Unable to configure WAF for all paths #10

Open
rk9qn3j opened this issue Jun 4, 2024 · 4 comments

@rk9qn3j

rk9qn3j commented Jun 4, 2024

Hi,

I'm currently trying to configure the WAF to apply to all paths (/*) for an app, but I always seem to end up with a faulty configuration, either only protecting a specific path (SecRule) or getting the error message below.

Configuration:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-mw-waf
  namespace: traefik
spec:
  plugin:
    coraza:
      directives:
      - SecRuleEngine On
      - SecDebugLog /dev/stdout
      - SecDebugLogLevel 9
      - Include @owasp_crs/**.conf
      - Include @crs-setup.conf.example

Results in:

traefik-87ff6ff56-cfh7k traefik 2024-06-04T19:38:09Z ERR [client "xxx.xx.xx.xxx"] Coraza: Access denied (phase 1). ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before includi [file "@owasp_crs/REQUEST-901-INITIALIZATION.conf"] [line "24"] [id "901001"] [rev ""] [msg "ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before includi"] [data ""] [severity "critical"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/"] [unique_id "DgmnusgEbZkJtnAjpKl"] entryPointName=websecure middlewareName=traefik-traefik-mw-waf@kubernetescrd middlewareType=wasm routerName=websecure-xxxxxx-xxxx-ingress-xxxx-xxxx-xxxxxxxx-xxx@kubernetes

I would be grateful for some guidance with this! 🙏

@jcchavezs
Owner

jcchavezs commented Jun 4, 2024 via email

@rk9qn3j
Author

rk9qn3j commented Jun 5, 2024

Changing places on - Include @owasp_crs/**.conf and - Include @crs-setup.conf.example removes the error message but doesn't seem to process any of the incoming requests at all (no logs generated by the plugin), but if I add - SecRule REQUEST_URI "@streq /test" "id:101,phase:1,log,deny,status:403" and try to access that path, I can clearly see that it's being denied by the plugin:

traefik-87ff6ff56-cfh7k traefik 2024-06-05T18:52:44Z ERR [client "xxx.xx.xx.xxx"] Coraza: Access denied (phase 1). [file ""] [line "8075"] [id "101"] [rev ""] [msg ""] [data ""] [severity "emergency"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/test"] [unique_id "JRxEVOUVWMVlEpEGjGs"] entryPointName=websecure middlewareName=traefik-traefik-mw-waf@kubernetescrd middlewareType=wasm routerName=websecure-xxxxxx-xxxx-ingress-xxxx-xxxx-xxxxxxxx-xxx@kubernetes

@jcchavezs
Owner

@rk9qn3j try this:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-mw-waf
  namespace: traefik
spec:
  plugin:
    coraza:
      directives:
      - SecRuleEngine On
      - SecDebugLog /dev/stdout
      - SecDebugLogLevel 9
      - Include @crs-setup.conf.example
      - Include @owasp_crs/**.conf

When you load - Include @crs-setup.conf.example after - SecRuleEngine On you are overriding the value to DetectionOnly.

@rk9qn3j
Author

rk9qn3j commented Jun 6, 2024

I have tried that, tried to place - SecRuleEngine On after - Include @crs-setup.conf.example and as the last entry, but unfortunately, it doesn't make any difference.. 😐
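
Added example (not written by any participant in this thread and not the plugin's own code): a small Python check of the two ordering points discussed above, that `crs-setup` is included before the `@owasp_crs` rules (the condition rule 901001 reports) and that no `Include` follows the last `SecRuleEngine` directive, since a later directive replaces an earlier value. The function name, finding labels and sample lists are hypothetical; the check reads only the top-level `directives` list and does not open the included files.

```python
import re

ENGINE = re.compile(r"^SecRuleEngine\s+(\S+)", re.I)
INCLUDE = re.compile(r"^Include\s+(\S+)", re.I)


def lint_directives(directives):
    """Return ordering findings for a Coraza `directives` list (top level only)."""
    findings = []
    setup_at = rules_at = engine_at = last_include_at = None
    engine_value = None
    for i, raw in enumerate(directives):
        line = raw.strip()
        m = ENGINE.match(line)
        if m:
            # Directives are applied in order, so the last value is the effective one.
            engine_at, engine_value = i, m.group(1)
            continue
        m = INCLUDE.match(line)
        if not m:
            continue
        last_include_at = i
        target = m.group(1)
        if "crs-setup" in target and setup_at is None:
            setup_at = i
        elif target.startswith("@owasp_crs/") and rules_at is None:
            rules_at = i
    # Rule 901001 fires when the CRS rules load without crs-setup before them.
    if rules_at is not None and (setup_at is None or setup_at > rules_at):
        findings.append("crs-setup-not-before-rules")
    if engine_value is None or engine_value.lower() != "on":
        findings.append("engine-not-on")
    elif last_include_at is not None and last_include_at > engine_at:
        # An included file loaded later could set SecRuleEngine again.
        findings.append("include-after-engine")
    return findings


# Directive lists taken from the configurations posted in this thread.
COMMON = ["SecDebugLog /dev/stdout", "SecDebugLogLevel 9"]
SETUP, RULES = "Include @crs-setup.conf.example", "Include @owasp_crs/**.conf"
ORIGINAL = ["SecRuleEngine On", *COMMON, RULES, SETUP]
SUGGESTED = ["SecRuleEngine On", *COMMON, SETUP, RULES]
ENGINE_LAST = [*COMMON, SETUP, RULES, "SecRuleEngine On"]

if __name__ == "__main__":
    for name in ("ORIGINAL", "SUGGESTED", "ENGINE_LAST"):
        print(name, lint_directives(globals()[name]))
```

A clean result for the last ordering only rules out these two ordering problems; it says nothing about whether the router actually passes requests through the middleware.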
