Comments (4)
Hey ! First of all, thank you for the detailed issue. It's way easier to debug this way.
I will validate but I think chunk transfers are removed from the http request objects in golang, which means coraza will never have access to it in this connector. Probably coraza receives the full buffered request.
I think @M4tteoP has information on this
Hi, many thanks for taking the time on providing lots of details!
> I will validate but I think chunk transfers are removed from the http request objects in golang, which means Coraza will never have access to it in this connector.

I really think this is the issue. 920171-2 and 920171-3 are two of the few CRS tests that are still failing against the go/http middleware (that is the same used by the latest commit in the caddy connector). The Go library removes the Transfer-Encoding header (see here), and this is exactly what the 920171 rule is looking for (`SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0"`).
What we should maybe do is understand if it is possible from the http.Request to read the Chunked boolean. If so we can populate again the header. But I don't know if it is feasible or if the HTTP library makes the Chunked logic completely transparent.
Update: https://github.com/golang/go/blob/master/src/net/http/transfer.go#L586 this line is definitely interesting. Maybe something like the following code can fix it.
```go
// Re-add the header that net/http strips, using the field it keeps instead.
if r.TransferEncoding != nil && r.TransferEncoding[0] == "chunked" {
	r.Header.Set("Transfer-Encoding", "chunked")
}
```
I will give it a go next week :)
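The stripping behaviour discussed above, as an added example that is not code from the thread or from coraza-caddy: parsing a constructed chunked request through Go's own `http.ReadRequest` shows the Transfer-Encoding header gone while `r.TransferEncoding` still records it, and a hypothetical `restoreTransferEncoding` helper puts the header back so a count check equivalent to CRS rule 920171 can see it again.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample: a chunked POST exactly as a Go server reads it off the wire.
const rawChunkedRequest = "POST /upload HTTP/1.1\r\nHost: example.test\r\n" +
	"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"

// parseRaw runs the same net/http request parsing that http.Server uses.
func parseRaw(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// transferEncodingHeaderCount is what CRS 920171 evaluates with
// SecRule &REQUEST_HEADERS:Transfer-Encoding "!@eq 0": the number of header values.
func transferEncodingHeaderCount(r *http.Request) int {
	return len(r.Header.Values("Transfer-Encoding"))
}

// restoreTransferEncoding (hypothetical helper, not coraza-caddy code) puts back
// the header net/http stripped, using the r.TransferEncoding field it keeps instead.
func restoreTransferEncoding(r *http.Request) bool {
	for _, te := range r.TransferEncoding {
		if strings.EqualFold(strings.TrimSpace(te), "chunked") {
			r.Header.Set("Transfer-Encoding", "chunked")
			return true
		}
	}
	return false
}

func main() {
	r, err := parseRaw(rawChunkedRequest)
	if err != nil {
		panic(err)
	}
	fmt.Println("header values before:", transferEncodingHeaderCount(r), "field:", r.TransferEncoding)
	fmt.Println("restored:", restoreTransferEncoding(r), "after:", transferEncodingHeaderCount(r))
	body, _ := io.ReadAll(r.Body) // body is already de-chunked by net/http
	fmt.Printf("body: %q\n", body)
}
```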
Thank you for your fast response!
@M4tteoP This could do the trick and you should definitively give it a shot!
In my opinion however, it is not a problem of this connector but of the go/http library which gives you an HTTP request without a header that indicates a body is available. As the RFC says, Content-Length and Transfer-Encoding are responsible for that. So a cleaner solution would be if the go/http library replaces the Transfer-Encoding with an appropriate Content-Length header instead of removing it completely. This should trigger CRS rule 920170 then. So maybe we should populate this problem to the devs of go/http?
I believe the behavior Go is going for is that, because the body that is provided doesn't have chunked headers, the header is removed - I guess the idea is to present to business logic in the same way regardless of encoding.
But even so the body is still streamed so it can't compute a content length.
There doesn't seem to be a great reason to remove the encoding header anyways but I guess they'll keep the behavior for backwards compatibility.
Probably synthesizing the header for the coraza transaction is going to be the way to go if it's possible. Otherwise maybe a phase 2 rule could be added that checks &REQUEST_BODY.