Peer closed connection: I/O error
csuka opened this issue · 0 comments
I'm using the latest version as of now, 0.13.
I've set up docker to run, and configured haproxy to use this tool.
My haproxy config:
frontend http_front
mode http
bind *:80
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request deny if { var(txn.modsec.code) -m int gt 0 }
default_backend http_back
All works beautifully when I send an example request like this:
[root@vm-local-1 ~]# curl 'http://localhost:80/?foo=/etc/passwd&bar=/bin/sh' -k
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
I see in the docker logs that the request is denied as well:
1721067956.818297 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "...[tag ....
And then haproxy provides me with a 403, all is good.
Now, when I try the following:
[root@vm-local-1 log]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
POST /test HTTP/1.1
Host: test
So, I provide the arguments to telnet
POST /test HTTP/1.1
Host: test
Then, the request gets sent through the backend, with a proper response.
This is undesired, as I expected a 403 again.
The docker logs:
1721068085.616785 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "252"] [id "920180"] [msg "POST without Content-Length or Transfer-Encoding headers"] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/4.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "5cb4346453ee"] [uri "http://test/test"] [unique_id ""]
1721068090.620010 [05] <15> Peer closed connection: I/O error
So what I'm seeing is a bit weird.
This command request gets blocked as it should:
curl 'http://localhost:80/?foo=/etc/passwd&bar=/bin/sh'
However, when using telnet, the message is Peer closed connection: I/O error.
I've also tested this using your previous image; there I didn't have that error.
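
A triage helper for the symptom reported above, added here as an example and not part of the original report or the project's code: it scans agent log lines in the format quoted in the issue and lists ModSecurity denials that are followed shortly by a "Peer closed connection" error, which are the requests worth checking against the haproxy access log. The function name and the 10-second window are assumptions, and time proximity alone does not prove the two lines belong to the same request.

```python
import re

# Constructed sample in the format of the agent log lines quoted in the issue
# (message fields shortened; timestamps are epoch seconds).
SAMPLE_LOG = """\
1721067956.818297 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "..."
1721068085.616785 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). [id "920180"] [uri "http://test/test"]
1721068090.620010 [05] <15> Peer closed connection: I/O error
"""

LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<worker>\d+)\] (?P<rest>.*)$')
DENY = re.compile(r'ModSecurity: Access denied with code (?P<code>\d+)')
RULE_ID = re.compile(r'\[id "(?P<id>\d+)"\]')

def find_suspect_denials(log_text, window=10.0):
    """Return denials followed within `window` seconds by a peer-closed error."""
    pending, suspects = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the agent's log format
        ts, rest = float(m['ts']), m['rest']
        deny = DENY.search(rest)
        if deny:
            rule = RULE_ID.search(rest)
            pending.append({'ts': ts, 'code': int(deny['code']),
                            'rule_id': rule['id'] if rule else None})
        elif 'Peer closed connection' in rest:
            # Pair the error with every recent denial; older ones are dropped.
            for d in pending:
                if ts - d['ts'] <= window:
                    suspects.append({**d, 'error_ts': ts, 'delay': round(ts - d['ts'], 3)})
            pending = []
    return suspects

if __name__ == '__main__':
    for s in find_suspect_denials(SAMPLE_LOG):
        print(s)
```
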