Closed Saperlu closed 1 year ago
Hey @Saperlu, thank you for your report. Before debugging, can you validate that the directory /tmp/coraza/tmp exists and that the user running caddy has access to write to it?
Well played, this dir was not on the container where I was trying to replicate the bug, sorry for that.
So I tried on the prod container (the dir exists on that container) and it seems that setting SecResponseBodyAccess to Off works. Is there a way to disable this for a custom URI only?
Also, this shouldn't have this behaviour, I guess, so here are the caddy logs:
error http.log.error EOF {"request": {"remote_ip": "[redacted]", "remote_port": "65182", "proto": "HTTP/2.0", "method": "POST", "host": "[redacted]", "uri": "/fr/imce", "headers": {"X-Requested-With": ["XMLHttpRequest"], "Sec-Ch-Ua-Platform": ["\"macOS\""], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-Dest": ["empty"], "Content-Length": ["16389"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\""], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"], "Referer": ["https://[redacted]/imce"], "Sec-Ch-Ua-Mobile": ["?0"], "Origin": ["https://[redacted]"], "Cookie": [], "Accept": ["application/json, text/javascript, */*; q=0.01"], "Content-Type": ["multipart/form-data; boundary=----WebKitFormBoundaryoiUZBSJxElcPL8SO"], "Sec-Fetch-Mode": ["cors"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "www.bookbeo.com"}}, "duration": 0.241701613, "status": 502, "err_id": "3mucdx5hf", "err_trace": "reverseproxy.statusError (reverseproxy.go:1271)"}
Interesting finding. Worth checking, cc @anuraaga @m4tteoP
The Caddy connector is using an old version of Coraza. There is a draft PR to upgrade to the new immutability pattern.
Fully upgraded in https://github.com/corazawaf/coraza-caddy/releases/tag/v1.2.2
Could you please check again @Saperlu?
We completely rewrote the connector. Could you please try it again?
This issue has been open 30 days waiting for feedback. Remove the stale label or comment, or this will be closed in 14 days.
This issue was closed because it has been inactive for 14 days since being marked as stale.
Hi, I found out that files over 120 kB can't be uploaded when coraza is enabled, and it is not about a CRS rule file because I disabled them.
Create the file with:
dd if=/dev/zero of=file.pdf bs=10K count=13
caddy configuration
coraza.conf
I tried upping SecRequestBodyLimit and setting SecRequestBodyAccess, but this has no effect.
caddy logs
I get this error when triggering the 500 error (/tmp/coraza/tmp is SecTmpDir):