Hello there,

I have notice that very randomly, traefik is not able to call the modsec plugin, even though it works most of the time. Honestly I'm not really sure what could trigger that. Here is the traefik log that shows the issue:

fail to send HTTP request to modsec: Get "http://owasp-modsec.default.svc.cluster.local:80/de": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

I did a load test (with very little users, just to have a constant load to try to trigger that error), and the load test was going well, the modsec was doing it's job correctly, but for a duration of 2 seconds in the middle of the loadtest, these errors appeared.

I searched a bit on traefik issues if I could find anything related to that, and all I could find in a couple issues is that:

the error context deadline exceeded comes because your plugin takes more than 5s to load.

Also, during the duration of "failure", modsec container does not show any log, which also shows that traffic is not reaching to it. The problem does not only appear during loadtest but also randomly during the day with "normal" requests.

Would you have any clue what could be causing that? I hope it's the right place to ask.

Hello,

Since I updated to 1.2.0, a simple post request (not uploading files) gives this error message: body max limit reached: http: request body too large

Reverting to 1.1.0 fixes the problem.

This PR implement a limit for body buffering in order to avoid resource exhaustion using a very large body (see #7). The default limit is 10MB (which should be enough for non-uploads requests), but it's configurable.

Currently, your plugin displays the error message returned by the go library when it fails to reach the modsecurity container.

This approach is interesting for debugging and it facilitates the setup of the plugin.

However, it also reveals information about the internal architecture that should remain hidden.

As an example, the message below reveals that I'm using kubernetes, that my modsecurity pod is deployed in my kube-system namespace, and that my CIDR looks like 172.20.X.X

By reading the source code of traefik and some other plugins, I see that it is more common to log the information and return only an HTTP error code without details.

So I propose a very simple modification here and I open the discussion.

Thanks in advance and thx for your time.

Signed-off-by: Benjamin Chenebault [email protected]

Right now, the plugin send back the whole response in the body from Modsec, not only the response body. We are seeing other stuff like headers in the body.

HTTP/1.1 404 Not Found
Content-Length: 13238
Connection: keep-alive
Content-Type: text/html
Date: Thu, 30 Dec 2021 14:32:50 GMT
Etag: "613f2f21-33b6"
Server: nginx

<!DOCTYPE html>
<html lang="en">

With this fix we copy the headers, status and body to the response. That way we can have the real Modsec reponse in the browser (body+headers+status).

Example for me:

VS

Here the code is reading the body of the request: https://github.com/acouvreur/traefik-modsecurity-plugin/blob/19cdb477b8cee1966ad95278d168ae90a93df663/modsecurity.go#L63

The problem of this technique is that an attacker can issue a request using an arbitrary body size (1 terabyte) and crash the server, creating a Denial-of-Service.

A possible mitigation is reading the body while using http.MaxBytesReader() function, to limit the maximum body size. Possibly, the maximum size should be configurable.

I'm not aware of any other solution (with this middleware architecture, see https://github.com/acouvreur/traefik-modsecurity-plugin/issues/2#issuecomment-1205788329).

Hi, I have some use cases where the backend responds in several seconds (e.g. it is building a zip file).

This PR allows to set a timeout in the config and uses it instead of the hardcoded value of 2 seconds.

Hello when I try to save my keepass database with the waf middleware in traefik it fails. I'm getting an error. If I disable the middleware it's ok. Can you check on it ? I can help with specific test.

Hello there, I am not sure if this or main plugin is correct place to ask about it but as Authelia is more of docker/traefik thing I will ask here.

I am having an issue with running this plugin, traefik, modsecurity and authelia together. They all seem to work fine but once modsecurity is added to the mix it seems to be blocking Authelia login page. The page loads but will always show incorrect username/password for the user as modsecurity is denying the request with method not allowed error:

- - [11/Oct/2022:11:28:43 +0000] "POST /api/firstfactor HTTP/1.1" 405 150 "https://auth.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0" "-"

From what I see the defauly ModSecurity config allows the POSt method. Does anyone use this combo of applications or might be able to help me what setting would I need to allow for Authelia to work? Once logged in and modsecurity enabled then there seem be no issue, just the login page.

Hi, thanks for your work, it's working great. I'm just curious why blocked requests get a response with the code 200. Only the body tells you, that the request resulted in a 403. I would expect that a blocked request gets a 403-response. Is this a design choice or are there technical difficulties in bypassing the http code?

current state:

$ http get "http://localhost:8000/website?path=../etc"
... 200 OK ...

expectation:

$ http get "http://localhost:8000/website?path=../etc"
... 403 forbidden ...

Thanks:) Lukas

I'm not sure if the plugin is causing this, or if it's the owasp container. That's why I opened the same issue on the owasp container: https://github.com/coreruleset/modsecurity-crs-docker/issues/85

I have a form which submits base64 images, so the request body size is somewhere in the 8Mb. On the owasp container, If I don't specify MODSEC_REQ_BODY_NOFILES_LIMIT with a big number, then I will see the modsec rule 200002 to fire. If I specify MODSEC_REQ_BODY_NOFILES_LIMIT with a big enough number (25Mb in my case), the modsec container will not show any errors, however my page will display a 500 Internal Server Error.

If I don't use modsec at all, my page does not show any error. Would anyone have a clue why this is happening?

To be clear, I'm not uploading files, just big text body content.

The reason I'm also posting here, is because the rule will correctly fire if I leave its default value of 128Kb. So I assume it can correctly handle such big request body. So if it can handle it, it must fail somewhere else I would guess. And when the rule correctly fires, I still see a 500 error on my webpage, so I assume there is still something wrong going on somewhere

I am using the plugin in its version 1.2.1, with maxBodySize: 26214400 I also tried version 1.1.0 with the same result

I see that the middleware is ignoring websocket requests here: https://github.com/acouvreur/traefik-modsecurity-plugin/blob/19cdb477b8cee1966ad95278d168ae90a93df663/modsecurity.go#L56

Why is that? A request for WebSocket is actually a valid HTTP request, which may contains spurious/malicious data.

Also, there is another problem with this technique: an attacker can send a Upgrade header while issuing a normal request to any web page, as the server can ignore the Upgrade header for any reason (e.g. no websocket is expected?) and continue to process the request as if the header does not exists. Which means that an attacker can add the Upgrade header to any request to bypass the security check.

I didn't test the code with WebSockets, so I don't know if there is any issue (probably something with the body?). In that case I propose two possible solutions:

1. have a configuration parameter where WebSocket endpoints can be specified; or
2. when a websocket is detected, the body buffering is skipped, and the request to the mod-security backend will be made without body

The 2nd solution is less secure, as we're still skipping the body in presence of an header, but we don't know if there is any WebSocket or not. So I prefer the 1st.

I may contribute in few weeks if you like, I'm quite busy at the moment :-)