corazawaf / coraza-caddy

OWASP Coraza middleware for Caddy. It provides Web Application Firewall capabilities
https://www.coraza.io/
Apache License 2.0

wrong client ip when using with cloudflared #150

Open berkansivri opened 6 months ago

berkansivri commented 6 months ago

I am running caddy and cloudflared in containers. I expose the app through a cloudflare tunnel. Even though I see the correct IP address for the user in the client_ip field in caddy HTTP access logs, I only see my local IP, where my cloudflared container is running, in the "client" field in coraza's logs.

ERR ts=1715890755.5588253 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 1). Restricted File Access Attempt [file "@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "3004"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /backup/.env"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname ""] [uri "/backup/.env"] [unique_id "cMcEsZeHrZypdcza"]
ERR ts=1715890755.5638793 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "6836"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/backup/.env"] [unique_id "cMcEsZeHrZypdcza"]
ERR ts=1715901998.4102561 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 1). Restricted File Access Attempt [file "@owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "3004"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: /.env found within REQUEST_FILENAME: /server/.env"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname ""] [uri "/server/.env"] [unique_id "gtdfrphGnOfXfwZS"]
ERR ts=1715901998.8870468 logger=http.handlers.waf msg=[client "172.19.0.2"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 5) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "6836"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/server/.env"] [unique_id "gtdfrphGnOfXfwZS"]

In caddy logs, the remote_ip field refers to 172.19.0.2 (my local cloudflared). As far as I remember caddy recommends to use the "client_ip" field rather than "remote_ip" for the addons. That might be the case.

vcarus commented 5 months ago

It would be better if we had an option to pass client_ip to coraza.

M4tteoP commented 3 months ago

Hi, the related code is https://github.com/corazawaf/coraza-caddy/blob/main/http.go#L24-L33, we are currently using http.Request.RemoteAddr to fill the client address.

As far as I remember caddy recommends to use the "client_ip" field rather than "remote_ip" for the addons. That might be the case.

Will have to explore how to extract the client_ip somehow provided by Caddy instead; any pointer would be appreciated!

Related issue: https://caddy.community/t/getting-real-ip-with-caddy-behind-a-reverse-proxy/24518

samdelong commented 3 months ago

That's my post on caddy community. I was able to solve the issue by making some small changes to http.go, you can see the commits on my fork here

M4tteoP commented 3 months ago

Hey @samdelong, thanks for chiming in. I see that your solution is based on X-Real-IP which looks like it has to be explicitly configured (https://caddy.community/t/how-to-add-x-real-ip-header/11172). Is it something you configured in your Caddy config? Could there be a solution based on X-Forwarded-For that according to https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#defaults is always present?

samdelong commented 2 months ago

I didn't have to add anything to my Caddyfile config. I don't have any PRs to reference, but since that post was from 3 years ago it seems the X-Real-IP header is forwarded by default now. Ideally the solution would check for both headers.
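As an added example (not code from coraza-caddy, Caddy, or any commenter's fork), here is one defensive way to derive the client address the thread is discussing: honour X-Forwarded-For, with X-Real-IP as the fallback samdelong suggests, only when the request arrived from a configured trusted proxy, walking X-Forwarded-For from the right and skipping trusted hops, so that a client connecting directly cannot pick the address the WAF logs and scores on. The trusted network (the cloudflared container's Docker network from the logs above) and the function names are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Constructed sample: the Docker network of the cloudflared container in the thread above.
var trustedProxies = []string{"172.19.0.0/16"}

func isTrusted(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP returns the address the WAF should log and score on. Forwarded headers are
// honoured only when the TCP peer (RemoteAddr) is a trusted proxy, otherwise a direct
// client could pick the address it is judged by; XFF is walked right to left, X-Real-IP is the fallback.
func clientIP(r *http.Request, trusted []string) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // RemoteAddr carried no port
	}
	if peer := net.ParseIP(host); peer == nil || !isTrusted(peer, trusted) {
		return host // direct connection: the peer is the client
	}
	var hops []string
	for _, h := range strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",") {
		if h = strings.TrimSpace(h); h != "" {
			hops = append(hops, h)
		}
	}
	if len(hops) == 0 {
		hops = []string{strings.TrimSpace(r.Header.Get("X-Real-IP"))}
	}
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(hops[i])
		if ip == nil {
			break // malformed entry: trust nothing to its left
		}
		if !isTrusted(ip, trusted) {
			return ip.String()
		}
	}
	return host // only trusted hops (or none at all): fall back to the peer
}
```

With this, a request delivered by 172.19.0.2 carrying `X-Forwarded-For: 203.0.113.7` is attributed to 203.0.113.7, while the same header on a connection from an untrusted address is ignored and the peer address is kept.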