[Buildroot] [PATCH 1/2] support/testing: add new test for nginx-modsecurity

[Buildroot] [PATCH 1/2] support/testing: add new test for nginx-modsecurity

[Raphaël Mélotte via buildroot]

This test verifies that we can run nginx with the modsecurity
directives.
It also checks a very simple rule that blocks requests containing the
keyword "blockme".

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
---
 DEVELOPERS                                    |  2 ++
 .../tests/package/test_nginx_modsecurity.py   | 36 +++++++++++++++++++
 .../overlay/etc/nginx/modsecurity-rules.conf  |  7 ++++
 .../overlay/etc/nginx/nginx.conf              | 15 ++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 support/testing/tests/package/test_nginx_modsecurity.py
 create mode 100644 support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
 create mode 100644 support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf

diff --git a/DEVELOPERS b/DEVELOPERS
index d127364a58..5731b4bbe0 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2850,6 +2850,8 @@ F:	support/testing/tests/package/sample_python_sdbus.py
 F:	support/testing/tests/package/sample_python_sdbus_networkmanager.py
 F:	support/testing/tests/package/sample_python_urllib3.py
 F:	support/testing/tests/package/test_python_jmespath.py
+F:	support/testing/tests/package/test_nginx_modsecurity
+F:	support/testing/tests/package/test_nginx_modsecurity.py
 F:	support/testing/tests/package/test_python_pymupdf.py
 F:	support/testing/tests/package/test_python_rsa.py
 F:	support/testing/tests/package/test_python_s3transfer.py
diff --git a/support/testing/tests/package/test_nginx_modsecurity.py b/support/testing/tests/package/test_nginx_modsecurity.py
new file mode 100644
index 0000000000..1b34c08e20
--- /dev/null
+++ b/support/testing/tests/package/test_nginx_modsecurity.py
@@ -0,0 +1,36 @@
+import os
+
+import infra.basetest
+
+
+class TestNginxModsecurity(infra.basetest.BRTest):
+    overlay = infra.filepath("tests/package/test_nginx_modsecurity/overlay")
+    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
+        f"""
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
+        BR2_USE_MMU=y
+        BR2_TARGET_ROOTFS_CPIO=y
+        BR2_TARGET_ROOTFS_CPIO_GZIP=y
+        BR2_ROOTFS_OVERLAY="{overlay}"
+        BR2_PACKAGE_NGINX=y
+        BR2_PACKAGE_NGINX_HTTP=y
+        BR2_PACKAGE_NGINX_MODSECURITY=y
+        """
+
+    def test_run(self):
+        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
+        self.emulator.boot(arch="armv5",
+                           kernel="builtin",
+                           options=["-initrd", cpio_file])
+        self.emulator.login()
+
+        self.assertRunOk("nginx -V")
+        self.assertRunOk("wget http://localhost/index.html")
+        self.assertRunOk("grep -F 'Welcome to nginx!' index.html")
+        cmd = "wget -q -O /dev/null --server-response 2>&1 " \
+            "http://localhost/blockme/ 2>&1 | awk '/^  HTTP/{print $2}'"
+        out, ret = self.emulator.run(cmd)
+        self.assertEqual(ret, 0)
+        # Check for HTTP 403 Unauthorized:
+        self.assertEqual(out[0], "403")
diff --git a/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
new file mode 100644
index 0000000000..94a132a9c7
--- /dev/null
+++ b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
@@ -0,0 +1,7 @@
+SecRuleEngine On
+SecRule REQUEST_URI "@contains blockme" \
+    "id:100001, \
+    phase:2, \
+    deny, \
+    status:403, \
+    msg:'Blocked request with forbidden keyword in URI.'"
diff --git a/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
new file mode 100644
index 0000000000..3d1b990557
--- /dev/null
+++ b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
@@ -0,0 +1,15 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    server {
+        modsecurity on;
+        listen 80;
+        location / {
+            root   html;
+            index  index.html index.htm;
+            modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
+        }
+    }
+}
-- 
2.49.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/2] package/nginx-modsecurity: bump to version 1.0.4

[Raphaël Mélotte via buildroot]

Changelog:
https://github.com/owasp-modsecurity/ModSecurity-nginx/blob/v1.0.4/CHANGES

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
---
 package/nginx-modsecurity/nginx-modsecurity.hash | 4 ++--
 package/nginx-modsecurity/nginx-modsecurity.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/nginx-modsecurity/nginx-modsecurity.hash b/package/nginx-modsecurity/nginx-modsecurity.hash
index 34e7b87f41..1d80138b94 100644
--- a/package/nginx-modsecurity/nginx-modsecurity.hash
+++ b/package/nginx-modsecurity/nginx-modsecurity.hash
@@ -1,4 +1,4 @@
-# From https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v1.0.3/modsecurity-nginx-v1.0.3.tar.gz.sha256
-sha256  ae811c7208ac029cb7a99d6f63e03d3971797607517187f47620df39c1f78add  modsecurity-nginx-v1.0.3.tar.gz
+# From https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v1.0.4/modsecurity-nginx-v1.0.4.tar.gz.sha256
+sha256  6bdc7570911be884c1e43aaf85046137f9fde0cfa0dd4a55b853c81c45a13313  modsecurity-nginx-v1.0.4.tar.gz
 # Locally calculated
 sha256  c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  LICENSE
diff --git a/package/nginx-modsecurity/nginx-modsecurity.mk b/package/nginx-modsecurity/nginx-modsecurity.mk
index 42a50ca39f..c1cd50cf9d 100644
--- a/package/nginx-modsecurity/nginx-modsecurity.mk
+++ b/package/nginx-modsecurity/nginx-modsecurity.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NGINX_MODSECURITY_VERSION = 1.0.3
+NGINX_MODSECURITY_VERSION = 1.0.4
 NGINX_MODSECURITY_SOURCE = modsecurity-nginx-v$(NGINX_MODSECURITY_VERSION).tar.gz
 NGINX_MODSECURITY_SITE = https://github.com/owasp-modsecurity/ModSecurity-nginx/releases/download/v$(NGINX_MODSECURITY_VERSION)
 NGINX_MODSECURITY_LICENSE = Apache-2.0
-- 
2.49.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] support/testing: add new test for nginx-modsecurity

[Julien Olivain via buildroot]

On 27/06/2025 14:19, Raphaël Mélotte via buildroot wrote:
> This test verifies that we can run nginx with the modsecurity
> directives.
> It also checks a very simple rule that blocks requests containing the
> keyword "blockme".
> 
> Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>

Series applied to master, thanks.

For info, I did few minor changes, see:
https://gitlab.com/buildroot.org/buildroot/-/commit/5cda85cb566bfcd9d7a6c5bd701d326a47cb725b

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] support/testing: add new test for nginx-modsecurity

[Raphaël Mélotte via buildroot]

Hi Julien,

On 6/28/25 14:22, Julien Olivain wrote:
> For info, I did few minor changes, see:
> https://gitlab.com/buildroot.org/buildroot/-/commit/5cda85cb566bfcd9d7a6c5bd701d326a47cb725b
> 

Good to know for next time!

Thanks,

Raphaël
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] support/testing: add new test for nginx-modsecurity

[Thomas Perale via buildroot]

In reply of:
> This test verifies that we can run nginx with the modsecurity
> directives.
> It also checks a very simple rule that blocks requests containing the
> keyword "blockme".
> 
> Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>

Applied to 2025.02.x. Thanks

> ---
>  DEVELOPERS                                    |  2 ++
>  .../tests/package/test_nginx_modsecurity.py   | 36 +++++++++++++++++++
>  .../overlay/etc/nginx/modsecurity-rules.conf  |  7 ++++
>  .../overlay/etc/nginx/nginx.conf              | 15 ++++++++
>  4 files changed, 60 insertions(+)
>  create mode 100644 support/testing/tests/package/test_nginx_modsecurity.py
>  create mode 100644 support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
>  create mode 100644 support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index d127364a58..5731b4bbe0 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -2850,6 +2850,8 @@ F:	support/testing/tests/package/sample_python_sdbus.py
>  F:	support/testing/tests/package/sample_python_sdbus_networkmanager.py
>  F:	support/testing/tests/package/sample_python_urllib3.py
>  F:	support/testing/tests/package/test_python_jmespath.py
> +F:	support/testing/tests/package/test_nginx_modsecurity
> +F:	support/testing/tests/package/test_nginx_modsecurity.py
>  F:	support/testing/tests/package/test_python_pymupdf.py
>  F:	support/testing/tests/package/test_python_rsa.py
>  F:	support/testing/tests/package/test_python_s3transfer.py
> diff --git a/support/testing/tests/package/test_nginx_modsecurity.py b/support/testing/tests/package/test_nginx_modsecurity.py
> new file mode 100644
> index 0000000000..1b34c08e20
> --- /dev/null
> +++ b/support/testing/tests/package/test_nginx_modsecurity.py
> @@ -0,0 +1,36 @@
> +import os
> +
> +import infra.basetest
> +
> +
> +class TestNginxModsecurity(infra.basetest.BRTest):
> +    overlay = infra.filepath("tests/package/test_nginx_modsecurity/overlay")
> +    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
> +        f"""
> +        BR2_TOOLCHAIN_EXTERNAL=y
> +        BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
> +        BR2_USE_MMU=y
> +        BR2_TARGET_ROOTFS_CPIO=y
> +        BR2_TARGET_ROOTFS_CPIO_GZIP=y
> +        BR2_ROOTFS_OVERLAY="{overlay}"
> +        BR2_PACKAGE_NGINX=y
> +        BR2_PACKAGE_NGINX_HTTP=y
> +        BR2_PACKAGE_NGINX_MODSECURITY=y
> +        """
> +
> +    def test_run(self):
> +        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
> +        self.emulator.boot(arch="armv5",
> +                           kernel="builtin",
> +                           options=["-initrd", cpio_file])
> +        self.emulator.login()
> +
> +        self.assertRunOk("nginx -V")
> +        self.assertRunOk("wget http://localhost/index.html")
> +        self.assertRunOk("grep -F 'Welcome to nginx!' index.html")
> +        cmd = "wget -q -O /dev/null --server-response 2>&1 " \
> +            "http://localhost/blockme/ 2>&1 | awk '/^  HTTP/{print $2}'"
> +        out, ret = self.emulator.run(cmd)
> +        self.assertEqual(ret, 0)
> +        # Check for HTTP 403 Unauthorized:
> +        self.assertEqual(out[0], "403")
> diff --git a/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
> new file mode 100644
> index 0000000000..94a132a9c7
> --- /dev/null
> +++ b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
> @@ -0,0 +1,7 @@
> +SecRuleEngine On
> +SecRule REQUEST_URI "@contains blockme" \
> +    "id:100001, \
> +    phase:2, \
> +    deny, \
> +    status:403, \
> +    msg:'Blocked request with forbidden keyword in URI.'"
> diff --git a/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
> new file mode 100644
> index 0000000000..3d1b990557
> --- /dev/null
> +++ b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
> @@ -0,0 +1,15 @@
> +events {
> +    worker_connections 1024;
> +}
> +
> +http {
> +    server {
> +        modsecurity on;
> +        listen 80;
> +        location / {
> +            root   html;
> +            index  index.html index.htm;
> +            modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
> +        }
> +    }
> +}
> -- 
> 2.49.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/2] support/testing: add new test for nginx-modsecurity

[Thomas Perale via buildroot]

In reply of:
> This test verifies that we can run nginx with the modsecurity
> directives.
> It also checks a very simple rule that blocks requests containing the
> keyword "blockme".
> 
> Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>

Applied to 2025.05.x. Thanks

> ---
>  DEVELOPERS                                    |  2 ++
>  .../tests/package/test_nginx_modsecurity.py   | 36 +++++++++++++++++++
>  .../overlay/etc/nginx/modsecurity-rules.conf  |  7 ++++
>  .../overlay/etc/nginx/nginx.conf              | 15 ++++++++
>  4 files changed, 60 insertions(+)
>  create mode 100644 support/testing/tests/package/test_nginx_modsecurity.py
>  create mode 100644 support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
>  create mode 100644 support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
> 
> diff --git a/DEVELOPERS b/DEVELOPERS
> index d127364a58..5731b4bbe0 100644
> --- a/DEVELOPERS
> +++ b/DEVELOPERS
> @@ -2850,6 +2850,8 @@ F:	support/testing/tests/package/sample_python_sdbus.py
>  F:	support/testing/tests/package/sample_python_sdbus_networkmanager.py
>  F:	support/testing/tests/package/sample_python_urllib3.py
>  F:	support/testing/tests/package/test_python_jmespath.py
> +F:	support/testing/tests/package/test_nginx_modsecurity
> +F:	support/testing/tests/package/test_nginx_modsecurity.py
>  F:	support/testing/tests/package/test_python_pymupdf.py
>  F:	support/testing/tests/package/test_python_rsa.py
>  F:	support/testing/tests/package/test_python_s3transfer.py
> diff --git a/support/testing/tests/package/test_nginx_modsecurity.py b/support/testing/tests/package/test_nginx_modsecurity.py
> new file mode 100644
> index 0000000000..1b34c08e20
> --- /dev/null
> +++ b/support/testing/tests/package/test_nginx_modsecurity.py
> @@ -0,0 +1,36 @@
> +import os
> +
> +import infra.basetest
> +
> +
> +class TestNginxModsecurity(infra.basetest.BRTest):
> +    overlay = infra.filepath("tests/package/test_nginx_modsecurity/overlay")
> +    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
> +        f"""
> +        BR2_TOOLCHAIN_EXTERNAL=y
> +        BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
> +        BR2_USE_MMU=y
> +        BR2_TARGET_ROOTFS_CPIO=y
> +        BR2_TARGET_ROOTFS_CPIO_GZIP=y
> +        BR2_ROOTFS_OVERLAY="{overlay}"
> +        BR2_PACKAGE_NGINX=y
> +        BR2_PACKAGE_NGINX_HTTP=y
> +        BR2_PACKAGE_NGINX_MODSECURITY=y
> +        """
> +
> +    def test_run(self):
> +        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
> +        self.emulator.boot(arch="armv5",
> +                           kernel="builtin",
> +                           options=["-initrd", cpio_file])
> +        self.emulator.login()
> +
> +        self.assertRunOk("nginx -V")
> +        self.assertRunOk("wget http://localhost/index.html")
> +        self.assertRunOk("grep -F 'Welcome to nginx!' index.html")
> +        cmd = "wget -q -O /dev/null --server-response 2>&1 " \
> +            "http://localhost/blockme/ 2>&1 | awk '/^  HTTP/{print $2}'"
> +        out, ret = self.emulator.run(cmd)
> +        self.assertEqual(ret, 0)
> +        # Check for HTTP 403 Unauthorized:
> +        self.assertEqual(out[0], "403")
> diff --git a/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
> new file mode 100644
> index 0000000000..94a132a9c7
> --- /dev/null
> +++ b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/modsecurity-rules.conf
> @@ -0,0 +1,7 @@
> +SecRuleEngine On
> +SecRule REQUEST_URI "@contains blockme" \
> +    "id:100001, \
> +    phase:2, \
> +    deny, \
> +    status:403, \
> +    msg:'Blocked request with forbidden keyword in URI.'"
> diff --git a/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
> new file mode 100644
> index 0000000000..3d1b990557
> --- /dev/null
> +++ b/support/testing/tests/package/test_nginx_modsecurity/overlay/etc/nginx/nginx.conf
> @@ -0,0 +1,15 @@
> +events {
> +    worker_connections 1024;
> +}
> +
> +http {
> +    server {
> +        modsecurity on;
> +        listen 80;
> +        location / {
> +            root   html;
> +            index  index.html index.htm;
> +            modsecurity_rules_file /etc/nginx/modsecurity-rules.conf;
> +        }
> +    }
> +}
> -- 
> 2.49.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot