Saving Keepass database is impossible #14

Open
BHMath opened this issue Nov 27, 2022 · 4 comments
Comments

@BHMath

BHMath commented Nov 27, 2022

Hello, when I try to save my KeePass database with the WAF middleware in Traefik, it fails. I'm getting an error. If I disable the middleware it's OK. Can you check on it? I can help with a specific test.

@acouvreur
Owner

Hi @BHMath ,

Could you please share your configuration?

As this middleware is only supposed to intercept incoming HTTP connections, I'm not sure how it could break this kind of behavior.

Please share some more details, logs, compose files etc.

@BHMath
Author

BHMath commented Nov 28, 2022

My WAF is configured like this:

      - PARANOIA=1
      - ANOMALY_INBOUND=10
      - ANOMALY_OUTBOUND=5

And my router is like this:

[http.routers]
  [http.routers.webdav]
    rule = "Host(`webdav.mycompany.com`)"
    service = "webdav"
    entrypoints = ["websecure"]
    middlewares = ["waf@docker"] 
  [http.routers.webdav.tls]
    certresolver = "myresolver"

[http.services]
  [http.services.webdav.loadBalancer]
    [[http.services.webdav.loadBalancer.servers]]
      url = "https://myip:5006/"

@BHMath
Author

BHMath commented Nov 28, 2022

Here is the log:

28/11/2022 14:40:19
[Mon Nov 28 14:40:19.142199 2022] [:error] [pid 19:tid 139733371959040] [client 172.18.0.1:33714] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]
28/11/2022 14:40:19
audit_data.engine_mode=ENABLEDaudit_data.error_messages=[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]audit_data.handler=proxy-serveraudit_data.messages=Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"]audit_data.producer=ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/),OWASP_CRS/3.3.4audit_data.response_body_dechunked=trueaudit_data.server=Apacheaudit_data.stopwatch.gc=0audit_data.stopwatch.l=0audit_data.stopwatch.p1=616audit_data.stopwatch.p2=1795audit_data.stopwatch.p3=95audit_data.stopwatch.p4=257audit_data.stopwatch.p5=149audit_data.stopwatch.sr=166audit_data.stopwatch.sw=1request.headers.Accept-Encoding=gziprequest.headers.Authorization=Basic a2VlcGFzczpLMzNQQHNzMDE=request.headers.Cache-Control=no-store,no-cacherequest.headers.Host=172.17.0.1:666request.headers.Pragma=no-cacherequest.headers.User-Agent=Go-http-client/1.1request.headers.X-Forwarded-Host=webdav.mycompany.comrequest.headers.X-Forwarded-Port=443request.headers.X-Forwarded-Proto=httpsrequest.headers.X-Forwarded-Server=vps-da6b9d4crequest.headers.X-Real-Ip=165.225.205.15request.request_line=GET /webdav/folder/mydb.kdbx HTTP/1.1response.body=Hostname: d345eec86f29 IP: 127.0.0.1 IP: 172.18.0.4 RemoteAddr: 172.18.0.1:37302 GET /webdav/folder/mydb.kdbx HTTP/1.1 Host: 172.17.0.1:666 User-Agent: Go-http-client/1.1 Authorization: Basic a2VlcGFzczpLMzNQQHNzMDE= Cache-Control: no-store,no-cache Connection: close Pragma: no-cache X-Forwarded-For: 172.18.0.1 X-Forwarded-Host: webdav.mycompany.com, 172.17.0.1:666 X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: vps-da6b9d4c, localhost X-Real-Ip: 172.18.0.1 X-Unique-Id: Y4S6Q-rfCYuT94nJXn6jxQAAABUresponse.headers.Content-Length=536response.headers.Content-Type=text/plain; charset=utf-8response.protocol=HTTP/1.1response.status=200transaction.local_address=172.18.0.3transaction.local_port=80transaction.remote_address=172.18.0.1transaction.remote_port=33714transaction.time=28/Nov/2022:14:40:19.146858 +0100transaction.transaction_id=Y4S6Q-rfCYuT94nJXn6jxQAAABU
28/11/2022 14:40:22
[Mon Nov 28 14:40:22.489246 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Request body no files data length is larger than the configured limit (131072). [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
28/11/2022 14:40:22
[Mon Nov 28 14:40:22.489771 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
28/11/2022 14:40:22
audit_data.action.intercepted=trueaudit_data.action.message=Match of "eq 0" against "REQBODY_ERROR" required.audit_data.action.phase=2audit_data.engine_mode=ENABLEDaudit_data.error_messages=[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Request body no files data length is larger than the configured limit (131072). [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"],[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]audit_data.handler=proxy-serveraudit_data.messages=Request body no files data length is larger than the configured limit (131072).,Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"]audit_data.producer=ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/),OWASP_CRS/3.3.4audit_data.response_body_dechunked=trueaudit_data.server=Apacheaudit_data.stopwatch.gc=0audit_data.stopwatch.l=0audit_data.stopwatch.p1=1115audit_data.stopwatch.p2=16audit_data.stopwatch.p3=0audit_data.stopwatch.p4=0audit_data.stopwatch.p5=211audit_data.stopwatch.sr=307audit_data.stopwatch.sw=0request.body=[binary request body (the .kdbx upload) omitted]request.headers.Accept-Encoding=gziprequest.headers.Authorization=Basic a2VlcGFzczpLMzNQQHNzMDE=request.headers.Cache-Control=no-store,no-cacherequest.headers.Content-Length=228565request.headers.Expect=100-continuerequest.headers.Host=172.17.0.1:666request.headers.Pragma=no-cacherequest.headers.User-Agent=Go-http-client/1.1request.headers.X-Forwarded-Host=webdav.mycompany.comrequest.headers.X-Forwarded-Port=443request.headers.X-Forwarded-Proto=httpsrequest.headers.X-Forwarded-Server=vps-da6b9d4crequest.headers.X-Real-Ip=165.225.205.15request.request_line=PUT /webdav/folder/mydb.kdbx.tmp HTTP/1.1response.body=
Bad Request
Your browser sent a request that this server could not understand.
response.headers.Connection=closeresponse.headers.Content-Length=226response.headers.Content-Type=text/html; charset=iso-8859-1response.protocol=HTTP/1.1response.status=400transaction.local_address=172.18.0.3transaction.local_port=80transaction.remote_address=172.18.0.1transaction.remote_port=45610transaction.time=28/Nov/2022:14:40:22.491726 +0100transaction.transaction_id=Y4S6RmKEEGrk-9egGHU24AAAAUM

If I missed personal data, PM me and I'll update it.

@acouvreur
Owner

Well, it says the following:

[data "Request body no files data length is larger than the configured limit (131072)."]

Please configure your OWASP container with the correct rules.
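An added example, not code from the thread or from the middleware itself: a small Python parser for the ModSecurity error-log lines quoted above. It separates CRS warnings that only add to the anomaly score (rule 920350 on the numeric Host header) from the denial that actually blocked the PUT (rule 200002), and pulls the body limit out of the 200002 message to compare against the upload's Content-Length. The sample lines are constructed from the log in the issue with the [tag "..."] and [ver "..."] fields dropped; the 228565-byte Content-Length is the one in the PUT audit record.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample lines constructed from the ModSecurity error log quoted in this issue
# (the [tag "..."] and [ver "..."] fields are dropped to keep the lines short).
SAMPLE_LOG = [
    r'[Mon Nov 28 14:40:19.142199 2022] [:error] [pid 19:tid 139733371959040] [client 172.18.0.1:33714] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]',
    r'[Mon Nov 28 14:40:22.489771 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]',
]
# Content-Length of the rejected PUT, taken from the audit record quoted in the issue.
PUT_CONTENT_LENGTH = 228565

# [key "value"] pairs; unquoted brackets such as [client 1.2.3.4] are metadata, not rule fields.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
ACTION_RE = re.compile(r"ModSecurity: (?:Access denied with code (\d+)|Warning)")
LIMIT_RE = re.compile(r"larger than the configured limit \((\d+)\)")


def parse_line(line: str) -> Dict[str, str]:
    """Return the quoted fields of one error-log line plus what ModSecurity did with the request."""
    fields = dict(FIELD_RE.findall(line))
    m = ACTION_RE.search(line)
    if m:
        fields["action"] = "denied" if m.group(1) else "warning"
        if m.group(1):
            fields["status"] = m.group(1)
    return fields


def blocked_events(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only events that denied the request; CRS warnings merely add to the anomaly score."""
    return [f for f in map(parse_line, lines) if f.get("action") == "denied"]


def body_limit_shortfall(lines: List[str], content_length: int) -> Optional[Tuple[int, int]]:
    """If a denial came from the body-size limit and the upload exceeds it, return (limit, upload size)."""
    for f in blocked_events(lines):
        m = LIMIT_RE.search(f.get("data", ""))
        if m and content_length > int(m.group(1)):
            return int(m.group(1)), content_length
    return None


if __name__ == "__main__":
    for f in blocked_events(SAMPLE_LOG):
        print(f"rule {f['id']} returned {f['status']} for {f['uri']}: {f['msg']}")
    print("limit vs upload:", body_limit_shortfall(SAMPLE_LOG, PUT_CONTENT_LENGTH))
```

The 131072 figure is ModSecurity's SecRequestBodyNoFilesLimit, which the owasp/modsecurity-crs image exposes as the MODSEC_REQ_BODY_NOFILES_LIMIT environment variable; the database has to fit under it for the PUT to pass.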
