# start crs-apache service
docker-compose up -d crs-apache
# this will work
curl http://localhost:80/?file=/etc/passwd
# this will crash the webserver
curl http://localhost:80/etc/passwd
That's because you haven't specified a backend. The container runs in proxy mode by default and the proxy is configured for localhost, hence the redirects.
The apache version does an infinite redirect if some
/etc/passwd
api/navigation
url is called.To Reproduce:
Take this docker file: https://github.com/coreruleset/modsecurity-crs-docker/blob/main/docker-compose.yaml
Docker logs: