corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

how to tell coraza not to buffer responses? #148

Open dkhokhlov opened 1 month ago

dkhokhlov commented 1 month ago

I am using Caddy as an HTTPS reverse proxy with Coraza. My app streams its response. Without Coraza I see the page rendered gradually; with Coraza I get the whole page after a delay. Even with an empty Coraza config it is still buffering.

How do I tell Coraza not to buffer responses?

myhost:1443 {
    tls /etc/caddy/my.crt /etc/caddy/my.key
    reverse_proxy localhost:8080
    header Access-Control-Allow-Methods "POST, GET, OPTIONS"
    header Access-Control-Allow-Headers "*"
    encode zstd gzip
    log {
        level DEBUG
    }
    coraza_waf {
        directives `
            Include /etc/caddy/coraza-coreruleset/rules/@coraza.conf-recommended
            Include /etc/caddy/coraza-coreruleset/rules/@crs-setup.conf.example
            Include /etc/caddy/coraza-coreruleset/rules/@owasp_crs/*.conf
            SecRuleEngine On
            SecDebugLog /dev/stdout
            SecDebugLogLevel 9
            SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,deny,status:403"
            SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,deny,status:403"
        `
    }
}

jptosso commented 1 month ago

Unfortunately it's impossible to process the request with blocking capabilities without buffering. ModSecurity tried a streaming mode but it never really worked, and the same applies to Coraza. Also, CRS breaks if we stop processing the request body phase.

dkhokhlov commented 1 month ago

Double-checking: you are talking about the response? Buffering a request and then processing its body etc. is OK, but buffering the corresponding response from the server is the problem.

jptosso commented 1 month ago

The same applies to responses, but it might not affect CRS unless you enable anomaly scoring mode. I think it wouldn't hurt to allow users to stream the response body. We could even use an action to tell the connector to stream.

@jcchavezs @fzipi

jcchavezs commented 1 month ago

You can disable request body inspection and that should do the trick, but that is a big risk as malicious request payloads will get to the upstream.

On Sun, May 12, 2024 at 8:08 AM Dmitri Khokhlov wrote:

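The trade-off jptosso describes above (you can deny on response content only if you hold the whole body back; the moment you stream it, the best you can do is detect), shown as an added Go example that is not coraza-caddy's or Coraza's code. A single regexp stands in for a phase-4 RESPONSE_BODY rule, the chunked upstream and its two chunk lists are constructed, and the names `Run`, `BlockingMiddleware` and `DetectOnlyMiddleware` are this example's own. It also shows why per-chunk inspection is not a drop-in replacement for buffering: the same payload split across two flushes is caught in blocking mode and missed in detect-only mode.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Toy stand-in for a phase-4 rule such as
// SecRule RESPONSE_BODY "@rx maliciouspayload" "id:103,phase:4,deny,status:403"
var responseRule = regexp.MustCompile(`(?i)maliciouspayload`)

// Constructed upstream output; SplitChunks has the payload straddling a flush.
var (
	WholeChunks = []string{"<html><p>hello</p>", "maliciouspayload", "</html>"}
	SplitChunks = []string{"<html><p>hello</p>", "malicious", "payload</html>"}
)

// chunkedUpstream mimics the reporter's app: write a piece, flush, repeat.
func chunkedUpstream(chunks []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "text/html")
		for _, c := range chunks {
			_, _ = io.WriteString(w, c)
			if f, ok := w.(http.Flusher); ok {
				f.Flush()
			}
		}
	})
}

// bufferingWriter absorbs the whole response. It is not an http.Flusher, so
// upstream's Flush() calls are no-ops: the "whole page after a delay" effect.
type bufferingWriter struct {
	header http.Header
	status int
	body   bytes.Buffer
}

func (b *bufferingWriter) Header() http.Header         { return b.header }
func (b *bufferingWriter) WriteHeader(code int)        { b.status = code }
func (b *bufferingWriter) Write(p []byte) (int, error) { return b.body.Write(p) }

// BlockingMiddleware evaluates the rule over the complete body and then either
// denies or replays the buffered response; deny works because nothing was sent.
func BlockingMiddleware(next http.Handler, onMatch func()) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bw := &bufferingWriter{header: http.Header{}, status: http.StatusOK}
		next.ServeHTTP(bw, r)
		if responseRule.Match(bw.body.Bytes()) {
			onMatch()
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		for k, v := range bw.header {
			w.Header()[k] = v
		}
		w.WriteHeader(bw.status)
		_, _ = w.Write(bw.body.Bytes())
	})
}

// streamingWriter forwards and flushes each chunk before inspecting it: the
// bytes are already gone when the rule fires, and a payload split across two
// chunks is never seen whole.
type streamingWriter struct {
	http.ResponseWriter
	onMatch func()
}

func (s *streamingWriter) Write(p []byte) (int, error) {
	n, err := s.ResponseWriter.Write(p)
	if f, ok := s.ResponseWriter.(http.Flusher); ok {
		f.Flush()
	}
	if responseRule.Match(p) {
		s.onMatch()
	}
	return n, err
}

// DetectOnlyMiddleware leaves the stream intact; the rule can only alert.
func DetectOnlyMiddleware(next http.Handler, onMatch func()) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		next.ServeHTTP(&streamingWriter{ResponseWriter: w, onMatch: onMatch}, r)
	})
}

// Run sends one GET through mode "block" or "detect" over the given chunks and
// returns the status and body the client got plus whether the rule matched.
func Run(mode string, chunks []string) (status int, body string, matched bool) {
	hit := func() { matched = true }
	h := DetectOnlyMiddleware(chunkedUpstream(chunks), hit)
	if mode == "block" {
		h = BlockingMiddleware(chunkedUpstream(chunks), hit)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Code, rec.Body.String(), matched
}
```

`Run("block", ...)` returns 403 for both chunk lists; `Run("detect", ...)` returns 200 and the full page for both, but only flags the unsplit payload. In Coraza's own directive set the knob that turns response-body inspection off is SecResponseBodyAccess Off (with SecResponseBodyMimeType and SecResponseBodyLimit narrowing what is read when it is on); whether coraza-caddy then stops holding the response back is not something this thread settles, since the reporter saw buffering even with an empty config.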