Exclude logs from K8s to /healthz

Signed-off-by: Manuel Hutter <manuel@hutter.io>
vshn · Aug 12, 2024 · 37ef42c · 37ef42c
1 parent d0483c0
commit 37ef42c
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 20 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -21,7 +21,9 @@ ENV ACCESSLOG=/dev/stdout \
     MODSEC_REQ_BODY_LIMIT=100000000 \
     MODSEC_REQ_BODY_NOFILES_LIMIT=5242880 \
     MODSEC_RESP_BODY_LIMIT=500000000 \
-    CLAMD_DEBUG_LOG=off
+    CLAMD_DEBUG_LOG=off \
+    # Use the default docker subnet as the default \
+    HEALTHZ_CIDRS=172.18.0.0/24
 
 USER root
 

diff --git a/README.md b/README.md
@@ -6,25 +6,6 @@ Based on the official [coreruleset/modsecurity-crs-docker](https://github.com/co
 - Sets opinionated default configurations
 - Includeds the [ClamAV anti-virus scanner](https://www.clamav.net/) client
 
-## Status
-
-This image is currently being reworked.
-
-### Backlog
-
-- [x] rudimentary development environment
-- [x] use the `alpine` upstream image
-- [x] build & push to GHCR
-- [x] automated updates via Renovate
-- [x] can run on OpenShift
-- [ ] ModSecurity configuration defaults (& documented)
-- [x] JSON AccessLog
-- [x] JSON ModSecurity log
-- [x] custom rules support (`init`, `before`, `after`)
-- [x] contains ClamAV
-- [ ] automated release (tagging) process
-- [ ] migrate other random configurations from the v3 image
-
 ## Usage
 
 The latest image can be pulled from
@@ -60,6 +41,13 @@ Most aspects can be configured using environment variables.
 For a full list of supported environment variables, see the [upstream documentation][upstream].
 We use the Apache Alpine image.
 
+### Extra configuration variables
+
+- `HEALTHZ_CIDRS` - CIDR from which requests to the `/healthz` endpoint should be whitelisted.
+  This should usually be set to your Kubernetes host subnet range.
+  Multiple CIDR ranges can be specified.
+  Example: `1.2.3.4/24,5.6.7.8/24`
+
 ## License
 
 This project itself is licensed under BSD 3-Clause, see [LICENSE](./LICENSE).

diff --git a/custom-rules/before-crs.dist/cleanlogs.conf b/custom-rules/before-crs.dist/cleanlogs.conf
@@ -0,0 +1,13 @@
+# === Exempt frequent well-known requests from logging, e.g. health checks (ids: 40000 - 40100)
+
+# Ignore requests coming from Kubernetes going to the health check endpoint.
+# - don't log
+# - allow request
+# - don't write an audit log for the request
+SecRule REQUEST_URI "@streq /healthz" "phase:1,id:40099,nolog,allow,ctl:auditEngine=Off,chain"
+    SecRule REMOTE_ADDR "@ipMatch ${HEALTHZ_CIDRS}"
+
+# Ignore requests coming from localhost. This is useful if there are request issued via Shell or
+# from a sidecar that provide limited or no customization in the request headers (e.g. Apache exporter).
+SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "phase:1,id:40001,nolog,allow,ctl:auditEngine=Off"
+SecRule REMOTE_ADDR "@ipMatch ::1" "phase:1,id:40002,nolog,allow,ctl:auditEngine=Off"