Open gdlwolf opened 4 days ago
@gdlwolf: Thanks for opening an issue, it is currently awaiting triage.
In the meantime, you can:
Hi 👋🏻
Thank you for a detailed report and steps, we managed to reproduce the issue and can pinpoint the code at fault.
We will work on a patch for the next update 1.6.4
thanks
What happened?
Crowdsec + appsec + Modsecurity rule:SecRule REMOTE_ADDR "@ipMatch 127.0.0.1,192.168.200.1" "id:900101,phase:1,pass,nolog,allow" The value of REMOTE_ADDR is 127.0.0.1:48926, and 48926 is a random port. Therefore Modsecurity's rules for ip whitelisting are invalid.
What did you expect to happen?
Modsecurity's rules for ip whitelisting are invalid. Because I found that the variable REMOTE_ADDR is not the expected client ip, but 127.0.0.1: random port number
How can we reproduce it (as minimally and precisely as possible)?
os:AlmaLinux release 9.3 (Shamrock Pampas Cat)
nginx version: nginx version: openresty/1.25.3.2 built by gcc 11.4.1 20231218 (Red Hat 11.4.1-3) (GCC) built with OpenSSL 1.1.1w 11 Sep 2023 TLS SNI support enabled configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.3 --add-module=../iconv-nginx-module-0.14 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/lib -ljemalloc' --user=www --group=www --with-http_stub_status_module --with-http_perl_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-threads --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_ssl_preread_module --with-http_slice_module --with-mail=dynamic --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-pcre=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/pcre-8.45 --with-zlib=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/zlib-1.3.1 --with-openssl=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/openssl-1.1.1w --with-http_perl_module=dynamic --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_cache_purge-2.3 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_healthcheck_module-master --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ngx_http_geoip2_module-3.4 --add-dynamic-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ip2location/ip2location-nginx-8.6.0 --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-ssl-fingerprint --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/ModSecurity-nginx --add-module=/home/soft/openresty-1.25.3.2/openresty-1.25.3.2/../modules/nginx-module-vts-0.2.2 --with-openssl-opt=-g --with-pcre-opt=-g --with-zlib-opt=-g --with-stream --without-pcre2
Crowdsec:v1.6.3
nginx.conf config: ` http{
include /usr/local/openresty/nginx/conf/conf.d/crowdsec_openresty.conf;
} `
listen_addr: 127.0.0.1:7422 appsec_config: crowdsecurity/appsec-default name: myAppSecComponent source: appsec labels: type: appsec log_level: debug
name: crowdsecurity/virtual-patching default_remediation: ban inband_rules:
`
download Modsecurity:
git clone https://github.com/coreruleset/coreruleset.git
cd /home/soft git clone https://github.com/coreruleset/coreruleset.git mkdir -pv /var/lib/crowdsec/data/coreruleset/rules cp /home/soft/coreruleset/rules/.conf /var/lib/crowdsec/data/coreruleset/rules/ cp /home/soft/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf cp /home/soft/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example /var/lib/crowdsec/data/coreruleset/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf cp /home/soft/coreruleset/rules/.data /var/lib/crowdsec/data/coreruleset/
Finally, the rule for ip whitelisting: secRule REMOTE_ADDR “@ipMatch 127.0.0.1,192.168.200.1” “id:900101,phase:1,pass,nolog,allow” was added to the /var/lib/crowdsec/data/ coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file.
systemctl restart crowdsec systemctl restart nginx
Anything else we need to know?
No response
Crowdsec version
OS version
Enabled collections and parsers
Acquisition config
Config show
Prometheus metrics
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.