http_modsecurity_pcre_malloc_init(r->pool);

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove blank line

msc_process_request_body(ctx->modsec_transaction);

ctx->req_body_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);

ngx_http_modsecurity_pcre_malloc_done(old_pool);

ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 0);
Expand Down
7 changes: 6 additions & 1 deletion src/ngx_http_modsecurity_rewrite.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
if (ctx == NULL)
{
int ret = 0;
struct timeval start_tv;

ngx_gettimeofday(&start_tv);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest use ngx_timeofday like request_time or upstream_xxx_time in upstream module.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or ngx_current_msec.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry, ngx_current_msec is cached. just use ngx_gettimeofday

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to use clock_gettime with CLOCK_MONOTONIC for ns.


ngx_connection_t *connection = r->connection;
/**
Expand Down Expand Up @@ -206,6 +209,9 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
ngx_http_modsecurity_pcre_malloc_done(old_pool);
dd("Processing intervention with the request headers information filled in");
ret = ngx_http_modsecurity_process_intervention(ctx->modsec_transaction, r, 1);

ctx->req_headers_phase_time = ngx_http_modsecurity_compute_processing_time(start_tv);

if (r->error_page) {
return NGX_DECLINED;
}
Expand All @@ -215,6 +221,5 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
}
}


return NGX_DECLINED;
}