Open dkhokhlov opened 1 month ago
Unfortunately it's impossible to process the request with blocking capabilities without buffering. ModSecurity tried a streaming mode but it never really worked, the same applies for Coraza. Also CRS breaks if we stop processing the request body phase.
Double checking - you are talking about the response? Buffering a request and then processing its body etc. is OK, but buffering the corresponding response from the server is the problem.
Same applies for responses, but it might not affect CRS unless you enable anomaly scoring mode. I think it wouldn't do any damage to allow users to stream the response body. We could even use an action to tell the connector to stream.
@jcchavezs @fzipi
You can disable request body inspection and that should do the trick, but that is a big risk as a malicious request payload will get to the upstream.
On Sun, May 12, 2024 at 8:08 AM Dmitri Khokhlov @.***> wrote:
I am using Caddy as an HTTPS reverse proxy with Coraza. My app streams its response. Without Coraza I see the page rendered gradually. With Coraza I get the whole page after a delay. Even with an empty Coraza config it is still buffering.
How to tell Coraza not to buffer responses?
```
myhost:1443 {
    tls /etc/caddy/my.crt /etc/caddy/my.key
    reverse_proxy localhost:8080
    header Access-Control-Allow-Methods "POST, GET, OPTIONS"
    header Access-Control-Allow-Headers "*"
    encode zstd gzip
    log {
        level DEBUG
    }
    coraza_waf {
        directives
            Include @.
            Include @.
            Include @._crs/.conf
            SecRuleEngine On
            SecDebugLog /dev/stdout
            SecDebugLogLevel 9
            SecRule REQUEST_URI **@. /admin" "id:101,phase:1,t:lowercase,deny,status:403"
            SecRule REQUEST_BODY @. maliciouspayload" "id:102,phase:2,t:lowercase,deny,status:403"
    }
}
```
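The first reply's point, that a WAF cannot block on a body without buffering it, shown as an added Go example (not code from Coraza or coraza-caddy). The names `upstream`, `buffered`, `streamed` and `streamWriter` are hypothetical, and the `SECRET` marker is a constructed stand-in for content a response-body rule would deny.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
)

var marker = []byte("SECRET") // constructed stand-in for a response-body rule match

func upstream(w http.ResponseWriter, _ *http.Request) {
	// Each Write stands for one streamed chunk; the second one trips the rule.
	for _, c := range []string{"chunk-1 ", "SECRET ", "chunk-3"} {
		w.Write([]byte(c))
	}
}

// streamWriter inspects chunks as they pass through to the client.
type streamWriter struct {
	http.ResponseWriter
	cut bool
}

func (s *streamWriter) Write(p []byte) (int, error) {
	if s.cut = s.cut || bytes.Contains(p, marker); s.cut {
		return len(p), nil // can only drop: status 200 and earlier chunks already left
	}
	return s.ResponseWriter.Write(p)
}

// buffered holds the whole response back before deciding, as a blocking WAF must.
func buffered(h http.HandlerFunc) (int, string) {
	held := httptest.NewRecorder()
	h(held, httptest.NewRequest("GET", "/", nil))
	if bytes.Contains(held.Body.Bytes(), marker) {
		return http.StatusForbidden, "blocked" // nothing sent yet, so a clean deny is possible
	}
	return held.Code, held.Body.String()
}

func streamed(h http.HandlerFunc) (int, string) {
	out := httptest.NewRecorder()
	h(&streamWriter{ResponseWriter: out}, httptest.NewRequest("GET", "/", nil))
	return out.Code, out.Body.String()
}

func main() {
	fmt.Println(buffered(upstream))
	fmt.Println(streamed(upstream))
}
```

The streamed path leaves the client with a 200 and a truncated body, which is why a `deny` with `status:403` on a body phase implies buffering. The per-chunk check also misses a marker split across two chunks.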