corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

Document how to override CRS variables #145

Open jpds opened 2 months ago

jpds commented 2 months ago

Given the following error:

Apr 29 17:00:20 caddy caddy[468]: {"level":"error","ts":1714410020.510198,"logger":"http.handlers.waf","msg":"[client \"[2a03:...]\"] Coraza: Warning. Request content type is not allowed by policy [file \"@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"1968\"] [id \"920420\"] [rev \"\"] [msg \"Request content type is not allowed by policy\"] [data \"|application/octet-stream|\"] [severity \"critical\"] [ver \"OWASP_CRS/4.0.0-rc1\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153\"] [tag \"PCI/12.1\"] [hostname \"\"] [uri \"/..."] [unique_id \"tMztcPmYICGNyugn\"]\n"}

It's not clear to me from the example how I'm supposed to override this variable in the Caddy configuration:

      coraza_waf {
        load_owasp_crs
        directives `
          Include @coraza.conf-recommended
          Include @crs-setup.conf.example
          Include @owasp_crs/*.conf
          SecRuleEngine DetectionOnly
        `
      }

If I add this before the Include lines:

SecAction \
    "id:920420,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream|'"

Then Caddy simply returns this error message:

provision http.handlers.waf: invalid WAF config from string: failed to parse string: failed to compile the directive "secrule": there is a another rule with id 920420

semzor commented 3 weeks ago

Did you find a solution for this? @jpds

jptosso commented 3 weeks ago

The rule is failing because of the duplicated rule id. Just use a single rule to override all variables you want and make sure the id is unique. The same rule with a different id should work. Also make sure the rule is added before including CRS.