Implement Phase 4 handling for ModSecurity-nginx

README.md

@@ -45,7 +45,7 @@ Further information about nginx third-party add-ons support are available [here]
 # Usage
 
 ModSecurity for nginx extends your nginx configuration directives.
-It adds four new directives and they are:
+It adds eight directives and they are:
 
 modsecurity
 -----------
@@ -175,6 +175,31 @@ using the same unique identificator.
 
 String can contain variables.
 
+
+modsecurity_phase4_mode
+------------------------
+**syntax:** *modsecurity_phase4_mode minimal | safe | strict*
+
+**context:** *http, server, location*
+
+Controls how phase 4 interventions are handled when response headers were already sent.
+
+modsecurity_phase4_content_types_file
+--------------------------------------
+**syntax:** *modsecurity_phase4_content_types_file <path>*
+
+**context:** *http, server, location*
+
+Loads the list of response content types that are in scope for phase 4 handling from a file.
+
+modsecurity_phase4_log
+----------------------
+**syntax:** *modsecurity_phase4_log <path>*
+
+**context:** *http, server, location*
+
+Sets the file used for phase 4 JSON event logging.
+
 modsecurity_use_error_log
 -----------
 **syntax:** *modsecurity_use_error_log on | off*

docs/examples/phase4-content-types.conf

@@ -0,0 +1,16 @@
+# phase4-content-types.conf
+#
+# Format rules:
+# 1) Exactly one MIME type per line.
+# 2) Lines starting with # are comments.
+# 3) Wildcards are not supported (e.g. text/* is invalid).
+# 4) Parameters (e.g. "; charset=utf-8") do not need separate entries.
+#    The module normalizes response Content-Type and compares the base type.
+# 5) Keep this list focused on body types you actually want to scope.
+
+text/html
+text/plain
+application/json
+application/problem+json
+application/xml
+application/xhtml+xml

docs/examples/phase4-minimal.conf

@@ -0,0 +1,31 @@
+# Production example: phase-4 mode "minimal"
+# Use when response continuity is more important than forced connection aborts
+# for late phase:4 interventions (after headers were already sent).
+
+http {
+    upstream app_backend {
+        server 127.0.0.1:8081;
+    }
+
+    server {
+        listen 80;
+        server_name example.local;
+
+        modsecurity on;
+        modsecurity_phase4_mode minimal;
+        modsecurity_phase4_log /var/log/nginx/modsecurity-phase4.log;
+        modsecurity_phase4_content_types_file /etc/modsecurity/phase4-content-types.conf;
+
+        # Inline rule sample for demonstration.
+        # In production, you can keep using modsecurity_rules_file as usual.
+        modsecurity_rules '
+            SecRuleEngine On
+            SecResponseBodyAccess On
+            SecRule RESPONSE_BODY "@rx sensitive-marker" "id:940101,phase:4,deny,log,status:403"
+        ';
+
+        location / {
+            proxy_pass http://app_backend;
+        }
+    }
+}

docs/examples/phase4-safe.conf

@@ -0,0 +1,29 @@
+# Production example: phase-4 mode "safe"
+# Default mode in this module. Recommended baseline if you need phase:4
+# visibility while avoiding forced disconnects on late interventions.
+
+http {
+    upstream app_backend {
+        server 127.0.0.1:8081;
+    }
+
+    server {
+        listen 80;
+        server_name example.local;
+
+        modsecurity on;
+        modsecurity_phase4_mode safe;
+        modsecurity_phase4_log /var/log/nginx/modsecurity-phase4.log;
+        modsecurity_phase4_content_types_file /etc/modsecurity/phase4-content-types.conf;
+
+        modsecurity_rules '
+            SecRuleEngine On
+            SecResponseBodyAccess On
+            SecRule RESPONSE_BODY "@rx sensitive-marker" "id:940102,phase:4,deny,log,status:403"
+        ';
+
+        location / {
+            proxy_pass http://app_backend;
+        }
+    }
+}

docs/examples/phase4-strict.conf

@@ -0,0 +1,29 @@
+# Production example: phase-4 mode "strict"
+# Use only if connection aborts are operationally acceptable, because
+# late phase:4 interventions may terminate the connection.
+
+http {
+    upstream app_backend {
+        server 127.0.0.1:8081;
+    }
+
+    server {
+        listen 80;
+        server_name example.local;
+
+        modsecurity on;
+        modsecurity_phase4_mode strict;
+        modsecurity_phase4_log /var/log/nginx/modsecurity-phase4.log;
+        modsecurity_phase4_content_types_file /etc/modsecurity/phase4-content-types.conf;
+
+        modsecurity_rules '
+            SecRuleEngine On
+            SecResponseBodyAccess On
+            SecRule RESPONSE_BODY "@rx sensitive-marker" "id:940103,phase:4,deny,log,status:403"
+        ';
+
+        location / {
+            proxy_pass http://app_backend;
+        }
+    }
+}