bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0
6.54k stars 371 forks

[BUG] WHITELIST_COUNTRY doesn't seem to do anything #1583

Closed leberrem closed 1 month ago

leberrem commented 1 month ago

What happened?

It seems that since the upgrade to version 1.5.10, the WHITELIST_COUNTRY configuration key can no longer be used to block countries. Have you noticed any problems?

How to reproduce?

Configure WHITELIST_COUNTRY and test a call with 'https://globalping.io'

Configuration file(s) (yaml or .env)

IS_LOADING=no
USE_BUNKERNET=no
HTTP_PORT=80
HTTPS_PORT=443
HTTP2=no
DNS_RESOLVERS=127.0.0.1
API_LISTEN_IP=127.0.0.1
API_WHITELIST_IP=0.0.0.0/0
DISABLE_DEFAULT_SERVER=no
CLAMAV_HOST=127.0.0.1
CLAMAV_PORT=3310
CLAMAV_TIMEOUT=10000
MULTISITE=yes
REDIRECT_HTTP_TO_HTTPS=yes
LISTEN_HTTP=yes
SERVER_NAME=xxxx-sddc-bunkerweb.node.ovh waf-xxxx-sddc-recette.mgcloud.fr
# ISO 3166-2    label
# FR    France
# BE    Belgium
# BL    St. Barthélemy
# GP    Guadeloupe
# MF    St. Martin
# MQ    Martinique
# NC    New Caledonia
# PF    French Polynesia
# PM    St. Pierre & Miquelon
# RE    Réunion
# TF    French Southern Territories
# WF    Wallis & Futuna
# MC    Monaco

# ------------------------------------------
# xxxx-sddc-bunkerweb.node.ovh
# ------------------------------------------
xxxx-sddc-bunkerweb.node.ovh_USE_UI=no
xxxx-sddc-bunkerweb.node.ovh_USE_REVERSE_PROXY=yes
xxxx-sddc-bunkerweb.node.ovh_REVERSE_PROXY_URL=/
xxxx-sddc-bunkerweb.node.ovh_REVERSE_PROXY_HOST=https://xxx.xxx.xxx.xxx:7000
xxxx-sddc-bunkerweb.node.ovh_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
xxxx-sddc-bunkerweb.node.ovh_USE_CUSTOM_SSL=yes
xxxx-sddc-bunkerweb.node.ovh_CUSTOM_SSL_CERT=/etc/bunkerweb/node.ovh.cer
xxxx-sddc-bunkerweb.node.ovh_CUSTOM_SSL_KEY=/etc/bunkerweb/node.ovh.key

# ------------------------------------------
# waf-xxxx-sddc-recette.mgcloud.fr
# ------------------------------------------
waf-xxxx-sddc-recette.mgcloud.fr_USE_UI=no
waf-xxxx-sddc-recette.mgcloud.fr_USE_CLAMAV=yes
waf-xxxx-sddc-recette.mgcloud.fr_USE_REVERSE_PROXY=yes
waf-xxxx-sddc-recette.mgcloud.fr_REVERSE_PROXY_URL=/
waf-xxxx-sddc-recette.mgcloud.fr_REVERSE_PROXY_HOST=https://xxx.xxx.xxx.xxx
waf-xxxx-sddc-recette.mgcloud.fr_INTERCEPTED_ERROR_CODES=405 413 429 501 502 503 504
waf-xxxx-sddc-recette.mgcloud.fr_USE_BAD_BEHAVIOR=yes
waf-xxxx-sddc-recette.mgcloud.fr_BAD_BEHAVIOR_STATUS_CODES=403 405 429 444
waf-xxxx-sddc-recette.mgcloud.fr_BAD_BEHAVIOR_THRESHOLD=25
waf-xxxx-sddc-recette.mgcloud.fr_ALLOWED_METHODS=GET|POST|PUT|DELETE|HEAD|PATCH
waf-xxxx-sddc-recette.mgcloud.fr_USE_LIMIT_REQ=no
waf-xxxx-sddc-recette.mgcloud.fr_USE_LIMIT_CONN=no
waf-xxxx-sddc-recette.mgcloud.fr_USE_CLIENT_CACHE=no
waf-xxxx-sddc-recette.mgcloud.fr_CLIENT_CACHE_EXTENSIONS=jpg|jpeg|png|bmp|ico|svg|tif|css|js|otf|ttf|eot|woff|woff2
waf-xxxx-sddc-recette.mgcloud.fr_CLIENT_CACHE_ETAG=no
waf-xxxx-sddc-recette.mgcloud.fr_CLIENT_CACHE_CONTROL=public, max-age=15552000
waf-xxxx-sddc-recette.mgcloud.fr_USE_MODSECURITY=yes
waf-xxxx-sddc-recette.mgcloud.fr_USE_MODSECURITY_CRS=yes
waf-xxxx-sddc-recette.mgcloud.fr_MODSECURITY_SEC_RULE_ENGINE=DetectionOnly
waf-xxxx-sddc-recette.mgcloud.fr_USE_CUSTOM_SSL=yes
waf-xxxx-sddc-recette.mgcloud.fr_CUSTOM_SSL_CERT=/etc/bunkerweb/mgcloud.fr.cer
waf-xxxx-sddc-recette.mgcloud.fr_CUSTOM_SSL_KEY=/etc/bunkerweb/mgcloud.fr.key
waf-xxxx-sddc-recette.mgcloud.fr_WHITELIST_COUNTRY=FR BE MC BL GP MF MQ NC PF PM RE TF WF
waf-xxxx-sddc-recette.mgcloud.fr_REVERSE_PROXY_WS=no
waf-xxxx-sddc-recette.mgcloud.fr_USE_REAL_IP=yes
waf-xxxx-sddc-recette.mgcloud.fr_COOKIE_FLAGS=* SameSite
waf-xxxx-sddc-recette.mgcloud.fr_FEATURE_POLICY=accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animation 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; speaker-selection 'none'; sync-xhr 'self' https://waf-xxxx-sddc-recette.mgcloud.fr; unoptimized-images 'none'; unsized-media 'none'; usb 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';
waf-xxxx-sddc-recette.mgcloud.fr_MAX_CLIENT_SIZE=10m

Relevant log output

No response

BunkerWeb version

1.5.10

What integration are you using?

Linux

Linux distribution (if applicable)

Rocky Linux release 8.10

Removed private data

Code of Conduct
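In the multisite configuration above, WHITELIST_COUNTRY is only set for the second server name (waf-xxxx-sddc-recette.mgcloud.fr); the first vhost has no country whitelist at all, so a probe that hits the wrong hostname is never geo-filtered. The script below is an added example, not BunkerWeb's own code: it parses a BunkerWeb-style multisite `.env` (a constructed sample with placeholder hostnames, shaped like the one in the report), resolves the per-server value of a setting (the `<server_name>_KEY` form overriding the global `KEY`), and reports which hosts are actually geo-restricted and what a given client country would get. It assumes the documented semantics of WHITELIST_COUNTRY (only the listed ISO 3166 codes are allowed, everything else is denied); `parse_env`, `effective`, `is_country_allowed` and `geo_report` are helper names of this example.

```python
"""Resolve per-server BunkerWeb-style multisite settings and evaluate a country whitelist.

Added example, not BunkerWeb code. Assumed semantics: WHITELIST_COUNTRY lists the only
countries allowed (any other country is denied), and in multisite mode a
`<server_name>_KEY=value` line overrides a global `KEY=value` line.
"""

# Constructed sample mirroring the shape of the reported config (placeholder hostnames).
SAMPLE_ENV = """\
MULTISITE=yes
SERVER_NAME=app.example.test waf.example.test
USE_REAL_IP=no
# comment lines and blank lines are ignored

app.example.test_USE_REVERSE_PROXY=yes
waf.example.test_USE_REVERSE_PROXY=yes
waf.example.test_USE_REAL_IP=yes
waf.example.test_WHITELIST_COUNTRY=FR BE MC BL GP MF MQ NC PF PM RE TF WF
"""


def parse_env(text):
    """Parse KEY=VALUE lines into a dict; comments and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def server_names(settings):
    """SERVER_NAME is a space-separated list of vhosts."""
    return settings.get("SERVER_NAME", "").split()


def effective(settings, server, key):
    """Per-server value wins over the global one; None when neither is set."""
    if settings.get("MULTISITE", "no") == "yes":
        scoped = settings.get(f"{server}_{key}")
        if scoped is not None:
            return scoped
    return settings.get(key)


def whitelist_countries(settings, server):
    """Set of allowed ISO codes for this vhost (empty set means no whitelist applies)."""
    value = effective(settings, server, "WHITELIST_COUNTRY")
    return frozenset(value.upper().split()) if value else frozenset()


def is_country_allowed(settings, server, country):
    """True when the vhost has no country whitelist, or the client country is listed."""
    allowed = whitelist_countries(settings, server)
    return not allowed or country.upper() in allowed


def geo_report(settings):
    """Map each vhost to its sorted whitelist; an empty list means every country is accepted."""
    return {s: sorted(whitelist_countries(settings, s)) for s in server_names(settings)}


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    for server, countries in geo_report(cfg).items():
        print(f"{server}: {' '.join(countries) if countries else 'no country whitelist'}")
    for server, cc in [("waf.example.test", "FR"), ("waf.example.test", "US"), ("app.example.test", "US")]:
        verdict = "allowed" if is_country_allowed(cfg, server, cc) else "denied (403)"
        print(f"{cc} -> {server}: {verdict}")
```

Run it against your real `.env` by replacing `SAMPLE_ENV` with the file contents; a vhost that shows "no country whitelist" will answer any remote test tool normally, which is worth confirming before concluding the setting itself is broken. Note also that the country lookup only sees the client address the WAF ends up with, so with USE_REAL_IP=yes the result depends on the forwarded address being extracted correctly.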

leberrem commented 1 month ago

Using https://pagespeedplus.com gives much better results, and we can see 403 pages.