tempesta-tech / tempesta-test

Test suite for Tempesta FW

empty_reply on frang #269

Closed pale-emperor closed 2 years ago

pale-emperor commented 2 years ago

Steps to reproduce

  1. Test runs with this config:

    listen 443 proto=h2;
    access_log on;

    server 127.0.0.1:8000;
    tls_certificate /tmp/tempesta/cert.pem;
    tls_certificate_key /tmp/tempesta/key.pem;

**result:**

    wh1te@ubuntu:~$ curl -k https://127.0.0.1/ -o /dev/null -s -w "%{http_code}\n"

We got 502 (right error_code) cause no backend on 127.0.0.1:8000

    502

  2. Adding frang_limits directive we turn tempesta into `Empty reply from server`

    frang_limits {
        ip_block off;
        http_uri_len 10;
    }

Tempesta-fw says in dmesg:

    [21514.715289] [tempesta fw] Warning: frang: Host header field contains IP address for 127.0.0.1
    [21514.715634] [tempesta fw] Warning: parsed request has been filtered out: 127.0.0.1
    [21514.715969] [tempesta fw] 127.0.0.1 "default" "GET / HTTP/2.0" 403 0 "-" "curl/7.68.0"


**result**

    wh1te@ubuntu:~$ curl -k https://127.0.0.1/ -o /dev/null -s -w "%{http_code}\n"

000 - Here is: (52) Empty reply from server

    000

it doesn't matter if we set values

krizhanovsky commented 2 years ago

Probably can be fixed with just adding `http_host_required false` to the frang config.

pale-emperor commented 2 years ago

It really works, ty
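
A triage helper for the dmesg output quoted in the issue, as an added example that is not part of the thread or of tempesta-test: it pairs each access-log entry with the frang warning logged for the same client, so the 403 that Tempesta recorded can be tied to the frang check that fired even though curl only saw an empty reply. The regular expressions are derived only from the three lines quoted above (whether other Tempesta messages share that shape is an assumption), and `explain_blocks` is a hypothetical name.

```python
import re
from collections import defaultdict

# Sample input: the three dmesg lines quoted in the issue, one entry per line.
SAMPLE_DMESG = """\
[21514.715289] [tempesta fw] Warning: frang: Host header field contains IP address for 127.0.0.1
[21514.715634] [tempesta fw] Warning: parsed request has been filtered out: 127.0.0.1
[21514.715969] [tempesta fw] 127.0.0.1 "default" "GET / HTTP/2.0" 403 0 "-" "curl/7.68.0"
"""

PREFIX = r'^\[\s*(?P<ts>\d+\.\d+)\] \[tempesta fw\] '
# Assumption: patterns cover only the message shapes visible in the issue.
FRANG = re.compile(PREFIX + r'Warning: frang: (?P<reason>.+) for (?P<ip>\S+)$')
FILTERED = re.compile(
    PREFIX + r'Warning: parsed request has been filtered out: (?P<ip>\S+)$')
ACCESS = re.compile(
    PREFIX + r'(?P<ip>\S+) "(?P<vhost>[^"]*)" "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<length>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def explain_blocks(dmesg_text):
    """Return one record per access-log entry, annotated with the frang
    reason (if any) logged for the same client just before it."""
    pending = defaultdict(dict)  # client IP -> facts seen since its last access entry
    records = []
    for line in dmesg_text.splitlines():
        if m := FRANG.match(line):
            pending[m["ip"]]["reason"] = m["reason"]
        elif m := FILTERED.match(line):
            pending[m["ip"]]["filtered"] = True
        elif m := ACCESS.match(line):
            facts = pending.pop(m["ip"], {})
            records.append({
                "client": m["ip"],
                "request": m["req"],
                "status": int(m["status"]),
                "frang_reason": facts.get("reason"),
                "filtered": facts.get("filtered", False),
            })
    return records


if __name__ == "__main__":
    for rec in explain_blocks(SAMPLE_DMESG):
        print(rec)
```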