corazawaf / coraza-spoa

EXPERIMENTAL: A wrapper around the OWASP Coraza WAF for HAProxy's SPOE filters
Apache License 2.0

Coraza always returns 'allow' #109

Open csuka opened 1 month ago

csuka commented 1 month ago

I'm using Alma 8, go version go1.21.11, haproxy 2.8.10.
I've cloned the repo, created the coraza-spoa binary, and set up all config files, essentially following this guide.
I run the binary, and it's listening on port 9000.

When I do a curl request, e.g. curl http://localhost:80/\?x\=/etc/passwd, I see the request being denied by the OWASP ruleset, but coraza returns an allow to haproxy. I've checked this using the debug option in haproxy: %[var(txn.coraza.action)].

I expected a deny, as the owasp ruleset flags the request as critical as well. Example of coraza message:

{"level":"error","ts":1722250000.55379,"msg":"[client \"127.0.0.1\"] Coraza: Warning. OS File Access Attempt [file \"/etc/coraza-spoa/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf\"] [line \"4360\"] [id \"930120\"] [rev \"\"] [msg \"OS File Access Attempt\"] [data \"Matched Data: etc/passwd found within ARGS:x: /etc/passwd\"] [severity \"critical\"] [ver \"OWASP_CRS/4.3.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-lfi\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153/126\"] [tag \"PCI/6.5.4\"] [hostname \"127.0.0.1\"] [uri \"/?x=/etc/passwd\"] [unique_id \"927f0d12-a6d7-4ee0-8a2d-aa3813a9b126\"]\n"}

I actually think that this commit broke it.

Also, when using the docker container I get the same results.

fsou commented 1 week ago

Hi @csuka, have you tried changing SecRuleEngine to On in coraza.conf?

# Enable Coraza, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On
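A quick way to confirm which mode is actually in effect, as an added check that is not part of the thread or of coraza-spoa: the function below reads a flat coraza.conf (Include directives are assumed absent), ignores commented-out lines like the `#SecRuleEngine DetectionOnly` above, and reports the last uncommented SecRuleEngine value, which is the one Coraza applies. The two sample files are constructed to mirror the snippet above and the state that produces the symptom in the issue (rules match and are logged, but only 'allow' is reported to HAProxy).

```shell
#!/bin/sh
# Added example (not code from coraza-spoa): print the effective
# SecRuleEngine value of a flat Coraza config file.
# Assumptions: no Include directives; a leading '#' disables a line;
# when the directive appears more than once, the last one wins.

effective_rule_engine() {
    # $1: path to coraza.conf
    awk '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        tolower($1) == "secruleengine" { mode = $2 }  # later directive wins
        END { if (mode == "") mode = "unset"; print mode }
    ' "$1"
}

# Constructed sample matching the snippet in the thread: the DetectionOnly
# line is commented out, so the effective mode is On.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# Enable Coraza, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On
EOF

# Constructed sample of the configuration that logs rule matches
# (such as 930120) but never produces a deny action.
detect_conf=$(mktemp)
printf 'SecRuleEngine DetectionOnly\n' > "$detect_conf"

effective_rule_engine "$sample_conf"   # On
effective_rule_engine "$detect_conf"   # DetectionOnly
```

If the output is DetectionOnly, matches from the OWASP rules are logged exactly as in the message above while txn.coraza.action stays allow, which is the behaviour reported in this issue.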