jcmoraisjr/modsecurity-spoa

Peer closed connection: I/O error

csuka opened this issue · 0 comments

I'm using the latest version as of now, 0.13.

I've set up docker to run, and configured haproxy to use this tool.
My haproxy config:

frontend http_front
    mode http
    bind *:80
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend http_back

All works beautifully when I send an example request like this:

[root@vm-local-1 ~]# curl 'http://localhost:80/?foo=/etc/passwd&bar=/bin/sh' -k
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.

I see the docker logs that the request is denied as well:

1721067956.818297 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "...[tag ....

And then haproxy provides me with a 403, all is good.

Now, when I try the following:

[root@vm-local-1 log]# telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
POST /test HTTP/1.1
Host: test

So, I provide the arguments to telnet:

POST /test HTTP/1.1
Host: test

Then the request gets sent through to the backend, with a proper response.
This is undesired, as I expected a 403 again.

The docker logs:

1721068085.616785 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "252"] [id "920180"] [msg "POST without Content-Length or Transfer-Encoding headers"] [data "0"] [severity "WARNING"] [ver "OWASP_CRS/4.3.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "5cb4346453ee"] [uri "http://test/test"] [unique_id ""]
1721068090.620010 [05] <15> Peer closed connection: I/O error

So what I'm seeing is a bit weird.
This command request gets blocked as it should:
curl 'http://localhost:80/?foo=/etc/passwd&bar=/bin/sh'
However, when using telnet, the message is Peer closed connection: I/O error.

I've also tested this using your previous image; there I didn't have that error.
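One way to check logs for the pattern described in this report, as an added example that is not part of the original issue or of the modsecurity-spoa project: the agent logs a denial, but if its SPOE reply never reaches HAProxy ("Peer closed connection"), txn.modsec.code stays unset and the `http-request deny if { var(txn.modsec.code) -m int gt 0 }` ACL cannot match, so the request is forwarded (fail-open). The log format, the 10-second correlation window and the field names are assumptions modelled on the two lines quoted above; the sample log is constructed.

```python
import re
from typing import Optional

TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENY_RE = re.compile(r'^(?P<ts>\d+\.\d+) .*ModSecurity: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)')
PEER_RE = re.compile(r'^(?P<ts>\d+\.\d+) .*Peer closed connection: (?P<err>.+)$')

# Constructed sample log, modelled on the lines quoted in the issue (tags abbreviated, no extra rule IDs added).
SAMPLE_LOG = """\
1721067956.818297 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "..." [tag "OWASP_CRS"]
1721068085.616785 [00] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [id "920180"] [msg "POST without Content-Length or Transfer-Encoding headers"] [severity "WARNING"]
1721068090.620010 [05] <15> Peer closed connection: I/O error
"""

def parse_denial(line: str) -> Optional[dict]:
    """Return ts/code/phase and the [key "value"] tags of a denial line (repeated keys keep the last value)."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ev = {"ts": float(m["ts"]), "code": int(m["code"]), "phase": int(m["phase"])}
    ev.update(dict(TAG_RE.findall(line)))
    return ev

def haproxy_denies(code: Optional[int]) -> bool:
    """Model of `http-request deny if { var(txn.modsec.code) -m int gt 0 }`.
    An unset variable (None) never matches the ACL, so the request is forwarded: fail-open."""
    return code is not None and code > 0

def audit(log_text: str, window: float = 10.0) -> list:
    """For each denial, look for a 'Peer closed connection' error before the next denial, within `window` seconds."""
    lines = log_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        ev = parse_denial(line)
        if ev is None:
            continue
        reply_lost = False
        for nxt in lines[i + 1:]:
            if DENY_RE.match(nxt):
                break  # a new transaction starts; stop looking
            p = PEER_RE.match(nxt)
            if p and float(p["ts"]) - ev["ts"] <= window:
                reply_lost = True
                break
        # If the reply was lost, HAProxy never receives txn.modsec.code for this transaction.
        findings.append({"id": ev.get("id"), "phase": ev["phase"], "agent_code": ev["code"],
                         "reply_lost": reply_lost,
                         "haproxy_denied": haproxy_denies(None if reply_lost else ev["code"])})
    return findings
```

Run `audit(SAMPLE_LOG)`: the phase-2 denial is reported as enforced, while the phase-1 denial for rule 920180 is flagged with `reply_lost` and `haproxy_denied` False, matching the behaviour described in the report.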