After building a custom docker image with the new version of nginx, the modsecurity page is turned on and it becomes messy!

[kejilion]

Describe the bug

The latest version of nginx, I built my own docker image and used GitHub workflow to automatically execute it. Turning on modsecurity in the newly built nginx image will cause page loading errors. Turning off modsecurity will restore to normal.

As long as waf is turned on, the page will be messed up. I checked the waf warehouse and it has not been updated, but the nginx image has been updated. I hope it can be fixed. I did not have this problem when I built it in early January. Today, the page is messed up after turning on waf. This is how I build the image: https://github.com/kejilion/docker/blob/main/nginx/Dockerfile-waf

Logs and dumps

I just didn't see any relevant error logs. At first I thought it was WAF interception that caused the page display to be disordered, but there was no interception log, nor in the nginx log.

To Reproduce

https://github.com/kejilion/nginx/blob/main/nginx10.conf
https://github.com/kejilion/nginx/blob/main/wordpress.com.conf

Expected behavior

The version of nginx at the beginning of the month does not have page confusion when WAF is enabled, but the docker image built today will have problems. The build method is exactly the same as before. I hope it will return to normal and display the page content correctly.

Additional context

/ # nginx -V
nginx version: nginx/1.27.3
built by gcc 13.2.1 20240309 (Alpine 13.2.1_git20240309)
built with OpenSSL 3.3.0 9 Apr 2024 (running with OpenSSL 3.3.2 3 Sep 2024)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-Os -fstack-clash-protection -Wformat -Werror=format-security -g' --with-ld-opt=-Wl,--as-needed,-O1,--sort-common

[airween]

Hi @kejilion,

seems like this issue is the same as other users ran into and described in ModSecurity-nginx issue #336. Please take a look at that, and if you think it's the same, close this issue.

[kejilion]

Hi @kejilion,

seems like this issue is the same as other users ran into and described in ModSecurity-nginx issue #336. Please take a look at that, and if you think it's the same, close this issue.

Thank you for giving me hope. Thank you very much. I hope it can be fixed or a solution can be provided soon.

[ne20002]

I ran into this today with the latest nginx version from docker hub.

I worked around by going back to the version 4.10-nginx-202501050801. Having this problem existing in a version published on docker hub is unfortunate.

[ksmv-7]

Hi everyone,

Anyone here would have an explanation how comes we get the output from the screenshot when modsecurity is on but if it off everything works correctly? The catch is that our nginx docker image is 1.23.1-alpine and we are using the ModSecurity tag 3.0.8 => both versions being from 2 years ago.
My issue looks similar to what OP has but my version are way too old, so I cannot explain or fix it.

[airween]

@ksmv-7,

both versions being from 2 years ago.

which versions do you think? Libmodsecurity3 (which is old with version 3.0.8, indeed), and what? Nginx connector?

Anyway, it does not matter really, if those are too old, then I'm afraid nobody can help. Perhaps you should upgrade to the newest released versions, both libmodsecurity3 and the connector.

[adiva2433]

@ksmv-7 we also face it its related to https://github.com/SpiderLabs/ModSecurity something had been change and we cant figure out why its suddenly happen

[ksmv-7]

@airween I am saying that we build and image from nginx:1.23.1-alpine which is an image from 2 years ago. In the build process we git clone this repository using the tag v3.0.8 which is also from 3 years ago. OP is using latest versions but we have pretty much the same issue, hence I am wondering how is it possible that on the old versions I am using I am getting what OP describes for the latest versions.
Indeed, we might upgrade our versions, which I initially tried in order to solve my issue but it didn't solve it anyway.

[ksmv-7]

@adiva2433 Yup, started happening all of a sudden without any major code changes nor any changes to the build process at all. Are you also using old versions?

[adiva2433]

@ksmv-7 yes we use old version

[airween]

Can we close this issue?

[kejilion]

Can we close this issue?

Can you help me shut it down? I don't know how to do it.

[airween]

Can you help me shut it down? I don't know how to do it.

I think if you upgrade libmodsecurity3 library to 3.0.14, then this issue will disappear.