-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some services return a blank 200 page with Coraza enabled #71
Comments
Could you include in the directives and tell us about the logs?
|
@jcchavezs Just tried adding those lines in the directive, but I didn't see any additional lines in either the Docker logs ( |
Could you also I crease the log level in caddy? Coraza uses underneath the caddy log level so although you can set coraza log level to trace it depends on caddy's log level (we need to document this). Maybe set to debug? |
@jcchavezs the only log level I found was inside the One interesting thing I found is that only the |
No clue. But you may want to test with curl to be really sure what is sent across the wire. |
OK, I checked a bit more with curl on Windows (which seems to be a PowerShell wrapper of some kind). At first I misread the output and thought everything was working as it should. So I tested some more and got the following behavior from the browsers:
So it seems like redirection is broken with Coraza, as Overseerr fails to redirect from In fact, this is exactly what I was misreading from the curl output from before. When requesting the root
We see that the 307 response sent by Caddy has been changed to 200, and the redirect location has been written to the |
Funny output for curl, but I confirm that a browser is very likely to ignore a Location header if it comes with status code 200. Also, I do not like the Transfer-Encoding header instead of Content-Length. Not illegal per se, but unusual. Apparently depends on the application or Caddy or what not. |
@ericswpark could you please try to reproduce the error using the example? https://github.com/corazawaf/coraza-caddy/blob/main/example/docker-compose.yml it uses httpbin which would help you to replicate whatever response the /login endpoint returns. |
@jcchavezs sorry, but the server that I'm running the services on doesn't have Docker Compose support. I can try and replicate it on my local machine but that might take a while. If you guys want to test on your end, it's really easy as the Overseerr service is available as a Docker image and configuration required to reach the login/main page is pretty minimal. |
I will try with https://docs.overseerr.dev/getting-started/installation#docker |
Definitely seems like this is an issue in Coraza. If I comment out all Coraza related stuff from my caddyfile I start to see my |
@ericswpark @KorvinSzanto could you please try this branch #85 and check if this solves your problem? |
@jcchavezs unfortunately I am unable to test this because I moved away from Caddy altogether (I also had some other issues unrelated to Coraza that I was unable to solve in time). Sorry :( I will keep the issue open for @KorvinSzanto and others that are still running into the bug. |
It doesn't seem to be working but perhaps we're not running xcaddy properly. Can you should the xcaddy command you'd expect us to use to test out that branch? |
Directly pointing to the specific commit should work fine: |
Using that commit we still see the 302 redirects flowing out as 200s so unfortunately still not working. |
Hi, we have also experienced this issue, and it appears to be related to the processResponse call. I have forked this repo with response processing disabled and this issue is "fixed". You can test it with
Of course, this is not a real "fix", but rather a stopgap until this issue is fixed |
Hi @KorvinSzanto and @megalan247 I just tried redirection following this local env https://github.com/corazawaf/coraza-caddy#local and calling and following the redirect locations as described in https://github.com/ahmetb/go-httpbin
In the three of them I got this response from curl:
But of course if fails if I use the UPDATE: after further investigations I realized I was doing the reverse proxy incorrectly. Now it works as expected. |
@jcchavezs Caddy wouldn't happen to be redirecting to |
You mean because of |
I just tried the following:
where :8083 is just an http server that returns a 302 and a Location and it did work correctly. Could any of you @KorvinSzanto or @megalan247 come up with a caddy file and a setup where I can reproduce the error? |
This url simulates the same scenario and it works https://tosso.io/redirect?type=publication&id=2 |
@jcchavezs In general, Caddy redirects HTTP to HTTPS when auto-HTTPS is engaged. This happens when a site is served with a domain name, for example. So in your reproducer config above, you use the site name of I'm just guessing though, since the redirect location was redacted. |
An example of a broken config is
And this returns for me
Notice the 200 OK with the Location header. Of course, curling https://mail.google.com directly, returns the same HTML and Location header, but with a 301 status set, which is correct. |
I'm starting to believe that as @mholt mentioned, this is a TLS issue, I added the following to tosso.io:
You can try here: https://tosso.io/experiment/redirect Curl result:
This is my Dockerfile, updated today to latest:
|
Some services that I use through the reverse proxy feature on Caddy break when I enable Coraza. One example that I've run into is with Overseerr
Reproduction steps
Caddyfile
configurationExpected behavior
Site loads properly and redirects to
/login
endpointActual behavior
Site returns a blank 200 page. Developer tools say that no response was returned from the server.
No logs are generated to indicate why the request has failed.
Access logs say that a 307 response code was returned, but browsers report a 200 response code (tested with Firefox and Edge).
Configuration used
Caddyfile
:Logs
Caddy
stdout
:Caddy
access.log
:The text was updated successfully, but these errors were encountered: