Score:1

How to get the remote hostname resolved through DNS when using Nginx and ModSecurity?

br flag

The question mod_security with OWASP CRS: Custom rule for whitelisting googlebot provides the following rule as the answer to verify the client's hostname:

SecRule REMOTE_HOST "@rx google(bot|)\.com$" "id:50000,nolog,allow"

This rule was meant to be used on ModSecurity with Apache and required the directive HostnameLookups On configured on Apache. The MODSECURITY HANDBOOK says:

REMOTE_HOST
If the Apache directive HostnameLookups is set to On, then this variable will hold the remote hostname resolved through DNS. If the directive is set to Off, this variable will hold the remote IP address (same as REMOTE_ADDR). Possible uses for this variable include denying known bad client hosts or network blocks or, conversely, allowing authorized hosts in.

When using Nginx as reverse proxy without Apache is there a way to make REMOTE_HOST return the hostname resolved through DNS?

Score:0
cz flag

The remote IP address is already in the nginx variable $remote_addr and the ModSecurity variable REMOTE_ADDR. The reference manual says:

REMOTE_ADDR

This variable holds the IP address of the remote client.

SecRule REMOTE_ADDR "@ipMatch 192.168.1.101" "id:35"

You should use REMOTE_ADDR here (and probably Apache users also should).

Ronaldo avatar
br flag
Thanks, Michael Hampton. But I need the DNS, not the IP address. I'm already getting the IP address due to the lack of the option `HostnameLookups` on Nginx.
Michael Hampton avatar
cz flag
@Ronaldo I presume that by "the DNS" you actually mean the _hostname_? Apparently I missed that last bit in your post somehow. I think this can be done by breaking out some Lua to do the DNS lookup and executing it selectively (you can't do hostname lookups on every request because it will absolutely destroy your performance). I'll see if I can write something later.
Ronaldo avatar
br flag
I appreciate it. But before you take the effort to write something, can you tell me if there's a better option to add google bots to the whitelist? I'm a newbie when it comes to Nginx and ModSecurity and I could just be missing some basic configuration. I asked about getting the hostname because it was the only method I could find on the internet and apparently it no longer applies (as you said, hostname lookup is a performance killer).
Michael Hampton avatar
cz flag
@Ronaldo Not really. Even Google doesn't have better solutions in their documentation about [verifying Googlebot](https://developers.google.com/search/docs/advanced/crawling/verifying-googlebot). The lookup does take time, but there is no need to do it for any requests that don't have Googlebot in the User-Agent string. And I don't really care about making a bot wait.
Ronaldo avatar
br flag
I see. So the idea is to check if there is Googlebot in the User-Agent string and only then check the hostname.
Ronaldo avatar
br flag
Hello, Michael Hampton. I've learned how to skip a rule if it doesn't match a criterion (if User-Agent is not Google); now I need to know how to get the hostname from the IP of the request. Could you give me some clue about that Lua script you mentioned?
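The procedure the comments converge on (a cheap User-Agent pre-check, a reverse DNS lookup only for requests that claim to be Googlebot, then a forward lookup to confirm the name really maps back to the client IP, which is the method Google's own verification page describes) as an added example in Python. This is not Michael Hampton's Lua script nor any code from the thread; the resolver functions, the TEST-NET addresses and the PTR names in the fake tables are constructed for the demo. It also tightens the suffix match: the question's `google(bot|)\.com$` would accept a PTR such as `evilgoogle.com`, so the check below requires a dot before `googlebot.com` or `google.com`.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional

# Google documents Googlebot reverse names under googlebot.com and google.com.
# The leading "\." forces a label boundary so "notgooglebot.com" is rejected.
GOOGLE_SUFFIX_RE = re.compile(r"\.(googlebot|google)\.com$", re.IGNORECASE)

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
ForwardLookup = Callable[[str], Iterable[str]]   # hostname -> A/AAAA addresses


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver (needs network; not used by the demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def system_forward(hostname: str) -> list:
    """A/AAAA lookup through the OS resolver (needs network; not used by the demo)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except (socket.gaierror, OSError):
        return []


def claims_googlebot(user_agent: str) -> bool:
    """Pre-check: only requests that claim to be Googlebot get a DNS lookup,
    so the (slow) resolution never runs for ordinary traffic."""
    return "googlebot" in user_agent.lower()


def is_verified_googlebot(ip: str, user_agent: str,
                          reverse: ReverseLookup = system_reverse,
                          forward: ForwardLookup = system_forward) -> bool:
    """True only if the UA claims Googlebot, the PTR ends in a Google domain,
    and that hostname resolves forward to the same client IP."""
    if not claims_googlebot(user_agent):
        return False
    host = reverse(ip)
    if host is None:
        return False
    host = host.rstrip(".")              # tolerate a trailing root dot
    if not GOOGLE_SUFFIX_RE.search(host):
        return False
    # Forward confirmation: PTR records are set by whoever owns the IP block,
    # so a spoofed reverse name only passes if Google's zone maps it back here.
    try:
        client = ipaddress.ip_address(ip)
        forward_ips = {ipaddress.ip_address(a) for a in forward(host)}
    except ValueError:
        return False
    return client in forward_ips


# --- constructed sample data (TEST-NET ranges, fake PTR names) for offline use ---
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # legitimate, forward-confirms
    "203.0.113.5": "crawl.evilgoogle.com",             # look-alike suffix, must fail
    "198.51.100.7": "crawl-192-0-2-10.googlebot.com",  # spoofed PTR, forward mismatch
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl.evilgoogle.com": ["203.0.113.5"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(hostname: str) -> list:
    return FAKE_A.get(hostname, [])


def demo() -> dict:
    """Run the check against the constructed table; returns ip -> verdict."""
    ua_bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    results = {ip: is_verified_googlebot(ip, ua_bot, fake_reverse, fake_forward)
               for ip in FAKE_PTR}
    # a plain client never triggers a lookup, whatever its address resolves to
    results["192.0.2.10/curl"] = is_verified_googlebot("192.0.2.10", "curl/8.0",
                                                       fake_reverse, fake_forward)
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:20} -> {'allow' if verdict else 'deny'}")
```

The two `system_*` functions are what you would pass in production; the fake pair keeps the demo offline. Whether you port this to Lua for nginx or keep it in a sidecar, the order matters: the User-Agent test is the gate, and an allow decision should require both the suffix match and the forward confirmation, never the PTR alone.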