Transfer GeoIP Plugin? #19

Open
logopk opened this issue Feb 17, 2024 · 13 comments

logopk commented Feb 17, 2024

Hi @azurit,

do you plan to transfer the geoIP Plugin to the CRS plugin-registry?

Thanks

Peter

Member

azurit commented Feb 17, 2024

Hi @logopk, yes, of course I will try to do it (but it does not depend only on me).

Member

RedXanadu commented Feb 19, 2024

Hi @logopk,

Are you planning on using geo IP rules in your CRS setup? It would be good to understand your use case.

For what it's worth, there's a general feeling that geo IP logic does not belong in CRS, which is why it was removed. There are better places to handle geo IP-related logic (at the proxy level, at the web server, via a network firewall, at the edge, etc.)

It's a similar situation to anti-DoS rules: it is possible to implement via SecRules, but there are many better places to perform it, and the support varies between engines and engine versions (and the anti-DoS logic has also been removed from the core of CRS).

Author

logopk commented Feb 19, 2024

@RedXanadu Understood.
I am using maxminddb in apache. When I started I used rewrite rules but then I noticed the geoip plugin.
I had the impression that all security rules should be handled in one piece of software. So CRS seemed to be a good place.
Am I wrong?
Regards
Peter

Member

dune73 commented Feb 20, 2024

Hey @logopk, I think there are pros and cons here. CRS kicked the GeoIP stuff because it's no longer in line with the pattern based stuff we are doing. But your reasoning about the single place makes a lot of sense. Hence the plugin option.

@azurit: Moving the GeoIP stuff into our repo would be cool, I think. Where do you see the problems?

Member

RedXanadu commented Feb 20, 2024

There's the added complication that ModSec on Apache (assuming you're using v2, @logopk) does not handle the MaxMind database format. You would have to roll your own database files. Do-able (I maintained this for several years for customers who insisted on using MaxMind inside ModSec), but it's more steps and more complication.

The Apache MaxMind module is more flexible and more mature, if you want to keep everything in one place (Apache).

Member

dune73 commented Feb 20, 2024

Well, that ModSec2 shortcoming is not necessarily set in stone ...

Author

logopk commented Feb 21, 2024

I use modmaxmind with modsec2 and the database format is no problem.

Member

dune73 commented Feb 21, 2024

Well done.

I think the plugin should offer that option (or any other ENV variable) for full flexibility.

Member

azurit commented Feb 21, 2024

> I think the plugin should offer that option (or any other ENV variable) for full flexibility.

It is offering it.

Member

dune73 commented Feb 21, 2024

Ready for the migration of the plugin, then I guess. :)

Member

fzipi commented Jun 1, 2024

Can we close this one?

Author

logopk commented Jun 1, 2024

@fzipi I don't see it in the plugin registry yet!?

Member

azurit commented Jun 1, 2024

Let's keep this open until the plugin is included.
