Enables CRS early blocking #129
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
anuraaga
approved these changes
Jan 10, 2023
|
I guess this PR is enabling it only for two rules but ideally we should
enable for all of them? Can we enable this globally?
…On Wed, 11 Jan 2023, 00:55 Anuraag Agrawal, ***@***.***> wrote:
***@***.**** approved this pull request.
—
Reply to this email directly, view it on GitHub
<#129 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXOYAWTEBIAAQKJIPQI5M3WRXZH3ANCNFSM6AAAAAATXBXHUQ>
.
You are receiving this because your review was requested.Message ID:
***@***.***>
|
|
@jcchavezs The rules in this PR are configuration rules, they don't match and just set configuration globally |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Running the CRS in Anomaly Scoring Mode (default mode), the anomaly score evaluation happens at the end of phase 2 (request body) and phase 4 (response body). Enabling early blocking, the evaluation will happen also at the end of phase 1 (request header) and phase 3 (response headers).
I think that this feature is really handy for proxy-wasm in order to mitigate malicious payloads sent upstream: the earlier we raise an interruption, the better (See also #128).
As a matter of example: CRS rule
913100is triggered at phase 1 and looks for malicious User-Agents.Request:
curl -I --user-agent "Grabber/0.1 (X11; U; Linux i686; en-US; rv:1.7)" -H "Host: localhost" -H "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5" localhost:8080Before (early blocking disabled):
The request is just blocked at
http_response_headersphase, at that time the request already reached upstream.After (early blocking disabled):
The request is blocked at http_request_headers phase, right after the detection. It happens before sending anything upstream.