Closed (revellion closed this 5 months ago)
Interesting, though: in an earlier version, before I updated, this worked fine, so I wonder if something in the code has changed to cause this regression?
Technically:
We do not guarantee that Uptime Kuma will work on a special setup, so I changed it to help.
Also, the request is made by Socket.io, which is unlikely to be fixable in our code base:
"uri": "/socket.io/?EIO=4&transport=polling&t=Oo3ELRm&sid=JPvAoyRDk_SFe1ygAP_J".
If you think it is a bug, you should transfer the issue to their repo with minimal socket.io reproduction steps.
Note that this is our supported nginx configuration: https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy#nginx
If there are good reasons for including it in our configuration, we can discuss this, but currently I don't see them.
Note that the ruleset you are using is kind of infamous for the number of false positives, as far as I have read.
I've currently worked around it by adding an exception for just that request path for now. Going to see if I can find any clues in the socket.io upstream project.
I am going to close this issue, as I don't see how we can fix it on our side. As mentioned above: please report it upstream with a minimal reproducible ^^
Please verify that this bug has NOT been raised before.
Security Policy
Description
Whenever the dashboard establishes a websocket connection, it does so with content-type: text/plain, which trips ModSec, since it should avoid using that content-type, as it will prevent processing of the data to inspect it properly.
I haven't checked yet what content is returned in the POST to propose a proper type, but the authors might have a better idea.
Reproduction steps
Install Uptime Kuma. Put it behind an NGINX reverse proxy with ModSecurity and the OWASP ruleset enabled.
Expected behavior
Uptime Kuma works fine without any tweaks
Actual Behavior
It errors on establishing websockets and returns a link to enable WebSockets support in the reverse proxy, which is already enabled.
Uptime-Kuma Version
1.23.10
Operating System and Arch
Debian 12 x86_64
Browser
Google Chrome, and tested on Firefox as well to rule out cookies/cache issues
Docker Version
No response
NodeJS Version
No response
Relevant log output
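No log output was attached to the report, and the thread never names the ModSecurity rule that fires. The script below is an added example, written for this page and not part of Uptime Kuma or the issue, covering the two practical steps a reader of this thread needs: find the rule id and path from the ModSecurity-nginx connector's error.log entries, then emit the same kind of path-scoped exception the reporter describes as a workaround, generated as a CRS-style ctl:ruleRemoveById rule instead of disabling the engine for the path. The log lines are constructed to mimic the connector's format (abbreviated tag list) and assume the rule tripped by Content-Type: text/plain is CRS 920420 (request content type not allowed by policy); the exclusion rule ids 1000001+, the hostnames and the client addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample, not log output from the issue: three ModSecurity-nginx
# error.log lines. The first two are the Engine.IO polling POST from the report
# (query string as in the issue) being blocked; the third is an unrelated
# warning on another path that must NOT end up in the exclusion.
SAMPLE_LOG = r'''
2024/01/10 12:00:00 [error] 31#31: *7 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Within' with parameter `|application/x-www-form-urlencoded| |multipart/form-data| |application/json|' against variable `REQUEST_HEADERS:Content-Type' (Value: `text/plain;charset=UTF-8' ) [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "954"] [id "920420"] [rev ""] [msg "Request content type is not allowed by policy"] [data "|text/plain|"] [severity "2"] [ver "OWASP_CRS/3.3.4"] [tag "application-multi"] [tag "OWASP_CRS"] [hostname "203.0.113.10"] [uri "/socket.io/"] [unique_id "170485920012.345678"], client: 203.0.113.5, server: status.example.com, request: "POST /socket.io/?EIO=4&transport=polling&t=Oo3ELRm&sid=JPvAoyRDk_SFe1ygAP_J HTTP/1.1", host: "status.example.com"
2024/01/10 12:00:05 [error] 31#31: *9 [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 1). Matched "Operator `Within' ..." [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "954"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|text/plain|"] [tag "OWASP_CRS"] [uri "/socket.io/"] [unique_id "170485920512.345679"], client: 203.0.113.5, server: status.example.com, request: "POST /socket.io/?EIO=4&transport=polling&t=Oo3ELRn&sid=JPvAoyRDk_SFe1ygAP_J HTTP/1.1", host: "status.example.com"
2024/01/10 12:01:00 [error] 31#31: *12 [client 198.51.100.7] ModSecurity: Warning. Matched "Operator `Rx' ..." [file "/etc/nginx/modsec/coreruleset/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "120"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1c found within ARGS:q: 1' or 1=1"] [tag "OWASP_CRS"] [uri "/api/status-page/demo"] [unique_id "170485926012.345680"], client: 198.51.100.7, server: status.example.com, request: "GET /api/status-page/demo?q=1'%20or%201=1 HTTP/1.1", host: "status.example.com"
'''

# [key "value"] fields as the connector writes them; "tag" repeats, the rest do not.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
REQ_RE = re.compile(r'request: "(\w+) (\S+) HTTP/[\d.]+"')
EVENT_RE = re.compile(r'ModSecurity: (Access denied with code (\d+)|Warning)')


def parse_modsec_line(line):
    """Return the fields we care about from one error.log line, or None if the
    line is not a ModSecurity event. 'blocked' is True only for 'Access denied';
    plain 'Warning' lines (DetectionOnly or below the anomaly threshold) do not
    produce the dashboard error described in the issue."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = {"tags": [], "blocked": m.group(2) is not None}
    for key, value in TAG_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    req = REQ_RE.search(line)
    if req:
        fields["method"] = req.group(1)
        # Drop the Engine.IO query string (EIO, transport, t, sid) so that every
        # polling request collapses onto the same path key.
        fields["path"] = req.group(2).split("?", 1)[0]
    return fields


def summarize(log_text):
    """Count events by (rule id, path, blocked) and remember each rule's msg."""
    counts = Counter()
    messages = {}
    for line in log_text.splitlines():
        ev = parse_modsec_line(line)
        if ev is None or "id" not in ev:
            continue
        path = ev.get("path", ev.get("uri", "?"))
        counts[(ev["id"], path, ev["blocked"])] += 1
        messages[ev["id"]] = ev.get("msg", "")
    return counts, messages


def suggest_exclusions(counts, messages, path_prefix, start_id=1000001):
    """Emit one ctl:ruleRemoveById exclusion per rule that BLOCKED requests
    under path_prefix. Only the offending rule is removed, so the Socket.IO
    payload is still inspected by every other CRS rule. Rule ids start_id+ are
    placeholders; pick ids that are free in your configuration. In CRS 3.x such
    rules belong in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf: the ctl action
    has to execute before the CRS phase 1 rule it disables."""
    rule_ids = sorted({rid for (rid, path, blocked) in counts
                       if blocked and path.startswith(path_prefix)})
    rules = []
    for n, rid in enumerate(rule_ids):
        rules.append(
            f"# {rid}: {messages.get(rid, '')}\n"
            f'SecRule REQUEST_URI "@beginsWith {path_prefix}" '
            f'"id:{start_id + n},phase:1,pass,nolog,ctl:ruleRemoveById={rid}"'
        )
    return rules


if __name__ == "__main__":
    counts, messages = summarize(SAMPLE_LOG)
    for (rid, path, blocked), n in sorted(counts.items()):
        state = "blocked" if blocked else "warning"
        print(f"{n:3d}  {state:8s} {rid}  {path}  {messages[rid]}")
    print()
    print("\n".join(suggest_exclusions(counts, messages, "/socket.io/")))
```

Run against the real error.log of the proxy in front of Uptime Kuma and confirm the id before adding the exclusion; if the rule that fires is not 920420 the generated rule will name whatever did. The exclusion keeps the scope the reporter chose (the Socket.IO path only) and is narrower than `ctl:ruleEngine=Off` for that location, which would also drop inspection of the Engine.IO POST bodies. The alternative, adding `text/plain` to CRS's allowed request content types, would relax the policy for the whole site.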