nixpkgs/nixos/tests/nginx-modsecurity.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

52 lines
1.5 KiB
Nix
Raw Normal View History

2022-02-14 23:10:37 +00:00
import ./make-test-python.nix (
{ pkgs, lib, ... }:
{
name = "nginx-modsecurity";
2022-03-20 23:15:30 +00:00
nodes.machine =
{
config,
lib,
pkgs,
...
}:
{
2022-02-14 23:10:37 +00:00
services.nginx = {
enable = true;
additionalModules = [ pkgs.nginxModules.modsecurity ];
2022-02-14 23:10:37 +00:00
virtualHosts.localhost =
let
modsecurity_conf = pkgs.writeText "modsecurity.conf" ''
SecRuleEngine On
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
SecRule REQUEST_METHOD "HEAD" "id:100, phase:1, block"
SecRule REQUEST_FILENAME "secret.html" "id:101, phase:2, block"
'';
testroot = pkgs.runCommand "testroot" { } ''
mkdir -p $out
echo "<html><body>Hello World!</body></html>" > $out/index.html
echo "s3cret" > $out/secret.html
'';
in
{
root = testroot;
extraConfig = ''
modsecurity on;
modsecurity_rules_file ${modsecurity_conf};
'';
};
};
2022-02-14 23:10:37 +00:00
};
testScript = ''
machine.wait_for_unit("nginx")
response = machine.wait_until_succeeds("curl -fvvv -s http://127.0.0.1/")
assert "Hello World!" in response
machine.fail("curl -fvvv -X HEAD -s http://127.0.0.1/")
machine.fail("curl -fvvv -s http://127.0.0.1/secret.html")
'';
}
)