diff --git a/pkg/acquisition/modules/appsec/appsec.go b/pkg/acquisition/modules/appsec/appsec.go index def6a6886ec..54e0da4469e 100644 --- a/pkg/acquisition/modules/appsec/appsec.go +++ b/pkg/acquisition/modules/appsec/appsec.go @@ -353,14 +353,18 @@ func (w *AppsecSource) appsecHandler(rw http.ResponseWriter, r *http.Request) { w.InChan <- parsedRequest response := <-parsedRequest.ResponseChannel + statusCode := http.StatusOK + if response.InBandInterrupt { + statusCode = http.StatusForbidden AppsecBlockCounter.With(prometheus.Labels{"source": parsedRequest.RemoteAddrNormalized, "appsec_engine": parsedRequest.AppsecEngine}).Inc() } appsecResponse := w.AppsecRuntime.GenerateResponse(response, logger) logger.Debugf("Response: %+v", appsecResponse) - rw.WriteHeader(appsecResponse.HTTPStatus) - body, err := json.Marshal(BodyResponse{Action: appsecResponse.Action}) + + rw.WriteHeader(statusCode) + body, err := json.Marshal(appsecResponse) if err != nil { logger.Errorf("unable to marshal response: %s", err) rw.WriteHeader(http.StatusInternalServerError) diff --git a/pkg/acquisition/modules/appsec/appsec_runner.go b/pkg/acquisition/modules/appsec/appsec_runner.go index 5c72974c1c1..fa907fe4217 100644 --- a/pkg/acquisition/modules/appsec/appsec_runner.go +++ b/pkg/acquisition/modules/appsec/appsec_runner.go @@ -119,6 +119,11 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap defer func() { request.Tx.ProcessLogging() //We don't close the transaction here, as it will reset coraza internal state and break variable tracking + + err := r.AppsecRuntime.ProcessPostEvalRules(request) + if err != nil { + r.logger.Errorf("unable to process PostEval rules: %s", err) + } }() //pre eval (expr) rules @@ -182,11 +187,6 @@ func (r *AppsecRunner) processRequest(tx appsec.ExtendedTransaction, request *ap r.logger.Debugf("rules matched for body : %d", in.RuleID) } - err = r.AppsecRuntime.ProcessPostEvalRules(request) - if err != nil { - r.logger.Errorf("unable to process PostEval rules: %s", err) - } - return nil } @@ -272,7 +272,7 @@ func (r *AppsecRunner) handleOutBandInterrupt(request *appsec.ParsedRequest) { r.logger.Errorf("unable to accumulate tx to event : %s", err) } if in := request.Tx.Interruption(); in != nil { - r.logger.Debugf("inband rules matched : %d", in.RuleID) + r.logger.Debugf("outband rules matched : %d", in.RuleID) r.AppsecRuntime.Response.OutOfBandInterrupt = true err = r.AppsecRuntime.ProcessOnMatchRules(request, evt) diff --git a/pkg/apiserver/middlewares/v1/api_key.go b/pkg/apiserver/middlewares/v1/api_key.go index 2f5f808caf8..ae7645e1b85 100644 --- a/pkg/apiserver/middlewares/v1/api_key.go +++ b/pkg/apiserver/middlewares/v1/api_key.go @@ -174,7 +174,8 @@ func (a *APIKey) MiddlewareFunc() gin.HandlerFunc { } } - if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" { + //Don't update IP on HEAD request, as it's used by the appsec to check the validity of the API key provided + if bouncer.IPAddress != c.ClientIP() && bouncer.IPAddress != "" && c.Request.Method != http.MethodHead { log.Warningf("new IP address detected for bouncer '%s': %s (old: %s)", bouncer.Name, c.ClientIP(), bouncer.IPAddress) if err := a.DbClient.UpdateBouncerIP(c.ClientIP(), bouncer.ID); err != nil {