coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

Regression in apache-202404131004: Connection reset by peer #233

Closed 8u closed 2 months ago

8u commented 2 months ago

Using owasp/modsecurity-crs:apache in a simple non-TLS proxy configuration:

```yaml
crs-apache:
  # image: owasp/modsecurity-crs:4.1.0-apache-202404070904
  # image: owasp/modsecurity-crs:apache
  image: owasp/modsecurity-crs:4.1.0-apache-202404131004
  ports:
    - "80:80"
  volumes:
    - /path/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    - /path/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:/etc/modsecurity.d/owasp-crs/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
  environment:
    - PROXY=1
    - BACKEND=http://wp # (tried removing all the optional params below, no improvement)
    - MODSEC_PCRE_MATCH_LIMIT=5000000
    - MODSEC_PCRE_MATCH_LIMIT_RECURSION=5000000
    - MODSEC_AUDIT_LOG_PARTS=ABIJDFHZ
    - PROXY_SSL=off
    - SSL_ENGINE=off
    - SSL_OCSP_STAPLING=off
    - LOGLEVEL=debug
```

4.1.0-apache-202404070904 was functioning normally:

```
wget http://127.0.0.1/
--2024-04-23 18:05:53--  http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://example.com/ [following]
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
```

4.1.0-apache-202404131004 with the same configuration fails however:

```
wget http://127.0.0.1/
--2024-04-23 18:07:30--  http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
```

Attaching both debug logs. The only visible difference is the (incorrect) warning present in the old and working 202404070904, but missing in the affected 202404131004:

```
Init: (localhost:443) You configured HTTP(80) on the standard HTTPS(443) port!
```

4.1.0-apache-202404131004.debug.log.txt
4.1.0-apache-202404070904.debug.log.txt

fzipi commented 2 months ago

Maybe this is your problem?

Both nginx and httpd containers now run with an unprivileged user. This means that we cannot bind to ports below 1024, so you might need to correct your PORT and SSL_PORT settings. Now the defaults for both nginx and httpd are 8080 and 8443.

We probably need to have this more prominent in the docs.

To solve it, try using

```yaml
...
ports:
  - "80:8080"
```

theseion commented 2 months ago

The default port in the image is now 8080. Either you use that too (- "80:8080") or you need to set the PORT variable to PORT=80 (will probably not work on Linux).
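The two failure modes described in this thread (mapping the host port to a container port nothing listens on, and forcing PORT to a privileged port the unprivileged httpd user cannot bind) can be caught before starting the stack. The following shell function is an added example for this issue, not part of the modsecurity-crs-docker project; it assumes the image's listener is `$PORT` with a default of 8080 and that a container-side port below 1024 is unusable, as stated above.

```shell
#!/bin/sh
# Added example: validate a docker-compose "host:container" port mapping
# against the port the owasp/modsecurity-crs container actually listens on.
# Assumption (from the thread): the listener is $PORT, default 8080, and the
# process runs unprivileged, so it cannot bind a port below 1024.

# check_port_mapping MAPPING [PORT]
# Returns 0 when the mapping reaches the listener, 1 on a mismatch or a
# privileged PORT, 2 when the mapping cannot be parsed.
check_port_mapping() {
    mapping=$1
    listen_port=${2:-8080}                 # image default when PORT is unset
    container_port=${mapping##*:}          # last field: container side
    container_port=${container_port%%/*}   # drop an optional "/tcp" suffix
    host_port=${mapping%%:*}               # first field, for the message only

    for p in "$container_port" "$listen_port"; do
        case $p in
            ''|*[!0-9]*) echo "cannot parse mapping '$mapping' / PORT '$listen_port'"; return 2 ;;
        esac
    done

    if [ "$listen_port" -lt 1024 ]; then
        echo "PORT=$listen_port is privileged; the unprivileged httpd/nginx user cannot bind it"
        return 1
    fi
    if [ "$container_port" -ne "$listen_port" ]; then
        echo "mapping $mapping targets $container_port but the container listens on $listen_port (expect connection reset)"
        return 1
    fi
    echo "mapping $mapping ok: host $host_port -> container $listen_port"
    return 0
}

# Constructed sample inputs mirroring the thread; failing calls are tolerated
# so the script runs to completion under 'set -e'.
check_port_mapping "80:80"      || true   # the reporter's mapping: mismatch
check_port_mapping "80:8080"    || true   # the suggested fix
check_port_mapping "80:80" 80   || true   # PORT=80: privileged, will not bind
check_port_mapping "80:8080/tcp" || true  # protocol suffix is accepted
```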

8u commented 2 months ago

That was the reason, thank you.