modsecurity: do not run for subreqs and after internal redirect

Author: pracj3am

src/ngx_http_modsecurity_common.h

@@ -77,7 +77,6 @@ typedef struct {
 
     unsigned waiting_more_body:1;
     unsigned body_requested:1;
-    unsigned processed:1;
     unsigned logged:1;
     unsigned intervention_triggered:1;
     unsigned pre_access_processed:1;

src/ngx_http_modsecurity_header_filter.c

@@ -51,13 +51,11 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
 
     ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
-    if (ctx == NULL || ctx->processed || ctx->intervention_triggered) {
+    if (ctx == NULL || ctx->intervention_triggered) {
         // nothing to be done
         return ngx_http_next_header_filter(r);
     }
 
-    ctx->processed = 1;
-
     part = &r->headers_out.headers.part;
     header = part->elts;
 
@@ -99,6 +97,7 @@ ngx_http_modsecurity_header_filter(ngx_http_request_t *r)
         return ngx_http_next_header_filter(r);
     }
     if (rc > 0) {
+        ctx->intervention_triggered = 1;
         return ngx_http_filter_finalize_request(r, &ngx_http_modsecurity_module, rc);
     }
 

src/ngx_http_modsecurity_pre_access.c

@@ -45,6 +45,10 @@ ngx_http_modsecurity_pre_access_handler(ngx_http_request_t *r)
     ngx_pool_t                  *old_pool;
     ngx_http_modsecurity_ctx_t  *ctx;
 
+    if (r != r->main || r->internal) {
+        return NGX_DECLINED;
+    }
+
     ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
     if (ctx == NULL

src/ngx_http_modsecurity_rewrite.c

@@ -51,6 +51,10 @@ ngx_http_modsecurity_rewrite_handler_internal(ngx_http_request_t *r)
     ngx_http_modsecurity_conf_t       *mcf;
     ngx_http_modsecurity_main_conf_t  *mmcf;
 
+    if (r != r->main || r->internal) {
+        return NGX_DECLINED;
+    }
+
     /*
     if (r->method != NGX_HTTP_GET &&
         r->method != NGX_HTTP_POST && r->method != NGX_HTTP_HEAD) {