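{ ... }:
{
  name = "nginx-modsecurity";

  nodes.machine =
    {
      config,
      lib,
      pkgs,
      ...
    }:
    {
      services.nginx = {
        enable = true;
        additionalModules = [ pkgs.nginxModules.modsecurity ];
        virtualHosts.localhost =
          let
            # Minimal ModSecurity ruleset for the test: engine in enforcing
            # mode (not DetectionOnly); any match in phase 1 (request
            # headers) or phase 2 (request body) is logged and denied with
            # HTTP 403.  The default SecRule operator is @rx, so the targets
            # below are regexes: "secret.html" matches any path containing
            # that substring (the "." is unescaped).  Good enough for a test,
            # not a precise production rule.
            modsecurity_conf = pkgs.writeText "modsecurity.conf" ''
              SecRuleEngine On
              SecDefaultAction "phase:1,log,auditlog,deny,status:403"
              SecDefaultAction "phase:2,log,auditlog,deny,status:403"
              SecRule REQUEST_METHOD "HEAD" "id:100, phase:1, block"
              SecRule REQUEST_FILENAME "secret.html" "id:101, phase:2, block"
            '';
            # Static document root: one public page and one page that
            # rule 101 must keep unreachable.
            testroot = pkgs.runCommand "testroot" { } ''
              mkdir -p $out
              echo "<html><body>Hello World!</body></html>" > $out/index.html
              echo "s3cret" > $out/secret.html
            '';
          in
          {
            root = testroot;
            extraConfig = ''
              modsecurity on;
              modsecurity_rules_file ${modsecurity_conf};
            '';
          };
      };
    };

  testScript = ''
    machine.wait_for_unit("nginx")
    machine.wait_for_open_port(80)

    def status(url, *curl_args):
        # Return only the HTTP status code.  A bare `curl -f` failure is
        # also produced by a connection error or a 404, which proves
        # nothing about whether ModSecurity denied the request; the
        # status line does.
        return machine.succeed(
            "curl -s -o /dev/null -w '%{http_code}' "
            + " ".join(curl_args)
            + " "
            + url
        ).strip()

    # Sanity check: the WAF does not interfere with an allowed request.
    response = machine.wait_until_succeeds("curl -f -s http://127.0.0.1/")
    assert "Hello World!" in response, response

    # Rule 100 (phase 1): HEAD is denied on the request headers alone.
    # Use `-I`/`--head` rather than `-X HEAD`: with `-X HEAD` curl still
    # expects a body and can hang on a response that carries a
    # Content-Length header.
    assert status("http://127.0.0.1/", "-I") == "403"

    # Rule 101 (phase 2): the protected file is denied, not served ...
    assert status("http://127.0.0.1/secret.html") == "403"
    machine.fail("curl -f -s http://127.0.0.1/secret.html")
    # ... and its contents must not leak through the 403 response body.
    body = machine.succeed("curl -s http://127.0.0.1/secret.html")
    assert "s3cret" not in body, body
  '';
}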