Closed Silur closed 3 years ago
Hello @Silur,
It might be related to ModSecurity. Can you try to disable it, just to confirm, by adding USE_MODSECURITY=no?
You can find an example on how to whitelist HTTP methods in modsecurity here: https://github.com/bunkerity/bunkerized-nginx/tree/master/examples/nextcloud
Disabling ModSec did not solve the issue. I also have antibot and fail2ban disabled in my setup, and I use a multi-site reverse proxy as follows:
environment:
- USE_REVERSE_PROXY=yes
- REVERSE_PROXY_URL_1=/
- REVERSE_PROXY_HOST_1=http://frontend
- REVERSE_PROXY_URL_2=/api
- REVERSE_PROXY_HOST_2=http://backend
- REVERSE_PROXY_URL_3=/docs
- REVERSE_PROXY_HOST_3=http://backend
- USE_FAIL2BAN=no
- ALLOWED_METHODS="GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT|OPTIONS"
- USE_ANTIBOT=no
- USE_MODSECURITY=no
I also checked in case the (backend) server behind the proxy is the one actually denying OPTIONS, but a quick curl test showed it not to be the culprit (it has a wildcard "*" for allowed methods).
I also did a docker system prune -a after changing the modsec var, in case the container writes something into the volume etc.
Is it normal that /owasp-crs/ is created with protocol enforcement rules even though I set modsec to be off?
# docker-compose exec nginx bash
bash-5.0# grep -r OPTIONS .
./owasp-crs/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf:# The default ones in ModSecurity are: GET HEAD POST OPTIONS
./owasp-crs/REQUEST-901-INITIALIZATION.conf: setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
./owasp-crs/REQUEST-905-COMMON-EXCEPTIONS.conf: SecRule REQUEST_LINE "@rx ^(?:GET /|OPTIONS \*) HTTP/[12]\.[01]$" \
./owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:# It also outlines proper construction for CONNECT, OPTIONS and GET requests.
./owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:# This is only allowed in combination with the OPTIONS method.
./owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf: SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
./owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf: SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
./owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf:# OPTIONS requests coming from known offending User-Agents via two
./owasp-crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf: SecRule REQUEST_METHOD "!@rx ^OPTIONS$" \
./owasp-crs.conf:# Default: GET HEAD POST OPTIONS
./owasp-crs.conf:# setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
./server.conf: if ($request_method !~ ^("GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT|OPTIONS")$)
./nginx.env:X_FRAME_OPTIONS=DENY
./nginx.env:X_CONTENT_TYPE_OPTIONS=nosniff
./nginx.env:ALLOWED_METHODS="GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT|OPTIONS"
bash-5.0#
Yes, it's fine because it is not included by the nginx configuration.
Can you try to remove the quotation marks from your compose file and tell me if it changes something:
...
- ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT|OPTIONS
...
yes, removing the quotation marks worked, kinda trivial :D
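To see why the quotation marks mattered, here is an added check (not part of the thread or of bunkerized-nginx) that reproduces the `if ($request_method !~ ^(ALLOWED_METHODS)$)` test from server.conf in Python's `re` and reports which listed methods the guard itself would reject. Compose passes a list-style `KEY="value"` entry verbatim, so the quotes end up inside the regex group: the last alternative becomes `OPTIONS"`, which never matches a real method, and the first alternative picks up the opening quote the same way. The two entries below are constructed from the compose snippet in the thread.

```python
import re

# Constructed from the compose snippet above: the same entry with and
# without the literal quotation marks that compose passes through verbatim.
QUOTED = 'ALLOWED_METHODS="GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT|OPTIONS"'
UNQUOTED = 'ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT|OPTIONS'


def parse_env_entry(entry):
    """Split a list-style compose `KEY=VALUE` entry; the value is taken as-is,
    so any surrounding quotes stay part of it (this is the gotcha)."""
    key, _, value = entry.partition("=")
    return key, value


def has_literal_quotes(entry):
    """True if the value still carries a leading or trailing quote character."""
    _, value = parse_env_entry(entry)
    return value[:1] in ('"', "'") or value[-1:] in ('"', "'")


def build_method_guard(allowed_methods):
    """Reproduce the generated nginx test
        if ($request_method !~ ^(ALLOWED_METHODS)$) { return 405; }
    and return a function giving the status the guard yields for a method."""
    pattern = re.compile(r"^(" + allowed_methods + r")$")
    return lambda method: 200 if pattern.match(method) else 405


def rejected_methods(entry):
    """Methods named in the entry that the guard built from it would reject.
    A healthy entry returns an empty list."""
    _, value = parse_env_entry(entry)
    guard = build_method_guard(value)
    listed = [m.strip('"\'') for m in value.split("|")]
    return [m for m in listed if guard(m) == 405]


if __name__ == "__main__":
    for entry in (QUOTED, UNQUOTED):
        print(entry)
        print("  literal quotes:", has_literal_quotes(entry))
        print("  self-rejected methods:", rejected_methods(entry))
```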
Option methods return 405 regardless of the environment variable set
Will work with all methods except OPTIONS.