
Comments (16)

jptosso avatar jptosso commented on July 29, 2024 1

Hey @konstantin-921 I think you can use the xcaddy compiler to include coraza plugins, you could try --with github.com/jptosso/coraza-pcre

About the issue, it sounds like a bug, actually www.tosso.io is running the latest version of coraza-caddy but when you trigger an error all pages will return a 403 error for a few minutes.

Thank you for the information, I will keep you posted once I find the cause and fix.

from coraza-caddy.

konstantin-921 avatar konstantin-921 commented on July 29, 2024

It seems to be CRS, because the following configuration works and prevents URI /test5, /test6

{
    debug
    auto_https off
    log {
        output file /var/log/caddy-access.log
    }
    order coraza_waf first
}

example.domain.com {
    coraza_waf {
        directives `
            SecAction "id:1,pass,log"
            SecRule REQUEST_URI "/test5" "id:2, deny, log, phase:1"
            SecRule REQUEST_URI "/test6" "id:4, deny, log, phase:3"
        `
        #include /etc/caddy/coraza.conf-recommended
        #include /etc/caddy/coreruleset/crs-setup.conf.example
        #include /etc/caddy/coreruleset/rules/*.conf
    }
    tls /etc/caddy/surelc.crt /etc/caddy/surelc.key
    log {
        output file /var/log/caddy-access.log
    }
    respond "Hello HTTPS from example.domain.com!"
}

But it is very important for me to run it with CRS


konstantin-921 avatar konstantin-921 commented on July 29, 2024

@jptosso Thanks for feedback. I'll follow your advice about using xcaddy. But as I understand this is unlikely to solve my main problem. I'll look forward to seeing how you deal with this.


konstantin-921 avatar konstantin-921 commented on July 29, 2024

I tried to build Caddy using this command:

xcaddy build --with github.com/jptosso/coraza-caddy --with github.com/jptosso/coraza-pcre --with github.com/jptosso/coraza-libinjection

Got an error:

root@nginx-test3-fl:~# xcaddy build --with github.com/jptosso/coraza-caddy github.com/jptosso/coraza-pcre github.com/jptosso/coraza-libinjection
2022/01/22 04:09:52 [ERROR] missing flag; caddy version already set at github.com/jptosso/coraza-pcre
root@nginx-test3-fl:~# xcaddy build --with github.com/jptosso/coraza-caddy --with github.com/jptosso/coraza-pcre --with github.com/jptosso/coraza-libinjection
2022/01/22 04:10:13 [INFO] Temporary folder: /tmp/buildenv_2022-01-22-0410.3712383977
2022/01/22 04:10:13 [INFO] Writing main module: /tmp/buildenv_2022-01-22-0410.3712383977/main.go
2022/01/22 04:10:13 [INFO] Initializing Go module
2022/01/22 04:10:13 [INFO] exec (timeout=10s): /usr/local/go/bin/go mod init caddy 
go: creating new go.mod: module caddy
go: to add module requirements and sums:
	go mod tidy
2022/01/22 04:10:13 [INFO] Pinning versions
2022/01/22 04:10:13 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/caddyserver/caddy/v2 
go get: added github.com/beorn7/perks v1.0.1
go get: added github.com/caddyserver/caddy/v2 v2.4.6
go get: added github.com/caddyserver/certmagic v0.15.2
go get: added github.com/cespare/xxhash/v2 v2.1.1
go get: added github.com/golang/protobuf v1.5.2
go get: added github.com/google/uuid v1.3.0
go get: added github.com/klauspost/cpuid/v2 v2.0.9
go get: added github.com/libdns/libdns v0.2.1
go get: added github.com/matttproud/golang_protobuf_extensions v1.0.1
go get: added github.com/mholt/acmez v1.0.1
go get: added github.com/miekg/dns v1.1.43
go get: added github.com/prometheus/client_golang v1.11.0
go get: added github.com/prometheus/client_model v0.2.0
go get: added github.com/prometheus/common v0.26.0
go get: added github.com/prometheus/procfs v0.6.0
go get: added go.uber.org/atomic v1.7.0
go get: added go.uber.org/multierr v1.6.0
go get: added go.uber.org/zap v1.19.0
go get: added golang.org/x/crypto v0.0.0-20210915214749-c084706c2272
go get: added golang.org/x/net v0.0.0-20210913180222-943fd674d43e
go get: added golang.org/x/sys v0.0.0-20210915083310-ed5796bab164
go get: added golang.org/x/term v0.0.0-20210503060354-a79de5458b56
go get: added golang.org/x/text v0.3.7
go get: added google.golang.org/protobuf v1.27.1
2022/01/22 04:10:15 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/jptosso/coraza-caddy 
go get: added github.com/antchfx/jsonquery v1.1.4
go get: added github.com/antchfx/xmlquery v1.3.6
go get: added github.com/antchfx/xpath v1.2.0
go get: added github.com/ip2location/ip2location-go/v9 v9.1.0
go get: added github.com/jptosso/aho-corasick v1.0.4
go get: added github.com/jptosso/coraza-caddy v1.1.0
go get: added github.com/jptosso/coraza-waf v1.1.0
go get: added github.com/oschwald/geoip2-golang v1.5.0
go get: added github.com/oschwald/maxminddb-golang v1.8.0
go get: added github.com/pcktdmp/cef v0.2.0
go get: upgraded github.com/sirupsen/logrus v1.7.0 => v1.8.1
go get: upgraded go.uber.org/atomic v1.7.0 => v1.9.0
go get: upgraded go.uber.org/multierr v1.6.0 => v1.7.0
2022/01/22 04:10:18 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/jptosso/coraza-pcre 
go get: added github.com/cloudflare/ahocorasick v0.0.0-20210425175752-730270c3e184
go get: added github.com/gijsbers/go-pcre v0.0.0-20161214203829-a84f3096ab3c
go get: added github.com/jptosso/coraza-pcre v0.0.0-20211201204829-1bea0f044896
go get: added github.com/jptosso/coraza-waf/v2 v2.0.0-beta.2.0.20211201203316-49869b6ff2ea
go get: upgraded go.uber.org/zap v1.19.0 => v1.19.1
2022/01/22 04:10:19 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/jptosso/coraza-libinjection 
go get: added github.com/jptosso/coraza-libinjection v0.0.0-20220109185528-78d7edbd2d9f
2022/01/22 04:10:19 [INFO] Build environment ready
2022/01/22 04:10:19 [INFO] Building Caddy
2022/01/22 04:10:19 [INFO] exec (timeout=0s): /usr/local/go/bin/go mod tidy 
2022/01/22 04:10:20 [INFO] exec (timeout=0s): /usr/local/go/bin/go build -o /root/caddy -ldflags -w -s -trimpath 
go build github.com/gijsbers/go-pcre: build constraints exclude all Go files in /root/go/pkg/mod/github.com/gijsbers/[email protected]
# github.com/jptosso/coraza-libinjection
/root/go/pkg/mod/github.com/jptosso/[email protected]/plugin.go:30:18: undefined: isSQLi
/root/go/pkg/mod/github.com/jptosso/[email protected]/plugin.go:43:9: undefined: isXSS
2022/01/22 04:10:21 [INFO] Cleaning up temporary folder: /tmp/buildenv_2022-01-22-0410.3712383977
2022/01/22 04:10:21 [FATAL] exit status 2


jptosso avatar jptosso commented on July 29, 2024

Hey, apparently you are using an old release, please use 9c2db28. coraza-caddy will be upgraded in a few days to coraza v2 stable.


konstantin-921 avatar konstantin-921 commented on July 29, 2024

Hey, apparently you are using an old release, please use 9c2db28. coraza-caddy will be upgraded in a few days to coraza v2 stable.

Ok. I'll try to install it after the new release


jptosso avatar jptosso commented on July 29, 2024

Coraza-caddy was updated to the latest version, feel free to try it


konstantin-921 avatar konstantin-921 commented on July 29, 2024

Thanks, I'll do it ASAP


robgordon89 avatar robgordon89 commented on July 29, 2024

Having the same issue with caddy and the latest.

Caddy Version: v2.4.6

xcaddy build --with github.com/jptosso/coraza-caddy

Caddyfile:

{
    order coraza_waf first
    log {
        output stdout
    }
}

:8080 {
    coraza_waf {
        directives `
            SecAction "id:1,pass,log"
        `
        include /etc/caddy/coraza/coraza.conf-recommended
        include /etc/caddy/coraza/coreruleset/crs-setup.conf.example
        include /etc/caddy/coraza/coreruleset/rules/*.conf
    }
    respond "Hello, world!"
}

results in

... 'waf': provision http.handlers.waf: cannot load waf directives invalid profile path


jptosso avatar jptosso commented on July 29, 2024

We have just created the v1.2.0 tag, which should fix the issue


robgordon89 avatar robgordon89 commented on July 29, 2024

OK, I seem to be getting over this first initial bug now 🤔 but running into another issue, it's likely with the CRS

run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'waf': provision http.handlers.waf: failed to compile rule (error parsing regexp: invalid or unsupported Perl syntax: `(?<`): FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:[aAeEiIoOuU]circ)|&(?:[eEiIoOuUyY]acute)|&(?:[aAeEiIoOuU]grave)|&(?:[cC]cedil)|&(?:[aAnNoO]tilde)|&(?:amp)|&(?:apos));|['\"=]" "id:920120,phase:2,block,t:none,t:urlDecodeUni,msg:'Attempted multipart/form-data bypass',logdata:'%{MATCHED_VAR}',tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-protocol',tag:'paranoia-level/1',tag:'OWASP_CRS',tag:'capec/1000/210/272',ver:'OWASP_CRS/3.3.2',severity:'CRITICAL',setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"

Also, strangely, any rules in CRS don't actually block the request, just log 🤔


jptosso avatar jptosso commented on July 29, 2024


robgordon89 avatar robgordon89 commented on July 29, 2024

Hey 👋

oh that is what I was missing 👍

Yeah I tried the latest nightly but still issues with regex.

run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'waf': provision http.handlers.waf: failed to compile rule (error parsing regexp: invalid repeat count: `{0,100}`): REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?is)\r\n\w{1,50}\b\ (?:S(?:E(?:ARCH(?: CHARSET [\w\-_\.]{1,40})? (?:(KEYWORD \x5c)?(?:ALL|ANSWERED|BCC|DELETED|DRAFT|FLAGGED|RECENT|SEEN|UNANSWERED|UNDELETED|UNDRAFT|UNFLAGGED|UNSEEN|NEW|OLD)|(?:TEXT .{1,255}|TO .{1,255}|UID [0-9,:\*]+?|UNKEYWORD (?:\x5c(Seen|Answered|Flagged|Deleted|Draft|Recent)))|(?:BEFORE|ON|SENTBEFORE|SENTON|SENTSINCE|SINCE) \"?\d{1,2}-\w{3}-\d{4}\"?|(?:OR .{1,255} .{1,255}|SMALLER \d{1,20}|SUBJECT .{1,255})|(?:(?:BODY|CC|FROM)|HEADER .{1,100}) .{1,255}|(?:LARGER \d{1,20}|NOT .{1,255}|[0-9,:\*]+))|LECT [\w\"\.\-\x5c\/%\*&#]+)|T(?:ORE [0-9,:\*]+? [+-]?FLAGS(?:\.SILENT)? (?:\(\x5c[A-Za-z]{1,20}\)){0,100}|ARTTLS)|UBSCRIBE [\w\"\.\-\x5c\/%\*&#]+)|L(?:IST [\w\"~\-\x5c\/\*#\.]+? [\w\"\.\-\x5c\/%\*&#]+|OG(?:IN [A-Z0-9-_\.\@]{1,40} .*? |OUT))|C(?:(?:OPY [0-9,:\*]+|REATE) [\w\"\.\-\x5c\/%\*&#]+|APABILITY|HECK|LOSE)|RENAME [\w\"\.\-\x5c\/%\*&#]+? [\w\"\.\-\x5c\/%\*&#]+|UN(?:SUBSCRIBE [\w\"\.\-\x5c\/%\*&#]+|AUTHENTICATE)|EX(?:AMINE [\w\"\.\-\x5c%\*&#]+|PUNGE)|DELETE [\w\"\.\-\x5c%\*&#]+|FETCH [0-9,:\*]+|NOOP)" "id:932311,phase:2,block,t:none,t:escapeSeqDecode,msg:'Remote Command Execution: IMAP Command Execution',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'application-multi',tag:'platform-multi',tag:'attack-rce',tag:'paranoia-level/3',tag:'OWASP_CRS',tag:'capec/137/134',tag:'PCI/6.5.2',ctl:auditLogParts=+E,ver:'OWASP_CRS/3.4.0-dev',severity:'CRITICAL',setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}'"

I can't install the PCRE plugin with xcaddy, it won't compile for some reason :(

Removing that rule from the release seems to work 👍

/etc/caddy/coreruleset/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf


jptosso avatar jptosso commented on July 29, 2024

Hey @robgordon89, sorry for the delay. The CRS team has solved that compatibility issue by replacing {0,100} with {,100}. It's some weird golang re2 bug.

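Both compile failures in this thread come from Go's RE2-based regexp syntax, which coraza-caddy uses unless the PCRE plugin is built in: the look-behind `(?<!` in rule 920120 is unsupported, and in rule 932311 a counted repeat nested inside another counted repeat (`[A-Za-z]{1,20}` inside `{0,100}`) is rejected because the product of the nested maxima exceeds Go's limit of 1000. Since one rule that fails to compile stops the whole Caddy config from loading, it is worth checking a rule set with the same engine before deploying it. The following Go program is an added example written for this page, not code from coraza-caddy, Coraza or the CRS project; it pulls the regex operator out of single-line SecRule directives (both the explicit `@rx` form and the implicit default operator), compiles each pattern with Go's regexp package and reports the ones it rejects. The rule lines embedded in it are constructed, shortened stand-ins for the CRS rules quoted above. One caveat on the `{,100}` rewrite mentioned in the previous comment: Go's parser does not recognise `{,n}` as a repeat and treats the braces as literal characters, so the rewritten rule compiles but matches only that literal text; the `Matches` helper in the example makes that visible.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RuleCheck records what happened when one SecRule's regex was handed to Go's
// regexp package, the engine coraza-caddy uses without the PCRE plugin.
type RuleCheck struct {
	RuleID  string // value of the rule's id: action ("" if none was found)
	Pattern string // the regex that was compiled
	Err     error  // nil when Go's RE2 syntax accepted the pattern
}

// SampleRules are constructed, shortened stand-ins for the CRS rules quoted in
// the thread (920120 with a look-behind, 932311 with nested counted repeats),
// plus a plain rule, a comment and a non-regex operator that must be skipped.
var SampleRules = []string{
	`# constructed sample, not the real CRS file`,
	`SecRule REQUEST_URI "@rx ^/test5" "id:2,phase:1,deny,log"`,
	`SecRule REQUEST_HEADERS:User-Agent "@pm nikto sqlmap" "id:3,phase:1,deny,log"`,
	`SecRule FILES_NAMES|FILES "@rx (?<!&(?:[aAoOuUyY]uml)|&(?:amp));|['\"=]" "id:920120,phase:2,block,t:none,msg:'Attempted multipart/form-data bypass'"`,
	`SecRule ARGS "(?is)\r\n\w{1,50}\b STORE [0-9,:\*]+? [+-]?FLAGS (?:\(\x5c[A-Za-z]{1,20}\)){0,100}" "id:932311,phase:2,block,t:none,msg:'IMAP Command Execution'"`,
}

var idRe = regexp.MustCompile(`\bid:'?(\d+)`)

// extractQuoted returns the body of the first double-quoted string found at or
// after s[start], keeping backslash escapes as written (a regex needs them),
// plus the index just past the closing quote.
func extractQuoted(s string, start int) (string, int, bool) {
	i := strings.IndexByte(s[start:], '"')
	if i < 0 {
		return "", 0, false
	}
	i += start + 1
	var b strings.Builder
	for j := i; j < len(s); j++ {
		c := s[j]
		if c == '\\' && j+1 < len(s) {
			b.WriteByte(c)
			b.WriteByte(s[j+1])
			j++
			continue
		}
		if c == '"' {
			return b.String(), j + 1, true
		}
		b.WriteByte(c)
	}
	return "", 0, false
}

// CheckRule compiles the regex operator of one single-line SecRule.
// ok is false for lines that carry no regex: comments, other directives,
// or operators such as @pm, @eq and @ipMatch.
func CheckRule(line string) (rc RuleCheck, ok bool) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "SecRule ") {
		return RuleCheck{}, false
	}
	rest := strings.TrimSpace(strings.TrimPrefix(line, "SecRule "))
	sp := strings.IndexAny(rest, " \t") // end of the variable list
	if sp < 0 {
		return RuleCheck{}, false
	}
	op, next, found := extractQuoted(rest, sp)
	if !found {
		return RuleCheck{}, false
	}
	switch {
	case strings.HasPrefix(op, "@rx "):
		rc.Pattern = strings.TrimPrefix(op, "@rx ")
	case strings.HasPrefix(op, "!@rx "):
		rc.Pattern = strings.TrimPrefix(op, "!@rx ")
	case strings.HasPrefix(op, "@"), strings.HasPrefix(op, "!@"):
		return RuleCheck{}, false // some other operator, nothing to compile
	default:
		rc.Pattern = op // SecLang's default operator is @rx
	}
	if actions, _, found := extractQuoted(rest, next); found {
		if m := idRe.FindStringSubmatch(actions); m != nil {
			rc.RuleID = m[1]
		}
	}
	_, rc.Err = regexp.Compile(rc.Pattern)
	return rc, true
}

// CheckRules returns only the rules whose regex Go rejects, in file order.
func CheckRules(lines []string) []RuleCheck {
	var bad []RuleCheck
	for _, l := range lines {
		if rc, ok := CheckRule(l); ok && rc.Err != nil {
			bad = append(bad, rc)
		}
	}
	return bad
}

// Matches compiles pattern with Go's regexp and tests it against probe, so the
// behaviour of a pattern that compiles can be inspected too.
func Matches(pattern, probe string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(probe), nil
}

func main() {
	for _, rc := range CheckRules(SampleRules) {
		fmt.Printf("rule %s would not load: %v\n", rc.RuleID, rc.Err)
	}
	lit, _ := Matches(`(?:ab){,100}x`, "ab{,100}x")
	rep, _ := Matches(`(?:ab){,100}x`, "ababx")
	fmt.Printf("{,100} matches its own literal text: %v, acts as a repeat: %v\n", lit, rep)
}
```

Run it against a real rule file by reading the lines into `CheckRules`; multi-line rules joined with a trailing backslash would first need to be folded into one line, which the example does not do.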

robgordon89 avatar robgordon89 commented on July 29, 2024

Hey @jptosso, no probs, I did notice that and it works as expected now, thanks for your help on this. I do have a weird bug that I am trying to replicate, but I will likely open another issue for this.


jptosso avatar jptosso commented on July 29, 2024

Looking forward to it. Glad to help

