corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

Unable to remove Server header on Coraza module's response #144

Closed to-kr closed 1 month ago

to-kr commented 7 months ago

I'm currently using Caddy server with the coraza module for web application firewall (WAF) capabilities. I've configured Caddy to remove the Server header using the header directive, but it seems that the Server header persists when the coraza module returns a 403 Forbidden response.

[image attachment: screenshot of the 403 response headers]

Caddyfile:

{
    http_port 8080
    order coraza_waf first
}

:8080 {
    header {
        -Server
        -Alt-Svc
    }

    handle {
        respond 404
    }

    coraza_waf {
        load_owasp_crs
        directives `
            Include /etc/caddy/*.conf
            Include @coraza.conf-recommended
            Include @crs-setup.conf.example
            Include @owasp_crs/*.conf

            SecRuleEngine On
        `
    }
}

Steps to Reproduce:

  1. Start Caddy server with the provided Caddyfile configuration.
  2. Send a request that triggers a 403 Forbidden response from the coraza module.
    curl -v "http://127.0.0.1:8080?id=1;DELETE%20FROM"
  3. Check the response headers and observe that the Server header is still present.

Expected Behavior: The Server header should be removed from the response when the coraza module returns a 403 Forbidden response, as specified in the Caddyfile configuration.

Actual Behavior: The Server header persists in the response even after configuring Caddy to remove it.

Additional Information:

  • Caddy version: 2.7.6
  • Coraza module version: v2.0.0-rc.3

jcchavezs commented 7 months ago

Interesting. What happens when you do SecRuleEngine Off?

On Mon, Apr 8, 2024 at 12:51 PM to-kr wrote:

    [quoted copy of the issue description above; attached image: https://github.com/corazawaf/coraza-caddy/assets/6631729/8ccb2f35-bddb-4ba8-98ac-42bd627d1707]

    Additional Information:

      • Caddy version: 2.7.6
      • Coraza module version: v2.0.0-rc.3

to-kr commented 7 months ago

It returns 404 without the Server header.

[image attachment: screenshot of the 404 response headers]

jcchavezs commented 4 months ago

Could it be the case that the middleware that removes server header happens after coraza does its job? cc @mholt

mholt commented 4 months ago

Yeah. order coraza_waf first causes it to be executed before any other directives, which is probably not what you want. If coraza_waf terminates the handler chain (i.e. responds to the request), the header directive won't even be evaluated.

zdeneksvarc commented 2 months ago

We can configure the WAF response headers from handle_errors 403 { … } like this:

{
        admin off
        auto_https off
        order coraza_waf first
}

:80 {
        coraza_waf {
                load_owasp_crs
                directives `
                Include @coraza.conf-recommended
                Include @crs-setup.conf.example
                Include @owasp_crs/*.conf
                SecRuleEngine On
                `
        }

        header {
                -Server
        }

        handle_errors 403 {
               header X-Blocked "true"
               header Server "WAF"
#              header -Server
        }

        reverse_proxy http://whoami:2001
}

Returns:

HTTP/1.1 403 Forbidden
Server: WAF
X-Blocked: true
Date: Mon, 30 Sep 2024 12:42:35 GMT

and

HTTP/1.1 200 OK
Content-Length: 269
Content-Type: text/plain; charset=utf-8
Date: Mon, 30 Sep 2024 12:42:36 GMT
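
The ordering effect mholt describes, and why zdeneksvarc's handle_errors block sidesteps it, modelled in plain Go as an added example. This is not Caddy's or coraza-caddy's code: the handler, middleware, httpError and Run names, the "DELETE" blocking rule, and the assumption that the server sets a default Server: Caddy header before the handler chain runs are all the model's own. Three configurations are run against the blocked request from the report: the WAF ordered first with the header directive after it, the header directive before the WAF, and the WAF ordered first but with the 403 rendered by an error route.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// handler/middleware mirror the shape of a Caddy HTTP handler, which may return
// an error for the server to route to handle_errors. All names in this file are
// the model's own (hypothetical), not Caddy's or coraza-caddy's.
type handler func(w http.ResponseWriter, r *http.Request) error
type middleware func(next handler) handler

// httpError carries a status code from a handler to the error route.
type httpError int

func (e httpError) Error() string { return fmt.Sprintf("HTTP %d", int(e)) }

// chain nests middlewares so that mws[0] runs first, like Caddy's directive
// order: "order coraza_waf first" corresponds to the WAF being mws[0].
func chain(final handler, mws ...middleware) handler {
	for i := len(mws) - 1; i >= 0; i-- {
		final = mws[i](final)
	}
	return final
}

// waf stands in for coraza_waf: it blocks any request whose query string holds
// the constructed marker "DELETE". With respondDirectly it writes the 403 itself
// and terminates the chain (next is never called); otherwise it returns an error
// so that errorRoute renders the 403.
func waf(respondDirectly bool) middleware {
	return func(next handler) handler {
		return func(w http.ResponseWriter, r *http.Request) error {
			if !strings.Contains(r.URL.RawQuery, "DELETE") {
				return next(w, r)
			}
			if respondDirectly {
				w.WriteHeader(http.StatusForbidden)
				return nil
			}
			return httpError(http.StatusForbidden)
		}
	}
}

// removeServer models "header -Server": drop the header, then continue.
func removeServer(next handler) handler {
	return func(w http.ResponseWriter, r *http.Request) error {
		w.Header().Del("Server")
		return next(w, r)
	}
}

// notFound models "respond 404", the terminal handler of the site block.
var notFound handler = func(w http.ResponseWriter, _ *http.Request) error { w.WriteHeader(404); return nil }

// errorRoute models "handle_errors 403 { header -Server; header X-Blocked true }".
func errorRoute(w http.ResponseWriter, err error) {
	status := http.StatusInternalServerError
	if he, ok := err.(httpError); ok {
		status = int(he)
	}
	w.Header().Del("Server")
	w.Header().Set("X-Blocked", "true")
	w.WriteHeader(status)
}

// Run serves one request through a named configuration and returns the status
// and response headers. The model assumes the server sets "Server: Caddy"
// before the chain runs; an error returned by the chain goes to errorRoute.
func Run(config, rawQuery string) (int, http.Header) {
	var h handler
	switch config {
	case "waf-first": // order coraza_waf first, header -Server after it
		h = chain(notFound, waf(true), removeServer)
	case "header-first": // header -Server evaluated before the WAF
		h = chain(notFound, removeServer, waf(true))
	case "handle-errors": // WAF first, but the 403 is written by errorRoute
		h = chain(notFound, waf(false), removeServer)
	}
	req := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8080/?"+rawQuery, nil)
	rec := httptest.NewRecorder()
	rec.Header().Set("Server", "Caddy")
	if err := h(rec, req); err != nil {
		errorRoute(rec, err)
	}
	res := rec.Result()
	return res.StatusCode, res.Header
}

func main() {
	for _, c := range []string{"waf-first", "header-first", "handle-errors"} {
		status, hdr := Run(c, "id=1;DELETE%20FROM")
		fmt.Printf("%-14s status=%d Server=%q X-Blocked=%q\n", c, status, hdr.Get("Server"), hdr.Get("X-Blocked"))
	}
}
```

Running it reproduces the report: with the WAF ordered first, a blocked request gets a 403 that still carries Server: Caddy because the chain ended before "header -Server" ran, while a benign request reaches the 404 without the header. Putting the header directive first removes it before the WAF writes, and the error-route configuration removes it even though the WAF stays first, which is the mechanism behind the handle_errors fix.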

to-kr commented 1 month ago

Thank You. It works.

jcchavezs commented 1 month ago

Can we close this?

On Wed, Oct 2, 2024 at 2:34 PM to-kr wrote:

    Thank You. It works.

to-kr commented 1 month ago

Yes, handle_errors solves the problem.