
The question "mod_security with OWASP CRS: Custom rule for whitelisting googlebot" provides the following rule as the answer to verify the client's hostname:

SecRule REMOTE_HOST "@rx google(bot|)\.com$" "id:50000,nolog,allow"

This rule was meant to be used on ModSecurity with Apache and required the directive HostnameLookups On configured on Apache. The ModSecurity Handbook says:

REMOTE_HOST
If the Apache directive HostnameLookups is set to On, then this variable will hold the remote hostname resolved through DNS. If the directive is set to Off, this variable will hold the remote IP address (same as REMOTE_ADDR). Possible uses for this variable include denying known bad client hosts or network blocks or, conversely, allowing authorized hosts in.

When using Nginx as reverse proxy without Apache is there a way to make REMOTE_HOST return the hostname resolved through DNS?

Ronaldo

1 Answer


The remote IP address is already in the nginx variable $remote_addr and the ModSecurity variable REMOTE_ADDR. The reference manual says:

REMOTE_ADDR

This variable holds the IP address of the remote client.

SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:35"

You should use REMOTE_ADDR here (and probably Apache users also should).

Michael Hampton
  • Thanks, Michael Hampton. But I need the DNS, not the IP address. I'm already getting the IP address due to the lack of the option `HostnameLookups` on Nginx. – Ronaldo Sep 28 '21 at 22:56
  • @Ronaldo I presume that by "the DNS" you actually mean the _hostname_? Apparently I missed that last bit in your post somehow. I think this can be done by breaking out some Lua to do the DNS lookup and executing it selectively (you can't do hostname lookups on every request because it will absolutely destroy your performance). I'll see if I can write something later. – Michael Hampton Sep 28 '21 at 23:28
  • I appreciate it. But before you take the effort to write something, can you tell me if there's a better option to add google bots to the whitelist? I'm a newbie when it comes to Nginx and ModSecurity and I could just be missing some basic configuration. I asked about getting the hostname because it was the only method I could find on the internet and apparently it no longer applies (as you said, hostname lookup is a performance killer). – Ronaldo Sep 29 '21 at 00:36
  • @Ronaldo Not really. Even Google doesn't have better solutions in their documentation about [verifying Googlebot](https://developers.google.com/search/docs/advanced/crawling/verifying-googlebot). The lookup does take time, but there is no need to do it for any requests that don't have Googlebot in the User-Agent string. And I don't really care about making a bot wait. – Michael Hampton Sep 29 '21 at 00:49
  • I see. So the idea is to check if there is Googlebot in the User-Agent string and only then check the hostname. – Ronaldo Sep 29 '21 at 12:53
  • Hello, Michael Hampton. I've learned how to skip a rule if it doesn't match a criterion (if User-Agent is not google), now I need to know how to get the hostname from the IP of the request. Could you give me some clue about that Lua script you mentioned? – Ronaldo Oct 06 '21 at 21:00
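The procedure the comments converge on (only look up the hostname when the User-Agent claims to be Googlebot, then confirm the hostname) is Google's documented forward-confirmed reverse DNS check: reverse-resolve the client IP, require the name to end in googlebot.com or google.com, then forward-resolve that name and require the original IP among the answers. The following Python is an added example of that logic and is not code from the question, the answer, or the ModSecurity project; wiring it into nginx (for instance from the Lua the answer's comments mention) is outside the block. It assumes nothing about the page beyond the procedure itself: the resolver functions are injected so the check runs offline against a constructed table, the defaults fall back to the system resolver, and the table's addresses and hostnames are made up for the example.

```python
"""Forward-confirmed reverse DNS check for Googlebot (constructed example).

Not code from the question or answer. Follows Google's documented procedure:
reverse-resolve the client IP, require the name to be under googlebot.com or
google.com, then forward-resolve that name and require the original IP in the
answer. The forward step rejects an address whose PTR record merely claims to
be Google. Resolvers are injectable so the logic runs offline against the
constructed tables below; the defaults use the system resolver.
"""
import ipaddress
import socket
from typing import Callable, Iterable

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

ReverseResolver = Callable[[str], str]            # ip -> hostname
ForwardResolver = Callable[[str], Iterable[str]]  # hostname -> addresses


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def system_forward(hostname: str) -> Iterable[str]:
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def hostname_is_google(hostname: str) -> bool:
    # Match on a label boundary: a bare regex like google(bot|)\.com$ would
    # also accept a name such as evilgoogle.com.
    host = hostname.rstrip(".").lower()
    return any(host.endswith(suffix) for suffix in GOOGLE_SUFFIXES)


def is_verified_googlebot(ip: str, reverse: ReverseResolver = system_reverse,
                          forward: ForwardResolver = system_forward) -> bool:
    try:
        client_ip = ipaddress.ip_address(ip)
    except ValueError:
        return False
    try:
        hostname = reverse(str(client_ip))
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return False
    if not hostname_is_google(hostname):
        return False
    try:
        forward_ips = {ipaddress.ip_address(a) for a in forward(hostname)}
    except (OSError, ValueError):
        return False
    return client_ip in forward_ips


def should_allow(ip: str, user_agent: str, reverse: ReverseResolver = system_reverse,
                 forward: ForwardResolver = system_forward) -> bool:
    # Gate the lookups on the User-Agent, as the answer's comments suggest:
    # only requests that claim to be Googlebot pay for the DNS round trips.
    if "Googlebot" not in user_agent:
        return False
    return is_verified_googlebot(ip, reverse, forward)


# Constructed resolver tables using RFC 5737 documentation addresses; the
# hostnames are invented for the example and are not real Google records.
CONSTRUCTED_REVERSE = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine: forward matches
    "203.0.113.5": "crawl-192-0-2-10.googlebot.com",  # spoofed PTR: forward differs
    "198.51.100.9": "evilgoogle.com",                 # wrong domain
}
CONSTRUCTED_FORWARD = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "evilgoogle.com": ["198.51.100.9"],
}


def table_reverse(ip: str) -> str:
    if ip not in CONSTRUCTED_REVERSE:
        raise socket.herror(1, "Unknown host")
    return CONSTRUCTED_REVERSE[ip]


def table_forward(hostname: str) -> Iterable[str]:
    if hostname not in CONSTRUCTED_FORWARD:
        raise socket.gaierror(-2, "Name or service not known")
    return CONSTRUCTED_FORWARD[hostname]


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo() -> dict:
    """Run the check over the constructed table; keys are the client IPs."""
    cases = ["192.0.2.10", "203.0.113.5", "198.51.100.9", "192.0.2.77"]
    return {ip: should_allow(ip, GOOGLEBOT_UA, table_reverse, table_forward) for ip in cases}


if __name__ == "__main__":
    for ip, allowed in demo().items():
        print(f"{ip:>14}  allow={allowed}")
```

Only the first constructed address passes: the second has a reverse record that names a Google host but does not forward-resolve back to it, the third resolves consistently but outside Google's domains, and the fourth has no reverse record at all. Running the block with the default resolvers performs real DNS queries, which is exactly the cost the User-Agent gate keeps off the common path.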