keeweb / keeweb

Free cross-platform password manager compatible with KeePass
https://keeweb.info

[Bug] Newest version doesn't work properly when using Nginx Reverse Proxy with OWASP CoreRuleSet in ModSecurity (WAF) #1702

Open cwchristerw opened 3 years ago

cwchristerw commented 3 years ago

Describe the bug: Enabling OWASP CoreRuleSet in ModSecurity (WAF) will cause the latest KeeWeb version's code to split into unusable code for some reason (more in Logs).

To Reproduce: I have copied the gh-pages branch into a folder that is served by the antelle/keeweb docker container with my own changes. There is Nginx with OWASP CoreRuleSet in ModSecurity enabled as load balancer/reverse proxy. You can find how the code looks when the browser receives it here – https://etherpad.cwinfo.org/p/fXOoO1qVDKLflR50feuA

Expected behavior: Works correctly as in previous versions. Nothing else has changed except the KeeWeb code.

Environment: Nginx with OWASP CoreRuleSet in ModSecurity as reverse proxy

Logs

2021/02/03 00:28:38 [error] 73#73: *26075 [client REDACTED] ModSecurity: Access denied with code 403 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/etc/nginx/modsec/sources/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "68"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "2001:41d0:2:c44a:51:255:223:60"] [uri "/"] [unique_id "161231211835.589532"] [ref ""] while sending to client, client: REDACTED, server: keeweb.cwinfo.org, request: "GET / HTTP/2.0", upstream: "https://[fd80:deaf:1::10]:443/", host: "keeweb.cwinfo.org"
2021/02/03 00:28:38 [alert] 73#73: *26075 header already sent while sending to client, client: 2001:14ba:a701:34ee::1, server: keeweb.cwinfo.org, request: "GET / HTTP/2.0", upstream: "https://[fd80:deaf:1::10]:443/", host: "keeweb.cwinfo.org"
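The two log lines above answer most of the "what does it check?" question once they are taken apart: the denial happens in ModSecurity phase 4 (response body inspection), the variable compared is the CRS outbound anomaly score, and the following nginx alert shows the block landed after the response headers had already gone out, which is consistent with the browser receiving a cut-off copy of the KeeWeb bundle. The script below is an added example, not code from the issue or the KeeWeb project; it parses ModSecurity denial lines in the nginx error-log format shown above, classifies them by phase, and pairs each response-side denial with a later "header already sent" alert on the same connection. Its only input is the two lines copied from the report.

```python
import os
import re
from typing import Optional

# Sample input: the two log lines quoted in the issue report above (no other data is used).
SAMPLE_LOG = (
    '2021/02/03 00:28:38 [error] 73#73: *26075 [client REDACTED] ModSecurity: Access denied with code 403 (phase 4). '
    'Matched "Operator `Ge\' with parameter `4\' against variable `TX:OUTBOUND_ANOMALY_SCORE\' (Value: `4\' ) '
    '[file "/etc/nginx/modsec/sources/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "68"] [id "959100"] '
    '[rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.0"] '
    '[maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "2001:41d0:2:c44a:51:255:223:60"] [uri "/"] '
    '[unique_id "161231211835.589532"] [ref ""] while sending to client, client: REDACTED, server: keeweb.cwinfo.org, '
    'request: "GET / HTTP/2.0", upstream: "https://[fd80:deaf:1::10]:443/", host: "keeweb.cwinfo.org"\n'
    '2021/02/03 00:28:38 [alert] 73#73: *26075 header already sent while sending to client, client: REDACTED, '
    'server: keeweb.cwinfo.org, request: "GET / HTTP/2.0", upstream: "https://[fd80:deaf:1::10]:443/", host: "keeweb.cwinfo.org"\n'
)

# ModSecurity processing phases: 1-2 judge the client's request, 3-4 judge the upstream's response.
PHASES = {1: "request headers", 2: "request body", 3: "response headers", 4: "response body", 5: "logging"}

# The "Matched ..." clause: status code, phase, operator, its parameter, the variable tested and its value.
MATCHED = re.compile(
    r"Access denied with code (?P<status>\d+) \(phase (?P<phase>\d+)\)\. "
    r"Matched \"Operator `(?P<op>\w+)' with parameter `(?P<param>[^']*)' "
    r"against variable `(?P<var>[^']*)' \(Value: `(?P<value>[^']*)' \)"
)
# Bracketed key/value pairs ModSecurity appends: [file "..."] [id "959100"] [msg "..."] ...
BRACKET_FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')
# nginx's connection counter (*26075), shared by every line logged for the same connection.
CONN = re.compile(r"\*(?P<conn>\d+) ")


def parse_modsec_line(line: str) -> Optional[dict]:
    """Return a dict for a ModSecurity denial line, or None for any other nginx log line."""
    m = MATCHED.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["phase"] = int(entry["phase"])
    entry.update(BRACKET_FIELD.findall(line))  # adds file, line, id, msg, ver, tag, ...
    conn = CONN.search(line)
    entry["connection"] = conn.group("conn") if conn else None
    entry["stage"] = PHASES.get(entry["phase"], "unknown")
    # Phases 3 and 4 mean the WAF objected to what the upstream sent back, not to the client's request.
    entry["direction"] = "response" if entry["phase"] in (3, 4) else "request"
    return entry


def explain(entry: dict) -> str:
    """One human-readable line: which rule file/id fired, what it compared, and in which phase."""
    return (
        f"rule {entry.get('id')} in {os.path.basename(entry.get('file', ''))}: "
        f"{entry['var']} = {entry['value']} {entry['op']} {entry['param']} during {entry['stage']} "
        f"(phase {entry['phase']}) -> HTTP {entry['status']}; {entry.get('msg', '')}"
    )


def triage(log_text: str) -> list:
    """Parse every denial and mark response-side ones that nginx could no longer turn into a clean 403.

    A 'header already sent' alert on the same connection means the upstream body was already being
    streamed when phase 4 denied it, so the client received a truncated response instead of a 403 page.
    """
    denials = []
    for line in log_text.splitlines():
        entry = parse_modsec_line(line)
        if entry:
            entry["truncated_response"] = False
            denials.append(entry)
        elif "header already sent" in line:
            conn = CONN.search(line)
            for d in denials:
                if d["direction"] == "response" and conn and d["connection"] == conn.group("conn"):
                    d["truncated_response"] = True
    return denials


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(explain(d))
        print("  client received truncated body:", d["truncated_response"])
```

The 959100 line is only the CRS blocking-evaluation step; the rules that actually contributed to the outbound score each log their own line, which the report does not quote. Those lines, not the evaluation line, tell you what in the bundle the response-side rules objected to, and they are what to read before deciding how to tune the WAF for this application.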
antelle commented 3 years ago

Hi! I don't understand the log, what does it check?

antelle commented 3 years ago

Another question, if you put two keeweb versions into different folders, does one of them work?

cwchristerw commented 3 years ago

It will work without the Web Application Firewall.

antelle commented 3 years ago

How is this WAF set up, what does it check, and what doesn't it like?