Open BHMath opened 1 year ago
acouvreur
commented
1 year ago Hi @BHMath ,
Could you please share your configuration ?
As this middleware is only supposed to intercept incoming http connections, I'm not sure how it could break ths kind of behavior.
Please share some more details, logs, compose files etc.
BHMath
commented
1 year ago My waf is configure like this
- PARANOIA=1
- ANOMALY_INBOUND=10
- ANOMALY_OUTBOUND=5And my router is like this
[http.routers]
[http.routers.webdav]
rule = "Host(`webdav.mycompany.com`)"
service = "webdav"
entrypoints = ["websecure"]
middlewares = ["waf@docker"]
[http.routers.webdav.tls]
certresolver = "myresolver"
[http.services]
[http.services.webdav.loadBalancer]
[[http.services.webdav.loadBalancer.servers]]
url = "https://myip:5006/"Here the log
28/11/2022 14:40:19
[Mon Nov 28 14:40:19.142199 2022] [:error] [pid 19:tid 139733371959040] [client 172.18.0.1:33714] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]
28/11/2022 14:40:19
audit_data.engine_mode=ENABLEDaudit_data.error_messages=[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]audit_data.handler=proxy-serveraudit_data.messages=Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"]audit_data.producer=ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/),OWASP_CRS/3.3.4audit_data.response_body_dechunked=trueaudit_data.server=Apacheaudit_data.stopwatch.gc=0audit_data.stopwatch.l=0audit_data.stopwatch.p1=616audit_data.stopwatch.p2=1795audit_data.stopwatch.p3=95audit_data.stopwatch.p4=257audit_data.stopwatch.p5=149audit_data.stopwatch.sr=166audit_data.stopwatch.sw=1request.headers.Accept-Encoding=gziprequest.headers.Authorization=Basic a2VlcGFzczpLMzNQQHNzMDE=request.headers.Cache-Control=no-store,no-cacherequest.headers.Host=172.17.0.1:666request.headers.Pragma=no-cacherequest.headers.User-Agent=Go-http-client/1.1request.headers.X-Forwarded-Host=webdav.mycompany.comrequest.headers.X-Forwarded-Port=443request.headers.X-Forwarded-Proto=httpsrequest.headers.X-Forwarded-Server=vps-da6b9d4crequest.headers.X-Real-Ip=165.225.205.15request.request_line=GET /webdav/folder/mydb.kdbx HTTP/1.1response.body=Hostname: d345eec86f29 IP: 127.0.0.1 IP: 172.18.0.4 RemoteAddr: 172.18.0.1:37302 GET /webdav/folder/mydb.kdbx HTTP/1.1 Host: 172.17.0.1:666 User-Agent: Go-http-client/1.1 Authorization: Basic a2VlcGFzczpLMzNQQHNzMDE= Cache-Control: no-store,no-cache Connection: close Pragma: no-cache X-Forwarded-For: 172.18.0.1 X-Forwarded-Host: webdav.mycompany.com, 172.17.0.1:666 X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: vps-da6b9d4c, localhost X-Real-Ip: 172.18.0.1 X-Unique-Id: Y4S6Q-rfCYuT94nJXn6jxQAAABUresponse.headers.Content-Length=536response.headers.Content-Type=text/plain; charset=utf-8response.protocol=HTTP/1.1response.status=200transaction.local_address=172.18.0.3transaction.local_port=80transaction.remote_address=172.18.0.1transaction.remote_port=33714transaction.time=28/Nov/2022:14:40:19.146858 +0100transaction.transaction_id=Y4S6Q-rfCYuT94nJXn6jxQAAABU
28/11/2022 14:40:22
[Mon Nov 28 14:40:22.489246 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Request body no files data length is larger than the configured limit (131072). [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
28/11/2022 14:40:22
[Mon Nov 28 14:40:22.489771 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
28/11/2022 14:40:22
audit_data.action.intercepted=trueaudit_data.action.message=Match of "eq 0" against "REQBODY_ERROR" required.audit_data.action.phase=2audit_data.engine_mode=ENABLEDaudit_data.error_messages=[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Request body no files data length is larger than the configured limit (131072). [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"],[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]audit_data.handler=proxy-serveraudit_data.messages=Request body no files data length is larger than the configured limit (131072).,Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"]audit_data.producer=ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/),OWASP_CRS/3.3.4audit_data.response_body_dechunked=trueaudit_data.server=Apacheaudit_data.stopwatch.gc=0audit_data.stopwatch.l=0audit_data.stopwatch.p1=1115audit_data.stopwatch.p2=16audit_data.stopwatch.p3=0audit_data.stopwatch.p4=0audit_data.stopwatch.p5=211audit_data.stopwatch.sr=307audit_data.stopwatch.sw=0request.body=٢�g�K�,;�y�vAn��G|�&�!^�n���M_�S��R֙ľѫ�R�3=q�毪j�" �>�
N
�G
���>�8�zS�b��E�(�����B- �C�zed�D�/�ܙ$�sÌG�Yn�E�$f�T�H,>nY�,�
$�J�A�G����a��2��}��j���'$����5�e��ي�<�@t�m��[�܅\g�~�qu|��Ó�R�X(OS1��Ǟ�)nY[^q1�m���H60�P,�S�o�rf�*��IچGq���9� ����"4��h�,��# �j�&��!/1��)![
v
7(��+�
wSEW�wWZoH'`
�k�?YL�)����֊�(iAEɥ9�C�%0q#�^��s����T싑zM���е�XLm�~�z1yKOF� �#
yT> s�J5��~���*SĒ� V�����2΅2����?
E�1:�}f ��@���T�1�sA�s�
9�<��g��b�J���]^nK'
�z|'g�x�+}?UJI ��oMIU
��]��~�R�뙈�̕��1��V����wH
�~q��<��$vͺc("�
��\���۶GCNL�R8
Y,V�,�\�cW�P��Bb�ᘀ��������j'y�ю*
�@��*�?��6YC Q
��ÃE�=��<$��>q��R���!ϋ+��^�s�J&�_=��X^T�����h�0�r��t����
�zHZ�.��+M���8��uE�s�N�$l]T>�߇��v���
߹]Hk�1�\#Evi
}"Y���>wj҈�|Ux[�,�
S�_P�s���L�o1r���܅/ћ\ҵ��]���
�Sh}�h�8x�#_y
̗�<��<�i�B�����b9(+��/P��{Z�}�yT߳��O,��QUa(�ܞ��
�}O���X�]ñw 69��7˔�/4�/�nqV�MzPQ�K-��DO�����
Q�E��-2q���B��k����!>��Se��8��T(��
�r˰�nV�JiMj�ݚƢι��E��eT�s2꠆qw=��N [�{�Hv2�����X�4L#s��UT��hT��[;,a�̧���W*%+d�n
�&��o���c��l�m9/�ߟ5�ߌ�@܇��MB~�����P�<
U�~�������M��_�xW�Z� ���;$S��}M.E�����Ҽ,�"�������)`�Q��-l2�%�|�}HvUzE������h۟���9��Z�\�����%���Ys%����
�ɒ�/5 \j�&H��y��U�]~�ǻ�p�6�b
����3��+
U[�BI�Oi,��{E~X� @i��D�N���rm +�K�4FptFB'cס,���c��/䴋`�;�h"���<�3(
�Lm
L-n��k �7��t�2oMa$5�[|W
��C�#҃��RW`�>�"g��/;s��"M�FW6�mX��۵���^e���LQ%��ύ^Af�?K��x�µI�d�.�a��&�����v�h�կ=
rg
J) �������no��Oӡԗ��⹌uI�">��bݼC��t�|]�����]_�����`i
�*b�6�f����G��F�J�sث
�����T�n��aqR�VQN�����2���1<
!o�� 8G��
�m�3L�� g1�e�1kRM�p1cE�|e���$�����Y9Yn}*B#�M��mM t���W�%Q���Wze�ȃ�6���J������uN�_��1����e&�o�Q =/}vx
�[kDX� u�+�P��`�>
�q� ����- I��j �Yq���y�^�!+���9>d�I|9�C���p�B�_5Մ2X�$��)5ؒ-�%�����p�0�C���lZ��>�>�[��HD-���J���w�.��tSSf�t�����eQ� yD�XԎ��/7t��YB�#�BZ��/0N�y]�^@;��,,���u��I�J9K��I �$]�=+��uy
��S�[C���x�瓝E��D+��h����C��
t�rV��a3�9J|�ְ�8���{j �������"�GE5�
���� ��B\���?��D�p���m���~��˯$b�����k�td2�aM�Vݤ�1��/{ɽ��t�,��Ó�Iz�1�7��#�s����G>����TVj
)�o�r
���(p 93�K {_WXJU��r�As�6l��� 1�q���-".��n01�Q��}���s���4k�y��Y~���.����hd�jZ@�� ��7��(����
-��CkS\��%,W���~�M������}�71Z$��D��/."9�J�Hʷ�O��zC��&_����<J��%�m6�@�0�H6��$�v59�^ ,�p''��> #x�#)�,�p��}d���;�A� l3����_��M2�ǃQ�R5AXT��
��gt��*�-է
��z�a������7��T����%�� [��/ץ. ���x
���B���/ʷ���A���"i&�ɇHE9ݮ���c���\�V�L��XxwxrC�,$��^� �� ���E�f�Z�� ��G�>ȃk��c���g�.BsУ�Ck̺����AkV�$�OH�+5X;x�T旵-�x �4�~��j��*�����ʝAZ�NQ�A�
��
�;ž��_kB�e�F�Kj�t�Zz�}��s�$y"i,}�b��&<�S�ۇ
�es\���:�Tz¥����⠝��Ǔ�_D��<��dx�����KD�/�|�j����0�s�بee�+�n+� ��W,�8Gc.�Gs�g{���)��h��*G�d�:E���P�;����
��
� 8�=o'5�߳Fc\�����m���V�v'Y��� ��7�@����Ǝ�r��X���K����>��c�t�����J�ա�Y�^MA� s��pd��
H���*��Y
�q�u��e`�?
����!�7S `���R ;�}^�l*ya��&�.�߾�8��v�y��n�
��yu0/�0���j� �F������츔��x3Ĝ��Z�E�oMz,�}+
���N8y20�>�{�{+�M����Yۂ����}���ӓS#k:a̼��ץqLGȪO,� �%~��>`��
�,5���$�CCt����cMm��`T��qƼU�8��&��Bb�EC�N%Ԇ����N+��I�q�>ڗު��7��%y�� TA�U���Ɲ_��
��`��7���
����1��o�2ic~)]���
믕4y wv�^�
"�v���|a~&!{�
H�9Y!E*�x8S�2�L�o�lT���:��K��ҵF�:dI5�F�������60�`�
8K�p���k����-T� �q�
� �� �5_j�k�D��;�JtEf�v������^�r�
���QQ���u��Q���Yj�U�f��m;*��o 2-���Fx���E>�l~�����b�
.1 ��^rI.��5s��i�V���_���7���t�C�������P�j��T��eBU�(k��3�F=ĭ����;�䒕u��?&��0�PH�t���e�Qߎ-�Ɵ!������}��my�C{+�wq�&�� b�D�8d��k�^�;4��,���!�Os_��}��o�������ub"���'�E�ɕYU�I��"�X��'���fjA��#�/ hy����̕nLԋ��� �x���h�6�Q]��3�~
�Ƃ��ل���A�e�����*�T�))����u0T���H�z ��_��0;5��ݜ!�������8����4�M$�
�|^�#2����]#��u<+�
�Х�����[gj��v�6ު ����6m����#���&�
`�u����c� ��,"����S�"�� iH�kX~A��.bT<�?��d��Fp����cO��H(,������?�&70��<^��y���נ5KR�R��9�
�k��_��2��M�H������x����� �
��į��؞*Dl1iafx!���]p}�������!3� ��P|ttq�=�,,e�镱ƃ ����v���)��loz�#�0��"m+S:
�e�v7���+=�i�3�S�y�w��������� A�O��g�Җ��lQ^�6ל�nx+�9�Z�A��K\�����f
,+۰L�k7�"��[��e�;:!��WIdJg9���I\*'j@I��B�
����m��}~����R�\ ' ^'�f�
������H���C��v�F���
�Y7��
"r˜蘝� �
lW�:���ܧn
ׄ���
��8�Ƿ$k�BD�����Θ�Y/��!�p�쀁)H���6��_X��}iO�./~`��E&ڋ υ��1uic6F����+���GG��N~��п�+�ul:�T������%������ÀMV$
�t���܋�/�58�
�R��>���.����*�ijP�:���,��ӝz����\�,ϡpbg�|P���D����H���;�L�'�ӉiK��ؤ2�t�7�?(���o
|a�_4��#�� �� Y@~O�b�SF��� *́
������W�{v<��4� TX�y��ccT+��Ƞ��%nY�*k�4'��(�] �1(��Ku[����W
��
���(� N����0��L�˜� ����x%���
ZҐښ�+[�V$?D��Q�} �ZE�f�_�88���5g<սE`_��
B�����vR+}���[��9
��9�P��ı2 Gc/������*ň��V�b��z�y[?ME��MK�04��t��l\/�o���J�^ahxk
~�ɓ�����N��c��k��
�y#�-bQtMtOk7�{lq��wh����s�!a�9ҷb�u�/�~p�x]��g��Cb�j���7����$*�������
a4��}h�<����;�b�F�ŎsR������{�4�7xΤeZp�1�5�] )�}B�WO�
����ٌqU
�~(�F{uh�����mT����)��n�]�����k�HdʶB|�=/»z�=v�j�D �
J����(��/{|�V�0�T�6��1@��!�� 1\r2PUШ�g�z[I�-z�����F�&�ئ�wh�� �p�1�-��&�Y%��ʎ�l؛W������vvz���ޑ���.��u������}�4vN0���ګ��R�R;;1request.headers.Accept-Encoding=gziprequest.headers.Authorization=Basic a2VlcGFzczpLMzNQQHNzMDE=request.headers.Cache-Control=no-store,no-cacherequest.headers.Content-Length=228565request.headers.Expect=100-continuerequest.headers.Host=172.17.0.1:666request.headers.Pragma=no-cacherequest.headers.User-Agent=Go-http-client/1.1request.headers.X-Forwarded-Host=webdav.mycompany.comrequest.headers.X-Forwarded-Port=443request.headers.X-Forwarded-Proto=httpsrequest.headers.X-Forwarded-Server=vps-da6b9d4crequest.headers.X-Real-Ip=165.225.205.15request.request_line=PUT /webdav/folder/mydb.kdbx.tmp HTTP/1.1response.body=
Bad Request
Your browser sent a request that this server could not understand.
response.headers.Connection=closeresponse.headers.Content-Length=226response.headers.Content-Type=text/html; charset=iso-8859-1response.protocol=HTTP/1.1response.status=400transaction.local_address=172.18.0.3transaction.local_port=80transaction.remote_address=172.18.0.1transaction.remote_port=45610transaction.time=28/Nov/2022:14:40:22.491726 +0100transaction.transaction_id=Y4S6RmKEEGrk-9egGHU24AAAAUMIf i missed personnal data pm me I'll update it.
acouvreur
commented
1 year ago Well it says the following:
[data "Request body no files data length is larger than the configured limit (131072)."]Please configure your owasp container with correct rules
Hello when I try to save my keepass database with the waf middleware in traefik it fails. I'm getting an error. If I disable the middleware it's ok. Can you check on it ? I can help with specific test.