security - 如果未发送所需的 SSL 证书，则 modsecurity 不起作用

Question

我在 modsecurity 中有很多规则，但如果主机在 SSL https://SERVER_IP 中是数字，则没有任何规则有效，我得到这样的响应:

400 Bad Request No required SSL certificate was sent

我的 SSL 只对我的域名有效，但 modsecurity 无论如何都不应该工作吗？因为任何请求在进入应用程序或类似的东西之前都会通过 modsecurity。

问题:

1 - 我该如何解决？

2 - 为什么 modsecurity 不起作用，如果我不修复它我会变得脆弱吗？

这是我的 nginx.conf:

load_module modules/ngx_http_modsecurity_module.so;

user nobody;
worker_processes 1;
error_log               /var/log/nginx/error.log error;
pid                     /var/run/nginx.pid;

events {
    worker_connections  5000;
    use                 epoll;
    multi_accept        on;

}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    client_header_timeout 20s;
    client_body_timeout 20s;
    client_max_body_size 20m;
    client_header_buffer_size 6k;
    client_body_buffer_size 128k;
    large_client_header_buffers 2 2k;

    send_timeout 10s;
    keepalive_timeout 30 30;
    reset_timedout_connection       on;
    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 1024;
    ignore_invalid_headers on;
    connection_pool_size 256;
    request_pool_size 4k;
    output_buffers 4 32k;
    postpone_output 1460;

    include mime.types;
    default_type application/octet-stream;

    # SSL Settings
    ssl_certificate         /etc/nginx/ssl/cf_cert.pem;
    ssl_certificate_key     /etc/nginx/ssl/cf_key.pem;
    ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 5;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_protocols       TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS";
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_buffer_size 4k;

    # Logs
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    access_log off;

    # Cache bypass
    map $http_cookie $no_cache {
        default 0;
        ~SESS 1;
        ~wordpress_logged_in 1;
    }

    etag off;
    server_tokens off;

    # Headers
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Frame-Options deny always;

    server {
        listen 443 ssl http2; 
        server_name domain.com;

        root /home/user/public_html;
        index index.php index.html;

        access_log /var/log/domain/domain.com.bytes bytes;
        access_log /var/log/domain/domain.com.log combined;
        error_log /var/log/domain/domain.com.error.log warn;

        location / {
            location ~.*\.(jpeg|jpg|png|gif|bmp|ico|svg|css|js)$ {      
                expires max;     
            }

            location ~ [^/]\.php(/|$) {
                try_files $uri =404;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_pass    unix:/opt/alt/php-fpm73/usr/var/sockets/user.sock;
                fastcgi_index   index.php;
                include         /etc/nginx/fastcgi_params;
            }
        }
    }
}

Answer 1

简而言之:这与 modsecurity 无关。

您的服务器配置要求客户端发送客户端证书。如果客户端不发送此类证书，则 TLS 握手将失败 - 这就是您看到的错误。

modsecurity 仅分析 HTTP 级别的应用程序数据。使用 HTTPS，首先需要在交换任何应用程序数据之前成功完成 TLS 握手。由于在这种情况下，由于客户端没有发送证书，TLS 握手失败，连接在任何 HTTP 数据交换之前关闭，因此在使用 modsecurity 之前关闭。