bunkerity / bunkerweb

🛡️ Open-source and next-generation Web Application Firewall (WAF)
https://www.bunkerweb.io
GNU Affero General Public License v3.0

[BUG] Whitelisted IP is banned when sending requests with a different Host header #448

Closed quentin-fougereau closed 1 year ago

quentin-fougereau commented 1 year ago

Description

I am using bunkerweb as a reverse proxy, and I would like to scan my website with the Acunetix security scanner. Unfortunately, the IP address of the scanner always gets banned despite being in the whitelist. The reason is that, during the scan, Acunetix sends a lot of requests with a "weird" Host header that differs from the server name.

How to reproduce

Sending multiple requests with a different Host header (test.com) than the SERVER_NAME value (app1.example.com), from a whitelisted IP address, triggers a ban for bad behavior. Here is a sample configuration that you can use to observe the bug:

version: '3'

services:
  bunkerweb:
    image: bunkerity/bunkerweb:1.4.8
    ports:
      - 80:8080
      - 443:8443
    environment:
      - SERVER_NAME=app1.example.com
      - AUTO_LETS_ENCRYPT=no
      - DISABLE_DEFAULT_SERVER=yes
      - USE_REAL_IP=yes
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myservice
      - USE_MODSECURITY=yes
      - USE_BUNKERNET=no
      - USE_BAD_BEHAVIOR=yes
      - USE_LIMIT_REQ=yes
      - LIMIT_REQ_RATE=1r/s
      - WHITELIST_IP=172.23.0.1
      - ALLOWED_METHODS=GET|POST|PUT|DELETE
    volumes:
      - bw_data:/data
  myservice:
    image: tutum/hello-world

volumes:
  bw_data:

Logs

bunkerweb_1  | 2023/04/25 15:08:34 [notice] 675#675: *10 [ACCESS] whitelist returned status 0 : client IP 172.23.0.1 is in whitelist, client: 172.23.0.1, server: app1.example.com, request: "GET / HTTP/1.1", host: "app1.example.com"
bunkerweb_1  | app1.example.com 172.23.0.1 - - [25/Apr/2023:15:08:34 +0000] "GET / HTTP/1.1" 200 490 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:08:57 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:08:59 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:08:59 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:00 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:00 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:01 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:01 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:02 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:02 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:03 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | 2023/04/25 15:09:03 [warn] 675#675: *26 [BAD-BEHAVIOR] IP 172.23.0.1 is banned for 86400s (11/10) while logging request, client: 172.23.0.1, server: _, request: "GET / HTTP/1.1", host: "test.com"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:03 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | test.com 172.23.0.1 - - [25/Apr/2023:15:09:04 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
bunkerweb_1  | 2023/04/25 15:09:04 [warn] 675#675: *27 [BAD-BEHAVIOR] IP 172.23.0.1 is banned for 86400s (12/10) while logging request, client: 172.23.0.1, server: _, request: "GET / HTTP/1.1", host: "test.com"
bunkerweb_1  | 2023/04/25 15:09:04 [warn] 675#675: *28 [BAD-BEHAVIOR] IP 172.23.0.1 is banned for 86400s (13/10) while logging request, client:

Thank you for your help.
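As an added example (not part of the report and not BunkerWeb's own code), a small Python audit that correlates the two log formats shown above: it counts 403s served under a Host other than SERVER_NAME and flags any [BAD-BEHAVIOR] ban that lands on an IP covered by WHITELIST_IP, which is how a defender would spot this whitelist-versus-ban inconsistency in production logs. The space-separated IP/CIDR format of WHITELIST_IP and the two log layouts are assumptions taken from the report.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpt of the bunkerweb 1.4.8 container log from the report
# (container-name prefix stripped); the IP, hosts and timestamps are the report's.
SAMPLE_LOG = """\
2023/04/25 15:08:34 [notice] 675#675: *10 [ACCESS] whitelist returned status 0 : client IP 172.23.0.1 is in whitelist, client: 172.23.0.1, server: app1.example.com, request: "GET / HTTP/1.1", host: "app1.example.com"
app1.example.com 172.23.0.1 - - [25/Apr/2023:15:08:34 +0000] "GET / HTTP/1.1" 200 490 "-" "curl/7.81.0"
test.com 172.23.0.1 - - [25/Apr/2023:15:08:57 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
test.com 172.23.0.1 - - [25/Apr/2023:15:08:59 +0000] "GET / HTTP/1.1" 403 8488 "-" "curl/7.81.0"
2023/04/25 15:09:03 [warn] 675#675: *26 [BAD-BEHAVIOR] IP 172.23.0.1 is banned for 86400s (11/10) while logging request, client: 172.23.0.1, server: _, request: "GET / HTTP/1.1", host: "test.com"
"""

# Access-log line: "<host> <client ip> - - [<time>] "<request>" <status> ..." (assumed layout)
ACCESS_RE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) - - \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')
# Error-log line written by the bad-behavior plugin when the threshold is crossed (assumed layout)
BAN_RE = re.compile(r'\[BAD-BEHAVIOR\] IP (?P<ip>\S+) is banned for (?P<secs>\d+)s '
                    r'\((?P<count>\d+)/(?P<limit>\d+)\).*host: "(?P<host>[^"]*)"')

def parse_whitelist(value):
    """WHITELIST_IP is treated as space-separated IPs or CIDRs (assumed format)."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.split()]

def is_whitelisted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def audit(log_text, server_name, whitelist_value):
    """Return (mismatched-host 403 counts per IP, bans that hit a whitelisted IP)."""
    networks = parse_whitelist(whitelist_value)
    mismatched_403 = Counter()
    bad_bans = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            # a 403 under a Host that is not the configured server name is the
            # response the bad-behavior counter is fed by in this report
            if m["status"] == "403" and m["host"] != server_name:
                mismatched_403[m["ip"]] += 1
            continue
        m = BAN_RE.search(line)
        if m and is_whitelisted(m["ip"], networks):
            bad_bans.append((m["ip"], m["host"], int(m["count"]), int(m["limit"]), int(m["secs"])))
    return mismatched_403, bad_bans

if __name__ == "__main__":
    counts, bans = audit(SAMPLE_LOG, "app1.example.com", "172.23.0.1")
    for ip, host, count, limit, secs in bans:
        print(f"whitelisted {ip} banned {secs}s after {count}/{limit} bad responses (host {host}); "
              f"{counts[ip]} mismatched-host 403s seen for it")
```

Feed it `docker compose logs bunkerweb` with the container prefix stripped; any entry in the second result means the whitelist did not take precedence over the ban, which is exactly the behaviour reported here.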

TheophileDiot commented 1 year ago

Hello @quentin-fougereau

This is fixed in the last 1.5.0 release.

Thanks again!