-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apache 403 Forbidden error handling and duplicate HTTP response headers #3679
Comments
I was not able to reproduce this on Alma 9.3 with a similar configuration |
Hi @ablanken. Thanks for the detailed report.
This line says that your |
That's what's odd - it should be using the default value of 4 as I have not changed the value. I can attempt to set it to any value in the crs-setup.conf file but that makes no difference. |
This is very odd. I think you need to dump the value of This is either a funny malfunction or you have some additional configuration laying around. Here is how to dump a value:
|
Thanks @dune73 - it seems like this logging only works for requests to allowed proxy paths. I enabled level 9 debug logging which shows that quite a few steps are missing for requests to disallowed paths. Variable initialisation only happens with requests to allowed paths:
|
I just tried the same tests using v3.3.5 with the debug log turned on & that also skips the variable init steps when trying to access disallowed paths so that might be a red herring? |
Just a guess: it looks like the response rules may be run for all requests but init and request rules only for allowed requests. Not sure how you managed to do that :) The duplicate headers may be coming from the internal response redirect, which might traverse your |
This might be true. This is all a very complicated case. It deserves some investigation, but this could be quite time consuming and at least I have no time to dig into this. I guess this will fall back on @ablanken. |
Thanks - I'll see what I can do. If it makes things easier for someone to jump in, I could probably stand up a repro in an Azure VM accessible via RDP or SSH. |
Containers would be great, maybe with a docker-compose file. That way, if we break something, we can just star over. |
@ablanken ping. |
I was able to reproduce the problem without the CRS components loaded so we may be able to close the issue here. The next step for me will be to write up my findings and post to the Apache Lounge forums and/or modsec repo for further assistance. I haven't been able to repro with non-Windows releases to date. |
@ablanken Thank you for letting us know! |
Describe the bug
I'm using Apache httpd on Windows to proxy requests to Tomcat for specific subdirectories, but not /.
Requests for any other resource paths should return the standard Forbidden response.
When CRS 4.1.0 is loaded with the default config, requests for undefined resource paths return an unusual error message appended to the bottom of the usual 403 Forbidden page, and custom HTTP response headers are duplicated.
Request handling for defined proxy request paths (both standard and 'bad' requests e.g. ?/bin/bash etc) appears to be fine.
The issue does not seem to occur with v3.3.5.
Steps to reproduce
The following PowerShell (run as admin) on Win 10/Server 2019 and above will help to set up a repro. Note that you may need to disable AV scanning or add specific exceptions if the Defender AV exclusions aren't appropriate for your machine.
Expected behaviour
Browse to "http://localhost/"
Actual behaviour
Additional context
This issue does not occur with v.3.3.5.
Here's a debug log entry:
If rule id:959100 is removed, expected behaviour returns.
It appears that during the 959100 rule evaluation, the outbound anomaly limit is empty so defaults to 0.
Your Environment
The text was updated successfully, but these errors were encountered: