nginx: service needs to be restarted for modsecurity log rotation

osnyx · osnyx · commit 31476b90461c · 2024-04-04T10:39:25.000+02:00
Because modsecurity is not re-opening its logfile after rotation and continues to write into the same file descriptor, nginx needs to be restarted for the rotation to take effect.
Better handling of that situation is stuck upstream for several years.

We use the presence of `/var/log/modesc_*.log` as a heuristic for modsecurity being enabled, these files are now rotated with a restart of nginx.
Note that, due to overlapping wildcard matches, this specific case got a higher logrotate match priority and needs an `ignoreduplicates`.

Restarting nginx can have the impact of a very brief downtime and connections being dropped. logrotate.timer runs hourly, but as we've empirically observed that the majority of actual rotations takes place during the night, we refrain from restricting the logrotate runs to the night for now.

PL-132296
diff --git a/nixos/services/nginx/default.nix b/nixos/services/nginx/default.nix
@@ -469,16 +469,29 @@ in
         inherit virtualHosts;
       };
 
-      services.logrotate.settings = {
-        "/var/log/nginx/*.log" = {
+      services.logrotate.settings = let
+      commonRotate = {
           rotate = cfg.rotateLogs;
           create = "0644 ${nginxCfg.masterUser} nginx";
           su = "${nginxCfg.masterUser} nginx";
+        };
+        in {
+        "/var/log/nginx/modsec_*.log" = {
+          # need higher prio, because more-specific match.
+          # Our platform header options use priority 900, we need to chose a
+          # higher number here for using them.
+          ignoreduplicates = true;
+          priority = 901;
+          postrotate = ''
+            systemctl restart nginx
+          '';
+        } // commonRotate;
+        "/var/log/nginx/*.log" = {
           postrotate = ''
             systemctl kill nginx -s USR1 --kill-who=main || systemctl reload nginx
             chown ${nginxCfg.masterUser}:nginx /var/log/nginx/*
           '';
-        };
+        } // commonRotate;
       };
 
       # Z: Recursively change permissions if they already exist.
