initial commit to skip the body inspection

thekief · thekief · commit af17ac8aacb2 · 2025-12-30T18:39:49.000+01:00
diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ Further information about nginx third-party add-ons support are available [here]
 # Usage
 
 ModSecurity for nginx extends your nginx configuration directives.
-It adds four new directives and they are:
+It adds six new directives and they are:
 
 modsecurity
 -----------
@@ -184,6 +184,60 @@ modsecurity_use_error_log
 **default:** *on*
 
 Turns on or off ModSecurity error log functionality.
+modsecurity_skip_req_body_filter
+-----------------
+**syntax:** *modsecurity_skip_req_body_filter on | off*
+
+**context:** *http, server, location*
+
+**default:** *off*
+
+Allows to skip the caching of the request body and subsequently its inspection.
+Useful in cases, where `SecRequestBodyAccess` or `ctl:requestBodyAccess` is set, due to, e.g. encrypted data, as the caching causes an unneeded memory overhead.
+
+
+```nginx
+server {
+    modsecurity on;
+    modsecurity_rules_file /etc/my_modsecurity_rules.conf;
+
+    location / {
+        root /var/www/html;
+    }
+
+    location = /special/unchecked/path {
+        # skip the inspection of the request body
+        modsecurity_skip_req_body_filter on;
+    }
+}
+```
+
+modsecurity_skip_res_body_filter
+-----------------
+**syntax:** *modsecurity_skip_res_body_filter on | off*
+
+**context:** *http, server, location*
+
+**default:** *off*
+
+Allows to skip the caching of the request body and subsequently its inspection.
+Useful in cases, where `SecResponseBodyAccess` is set, due to, e.g. encrypted data, as the caching causes an unneeded memory overhead.
+
+```nginx
+server {
+    modsecurity on;
+    modsecurity_rules_file /etc/my_modsecurity_rules.conf;
+
+    location / {
+        root /var/www/html;
+    }
+
+    location = /special/unchecked/path {
+        # skip the inspection of the response body
+        modsecurity_skip_res_body_filter on;
+    }
+}
+```
 
 # Contributing
 
diff --git a/src/ngx_http_modsecurity_body_filter.c b/src/ngx_http_modsecurity_body_filter.c
@@ -39,8 +39,8 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
 {
     ngx_chain_t *chain = in;
     ngx_http_modsecurity_ctx_t *ctx = NULL;
+    ngx_http_modsecurity_conf_t *mcf = NULL;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    ngx_http_modsecurity_conf_t *mcf;
     ngx_list_part_t *part = &r->headers_out.headers.part;
     ngx_table_elt_t *data = part->elts;
     ngx_uint_t i = 0;
@@ -50,7 +50,19 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
         return ngx_http_next_body_filter(r, in);
     }
 
-    ctx = ngx_http_modsecurity_get_module_ctx(r);
+    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
+
+    if (mcf == NULL){
+        dd("failed to get configuration");
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    if (mcf->skip_res_body_filter) {
+        dd("Skipping response body filter");
+        return ngx_http_next_body_filter(r, in);
+    }
+
+    ctx = ngx_http_get_module_ctx(r, ngx_http_modsecurity_module);
 
     dd("body filter, recovering ctx: %p", ctx);
 
@@ -63,8 +75,7 @@ ngx_http_modsecurity_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
     }
 
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
-    mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
-    if (mcf != NULL && mcf->sanity_checks_enabled != NGX_CONF_UNSET)
+    if (mcf->sanity_checks_enabled != NGX_CONF_UNSET)
     {
 #if 0
         dd("dumping stored ctx headers");
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -124,6 +124,8 @@ typedef struct {
 #endif
 
     ngx_http_complex_value_t  *transaction_id;
+    ngx_flag_t                 skip_req_body_filter;
+    ngx_flag_t                 skip_res_body_filter;
 } ngx_http_modsecurity_conf_t;
 
 
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -527,6 +527,19 @@ static ngx_command_t ngx_http_modsecurity_commands[] =  {
     ngx_conf_set_flag_slot,
     NGX_HTTP_LOC_CONF_OFFSET,
     offsetof(ngx_http_modsecurity_conf_t, use_error_log),
+    ngx_string("modsecurity_skip_req_body_filter"),
+    NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+    ngx_conf_set_flag_slot,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    offsetof(ngx_http_modsecurity_conf_t, skip_req_body_filter),
+    NULL
+  },
+  {
+    ngx_string("modsecurity_skip_res_body_filter"),
+    NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+    ngx_conf_set_flag_slot,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    offsetof(ngx_http_modsecurity_conf_t, skip_res_body_filter),
     NULL
   },
   ngx_null_command
@@ -724,6 +737,8 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
     conf->pool = cf->pool;
     conf->transaction_id = NGX_CONF_UNSET_PTR;
     conf->use_error_log = NGX_CONF_UNSET;
+    conf->skip_req_body_filter = NGX_CONF_UNSET;
+    conf->skip_res_body_filter = NGX_CONF_UNSET;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     conf->sanity_checks_enabled = NGX_CONF_UNSET;
 #endif
@@ -764,6 +779,8 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_value(c->enable, p->enable, 0);
     ngx_conf_merge_ptr_value(c->transaction_id, p->transaction_id, NULL);
     ngx_conf_merge_value(c->use_error_log, p->use_error_log, 1);
+    ngx_conf_merge_value(c->skip_req_body_filter, p->skip_req_body_filter, 0);
+    ngx_conf_merge_value(c->skip_res_body_filter, p->skip_res_body_filter, 0);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     ngx_conf_merge_value(c->sanity_checks_enabled, p->sanity_checks_enabled, 0);
 #endif
diff --git a/src/ngx_http_modsecurity_pre_access.c b/src/ngx_http_modsecurity_pre_access.c
