Skip to content

Should we cancel Macro Expansion support to tag action? #1950

Closed
@weliu

Description

@weliu

This Macro Expansion support was discussed in #324, but I found that the example in that issue is not very convincing:
tag:'http://www.owasp.org/index.php?title=ModSecurity_CRS_RuleID-%{rule.id}
The rule id can be determined during writing this rule, so there is no need to get its value at run time.

I think we may cancel this Macro Expansion support to tag action because:
A. It impacts performance. If we remove this support, it can reduce the overhead of tag action with each hit rules, and SecRuleRemoveByTag/ruleRemoveByTag and SecRuleUpdateTargetByTag/ruleRemoveTargetByTag can be more efficient.

B. The scenario to use this Macro Expansion in tag is very rare. I only see two place in CRS:
# SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
\ # SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"

C. If we do need this, we can use msg action instead which also supports Macro Expansion.

I can submit a PR if we decide to cancel Macro Expansion support to tag action eventually.

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions