nixos/tests/nginx-modsecurity.nix at 23.05-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

nixpkgs / nixos / tests / nginx-modsecurity.nix

at 23.05-pre 1.3 kB view raw

 1import ./make-test-python.nix ({ pkgs, lib, ... }: {
 2  name = "nginx-modsecurity";
 3
 4  nodes.machine = { config, lib, pkgs, ... }: {
 5    services.nginx = {
 6      enable = true;
 7      additionalModules = [ pkgs.nginxModules.modsecurity-nginx ];
 8      virtualHosts.localhost =
 9        let modsecurity_conf = pkgs.writeText "modsecurity.conf" ''
10          SecRuleEngine On
11          SecDefaultAction "phase:1,log,auditlog,deny,status:403"
12          SecDefaultAction "phase:2,log,auditlog,deny,status:403"
13          SecRule REQUEST_METHOD   "HEAD"        "id:100, phase:1, block"
14          SecRule REQUEST_FILENAME "secret.html" "id:101, phase:2, block"
15        '';
16        testroot = pkgs.runCommand "testroot" {} ''
17          mkdir -p $out
18          echo "<html><body>Hello World!</body></html>" > $out/index.html
19          echo "s3cret" > $out/secret.html
20        '';
21      in {
22        root = testroot;
23        extraConfig = ''
24          modsecurity on;
25          modsecurity_rules_file ${modsecurity_conf};
26        '';
27      };
28    };
29  };
30  testScript = ''
31    machine.wait_for_unit("nginx")
32
33    response = machine.wait_until_succeeds("curl -fvvv -s http://127.0.0.1/")
34    assert "Hello World!" in response
35
36    machine.fail("curl -fvvv -X HEAD -s http://127.0.0.1/")
37    machine.fail("curl -fvvv -s http://127.0.0.1/secret.html")
38  '';
39})