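# NixOS VM test: nginx with the ModSecurity module loaded must serve ordinary
# requests and must deny the two requests matched by the rules below.
import ./make-test-python.nix ({ pkgs, lib, ... }: {
  name = "nginx-modsecurity";

  nodes.machine = { config, lib, pkgs, ... }: {
    services.nginx = {
      enable = true;
      additionalModules = [ pkgs.nginxModules.modsecurity ];
      virtualHosts.localhost =
        let
          # Minimal rule set for the test. The engine is in enforcing mode
          # (SecRuleEngine On, not DetectionOnly), and the default action for
          # phases 1 and 2 is deny with status 403, which is what "block"
          # resolves to in rules 100 and 101.
          # A SecRule with a bare string uses the default @rx operator, so
          # "HEAD" and "secret.html" are unanchored regular expressions; that
          # is sufficient for this fixture but broader than an exact match.
          modsecurity_conf = pkgs.writeText "modsecurity.conf" ''
            SecRuleEngine On
            SecDefaultAction "phase:1,log,auditlog,deny,status:403"
            SecDefaultAction "phase:2,log,auditlog,deny,status:403"
            SecRule REQUEST_METHOD "HEAD" "id:100, phase:1, block"
            SecRule REQUEST_FILENAME "secret.html" "id:101, phase:2, block"
          '';
          # Document root: index.html must stay reachable, secret.html exists
          # on disk so that a denial can only come from the WAF rule.
          testroot = pkgs.runCommand "testroot" {} ''
            mkdir -p $out
            echo "<html><body>Hello World!</body></html>" > $out/index.html
            echo "s3cret" > $out/secret.html
          '';
        in {
          root = testroot;
          extraConfig = ''
            modsecurity on;
            modsecurity_rules_file ${modsecurity_conf};
          '';
        };
    };
  };

  testScript = ''
    machine.wait_for_unit("nginx")

    # Baseline: an ordinary GET must pass through the WAF untouched.
    response = machine.wait_until_succeeds("curl -fvvv -s http://127.0.0.1/")
    assert "Hello World!" in response

    # Rule 100. The status code is asserted explicitly: "curl -f" under
    # machine.fail() passes on any curl error, and "-X HEAD" only renames the
    # method while curl still waits for a body, so that form can fail even
    # when nothing was denied. -I issues a proper HEAD request.
    head_status = machine.succeed(
        "curl -s -o /dev/null -w '%{http_code}' -I http://127.0.0.1/"
    ).strip()
    assert head_status == "403", f"HEAD returned {head_status}, expected 403"

    # Rule 101. Expecting exactly 403 distinguishes the ModSecurity deny from
    # an unrelated failure such as a 404 for a missing file.
    secret_status = machine.succeed(
        "curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1/secret.html"
    ).strip()
    assert secret_status == "403", f"GET returned {secret_status}, expected 403"
  '';
})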