@abtnode/router-provider 1.16.38-beta-20250118-033334-2da05ae8 → 1.16.38-beta-20250120-112111-55c032e8

package/README.md

@@ -54,7 +54,13 @@ There are various ways for you to contribute to this package, such as adding sup
 - [ ] Openresty
 - [ ] Tengine
 - [ ] AWS ELB
-- [ ] Node.js
+- [x] Node.js
 - [x] Nginx: supported
 
 If you are working with the nginx routing engine, you may found this tool useful: <https://nginx.viraptor.info/>
+
+## How to update the CRS rules
+
+1. Pull the latest rules from the CRS repository
+2. Copy the rules in the `lib/nginx/includes/security/crs4/rules` directory
+3. Disable rules for windows in `lib/nginx/includes/security/crs4/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf`

package/lib/nginx/includes/proxy.raw

@@ -5,6 +5,7 @@ proxy_send_timeout 3600;
 proxy_pass_header server;
 
 proxy_headers_hash_bucket_size 512;
+proxy_buffering off;
 proxy_buffer_size 10k;
 proxy_next_upstream error timeout invalid_header;
 proxy_redirect off;

package/lib/nginx/includes/security/crs4/rules/{REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example → REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf}

@@ -185,16 +185,40 @@
 # - id: 920350 (IP address in host header)
 # - tag: attack-disclosure (all RESPONSE-*-DATA-LEAKAGES rules)
 #
-# SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
-#    "id:1005,\
-#    phase:1,\
-#    pass,\
-#    nolog,\
-#    chain"
-#    SecRule REQUEST_METHOD "@pm GET HEAD" "chain"
-#       SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
-#           "ctl:ruleRemoveById=911100,\
-#           ctl:ruleRemoveById=913100,\
-#           ctl:ruleRemoveById=920280,\
-#           ctl:ruleRemoveById=920350,\
-#           ctl:ruleRemoveByTag=attack-disclosure"
+SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" \
+   "id:1005,\
+   phase:1,\
+   pass,\
+   nolog,\
+   chain"
+   SecRule REQUEST_METHOD "@pm GET HEAD" "chain"
+      SecRule REQUEST_HEADERS:User-Agent "@pm ELB-HealthChecker" \
+          "ctl:ruleRemoveById=911100,\
+          ctl:ruleRemoveById=913100,\
+          ctl:ruleRemoveById=920280,\
+          ctl:ruleRemoveById=920350,\
+          ctl:ruleRemoveByTag=attack-disclosure"
+
+# Disable some rules for GraphQL API endpoint for blocklet server and service
+SecRule REQUEST_FILENAME "@endsWith /api/gql" \
+   "id:1006,\
+   phase:1,\
+   pass,\
+   nolog,\
+   chain"
+   SecRule REQUEST_METHOD "@pm POST" \
+       "ctl:ruleRemoveByTag=attack-sqli,\
+        ctl:ruleRemoveByTag=attack-rce,\
+        ctl:ruleRemoveByTag=attack-xss"
+
+# Disable some rules for websocket endpoint for blocklet server and service
+SecRule REQUEST_FILENAME "@endsWith /websocket" \
+   "id:1007,\
+   phase:1,\
+   pass,\
+   nolog,\
+   chain"
+   SecRule REQUEST_METHOD "@pm GET" \
+   "chain"
+      SecRule REQUEST_HEADERS:Upgrade "@streq websocket" \
+          "ctl:ruleRemoveByTag=attack-protocol"

package/lib/nginx/includes/security/crs4/rules/{RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example → RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf}

@@ -28,6 +28,7 @@
 #
 # ModSecurity Rule Exclusion: Disable PHP injection rules
 # SecRuleRemoveByTag "attack-injection-php"
+SecRuleRemoveByTag "platform-windows"
 
 #
 # Example Exclusion Rule: To unconditionally remove parameter "foo" from

package/lib/nginx/index.js

@@ -11,6 +11,7 @@ const getPort = require('get-port');
 const uniqBy = require('lodash/uniqBy');
 const pick = require('lodash/pick');
 const camelCase = require('lodash/camelCase');
+const lowerCase = require('lodash/lowerCase');
 const isEmpty = require('lodash/isEmpty');
 const formatBackSlash = require('@abtnode/util/lib/format-back-slash');
 const {
@@ -386,7 +387,7 @@ class NginxProvider extends BaseProvider {
 
     if (config['add-module']) {
       const modulePaths = Array.isArray(config['add-module']) ? config['add-module'] : [config['add-module']];
-      capabilities.modsecurity = modulePaths.some((x) => x.includes('modsecurity'));
+      capabilities.modsecurity = modulePaths.some((x) => lowerCase(x).includes('modsecurity'));
     }
 
     return capabilities;

package/lib/nginx/templates/security/crs4/crs-setup.conf.js

@@ -98,8 +98,8 @@ module.exports = ({
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 #   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
 #
-SecDefaultAction "phase:1,log,auditlog,pass"
-SecDefaultAction "phase:2,log,auditlog,pass"
+# SecDefaultAction "phase:1,log,auditlog,pass"
+# SecDefaultAction "phase:2,log,auditlog,pass"
 
 # Example: Anomaly Scoring mode, log only to ModSecurity audit log
 # - By default, offending requests are blocked with an error 403 response.
@@ -118,8 +118,8 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # - In Apache, you can use ErrorDocument to show a friendly error page or
 #   perform a redirect: https://httpd.apache.org/docs/2.4/custom-error.html
 #
-# SecDefaultAction "phase:1,log,auditlog,deny,status:403"
-# SecDefaultAction "phase:2,log,auditlog,deny,status:403"
+SecDefaultAction "phase:1,log,auditlog,deny,status:403"
+SecDefaultAction "phase:2,log,auditlog,deny,status:403"
 
 # Example: Self-contained mode, redirect back to homepage on blocking
 # - In this configuration the 'tag' action includes the Host header data in the

package/lib/nginx/templates/security/modsecurity.conf.js

@@ -226,16 +226,16 @@ SecDataDir ${tmpDir}
 
 
 # -- Debug log configuration -------------------------------------------------
-SecDebugLog ${logDir}/modsecurity.log
+SecDebugLog ${logDir}/modsecurity-debug.log
 SecDebugLogLevel ${logLevel}
 
 # -- Audit log configuration -------------------------------------------------
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 SecAuditLogParts ABIJDEFHZ
-SecAuditLogType Concurrent
-SecAuditLog /dev/null
-# SecAuditLog ${logDir}/modsecurity-audit.log
+SecAuditLogType Serial
+SecAuditLogFormat Native
+SecAuditLog ${logDir}/modsecurity.log
 
 SecArgumentSeparator &
 SecCookieFormat 0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abtnode/router-provider",
-  "version": "1.16.38-beta-20250118-033334-2da05ae8",
+  "version": "1.16.38-beta-20250120-112111-55c032e8",
   "description": "Routing engine implementations for abt node",
   "author": "polunzh <polunzh@gmail.com>",
   "homepage": "https://github.com/ArcBlock/blocklet-server#readme",
@@ -32,10 +32,10 @@
     "url": "https://github.com/ArcBlock/blocklet-server/issues"
   },
   "dependencies": {
-    "@abtnode/constant": "1.16.38-beta-20250118-033334-2da05ae8",
-    "@abtnode/logger": "1.16.38-beta-20250118-033334-2da05ae8",
-    "@abtnode/router-templates": "1.16.38-beta-20250118-033334-2da05ae8",
-    "@abtnode/util": "1.16.38-beta-20250118-033334-2da05ae8",
+    "@abtnode/constant": "1.16.38-beta-20250120-112111-55c032e8",
+    "@abtnode/logger": "1.16.38-beta-20250120-112111-55c032e8",
+    "@abtnode/router-templates": "1.16.38-beta-20250120-112111-55c032e8",
+    "@abtnode/util": "1.16.38-beta-20250120-112111-55c032e8",
     "@arcblock/http-proxy": "^1.19.1",
     "@arcblock/is-valid-domain": "^1.0.5",
     "axios": "^1.7.9",
@@ -60,5 +60,5 @@
     "bluebird": "^3.7.2",
     "fs-extra": "^11.2.0"
   },
-  "gitHead": "55a983304e72e5e54d6425acd0e2dad1f710aad3"
+  "gitHead": "adcb4f0e35157f6645e10e7ef53f8fdeff6953ec"
 }