
The redirect action in coreruleset is not supported in coraza WAF #144

Closed
sky9090 opened this issue Jan 14, 2022 · 4 comments

Comments

@sky9090

sky9090 commented Jan 14, 2022

Hi,

I did some tests on the settings in the coreruleset/crs-setup.conf.example file and included this file in the Coraza-Server config.yml file, and found that the coreruleset redirect action is not supported in coraza WAF. Please have a look and give me some advice.

  • coraza-server config.yml
log_level: debug
agents:
  -
    transactions_active_limit: 100000
    transaction_ttl: 3
    bind: 0.0.0.0:9000
    protocol: spoa
    include:
      - ./docs/coraza.conf-recommended
      - ./coreruleset/crs-setup.conf.example
      - ./coreruleset/rules/*.conf
  • coraza.conf-recommended
SecRuleEngine On
SecRequestBodyAccess On

SecAuditEngine On
SecAuditLogType Serial
SecAuditLog /var/log/nginx/modsec_audit.log
SecAuditLogParts BCFGHIJK
  • Case: the coreruleset redirect action is not supported in coraza WAF
    • set coreruleset/crs-setup.conf.example
      SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
      SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
      
      SecCollectionTimeout 600
      
      SecAction \
          "id:900990,\
          phase:1,\
          nolog,\
          pass,\
          t:none,\
          setvar:tx.crs_setup_version=340"
      
    • execute config.yml
      # go run cmd/coraza-server/main.go -f config.yml
      INFO[0000] Initializing waf                             
      FATA[0000] Failed to compile rule (invalid action "redirect"): id:900990,phase:1,nolog,pass,t:none,setvar:tx.crs_setup_version=340 
      exit status 1
      
@sky9090 sky9090 changed the title Some configurations of coreruleset/crs-setup.conf.example do not work The redirect action in coreruleset/crs-setup.conf.example is not supported in coraza WAF Jan 14, 2022
@sky9090 sky9090 changed the title The redirect action in coreruleset/crs-setup.conf.example is not supported in coraza WAF The redirect action in coreruleset is not supported in coraza WAF Jan 14, 2022
@ShiMing-Q
Contributor

Check https://github.com/jptosso/coraza-waf/tree/v2/master/actions, no redirect there, so this is a new feature request

@jptosso
Member

jptosso commented Jan 14, 2022

Hey! Thank you both. So this is a major discussion: modsecurity 2 is embedded in apache and that's why it can enforce redirection; for libmodsecurity3 the interruption object contains the redirection instructions.

I don't want to overwhelm developers with such implementation complexity; that's why I haven't implemented the action until I get an idea on how to make it easier.
It can be implemented as a plugin. I will post the gist on this issue.

Feel free to share your ideas on how it would be easier for you to interact with redirect.

The most natural thing would be to set the interruption action to redirect and the interruption data to the URL.

@jptosso
Member

jptosso commented Jan 24, 2022

This is an example of the implementation, assuming the action generates the following interruption:

// redirect:https://some-url.com/
types.Interruption{
    Action: "redirect",
    Data:   "https://some-url.com/",
}

We can handle the redirection like this:

// the switch is on the interruption's Action field, not on the struct itself
switch tx.Interruption.Action {
case "deny":
    showError(tx.Interruption.Status)
case "redirect":
    redirectUser(tx.Interruption.Data)
}

In the following versions interruption.Action will become an enum. Probably.
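
The handling sketched above carried into a complete HTTP handler, as an added example that is not coraza's own code: `Interruption` is a local stand-in for `types.Interruption` (RuleID and Status are assumed fields), and `RespondToInterruption` and `safeRedirectTarget` are hypothetical names. It goes one step beyond the comment by downgrading a redirect whose target did not expand to an absolute http(s) URL into a deny.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Interruption is a local stand-in for coraza's types.Interruption (RuleID and Status are assumed fields).
type Interruption struct {
	RuleID int
	Action string // "deny", "redirect", ...
	Status int    // status:NNN from the matching rule, 0 if unset
	Data   string // for redirect: the target URL from redirect:<url>
}

// RespondToInterruption writes the HTTP response for an interruption and
// returns the status it used (0 when there was no interruption). A redirect
// whose target is not an absolute http(s) URL is downgraded to a deny.
func RespondToInterruption(w http.ResponseWriter, r *http.Request, it *Interruption) int {
	if it == nil {
		return 0 // no interruption: the request may proceed
	}
	if it.Action == "redirect" {
		if target, ok := safeRedirectTarget(it.Data); ok {
			status := it.Status
			if status < 300 || status > 399 {
				status = http.StatusFound // 302, as in the merged example rule
			}
			http.Redirect(w, r, target, status)
			return status
		}
	}
	// "deny", "drop", or an unusable redirect target: block the request.
	status := it.Status
	if status < 400 || status > 599 {
		status = http.StatusForbidden
	}
	http.Error(w, fmt.Sprintf("request blocked by rule %d", it.RuleID), status)
	return status
}

// safeRedirectTarget accepts only absolute http or https URLs with a host.
func safeRedirectTarget(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return "", false
	}
	return u.String(), true
}
```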

@jptosso jptosso closed this as completed Jan 24, 2022
jptosso pushed a commit that referenced this issue Jul 14, 2022
Example:

 SecRule REQUEST_URI "/redirect" \
       "phase:1,id:1,status:302,redirect:https://www.example.com"
@sts
Contributor

sts commented Jul 14, 2022

The redirect action was just merged in coraza v3 and should be included in the upcoming release.

 SecRule REQUEST_URI "/redirect" \
       "phase:1,id:1,status:302,redirect:https://www.example.com"
