traefik-modsecurity-plugin

Saving KeePass database is impossible

Open BHMath opened this issue 1 year ago • 4 comments

Hello, when I try to save my KeePass database with the WAF middleware in Traefik, it fails. I'm getting an error. If I disable the middleware it's OK. Can you check on it? I can help with specific tests.

BHMath, Nov 27 '22 17:11

Hi @BHMath,

Could you please share your configuration?

As this middleware is only supposed to intercept incoming HTTP connections, I'm not sure how it could break this kind of behavior.

Please share some more details: logs, compose files, etc.

acouvreur, Nov 27 '22 18:11

My WAF is configured like this:

      - PARANOIA=1
      - ANOMALY_INBOUND=10
      - ANOMALY_OUTBOUND=5

And my router is like this:

[http.routers]
  [http.routers.webdav]
    rule = "Host(`webdav.mycompany.com`)"
    service = "webdav"
    entrypoints = ["websecure"]
    middlewares = ["waf@docker"] 
  [http.routers.webdav.tls]
    certresolver = "myresolver"

[http.services]
  [http.services.webdav.loadBalancer]
    [[http.services.webdav.loadBalancer.servers]]
      url = "https://myip:5006/"

BHMath, Nov 28 '22 06:11

Here is the log:

28/11/2022 14:40:19
[Mon Nov 28 14:40:19.142199 2022] [:error] [pid 19:tid 139733371959040] [client 172.18.0.1:33714] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]
28/11/2022 14:40:19
audit_data.engine_mode=ENABLED
audit_data.error_messages=[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Warning. Pattern match "^[\\\\\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]
audit_data.handler=proxy-server
audit_data.messages=Warning. Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "736"] [id "920350"] [msg "Host header is a numeric IP address"] [data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] [tag "modsecurity"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"]
audit_data.producer=ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/),OWASP_CRS/3.3.4
audit_data.response_body_dechunked=true
audit_data.server=Apache
audit_data.stopwatch.gc=0
audit_data.stopwatch.l=0
audit_data.stopwatch.p1=616
audit_data.stopwatch.p2=1795
audit_data.stopwatch.p3=95
audit_data.stopwatch.p4=257
audit_data.stopwatch.p5=149
audit_data.stopwatch.sr=166
audit_data.stopwatch.sw=1
request.headers.Accept-Encoding=gzip
request.headers.Authorization=Basic a2VlcGFzczpLMzNQQHNzMDE=
request.headers.Cache-Control=no-store,no-cache
request.headers.Host=172.17.0.1:666
request.headers.Pragma=no-cache
request.headers.User-Agent=Go-http-client/1.1
request.headers.X-Forwarded-Host=webdav.mycompany.com
request.headers.X-Forwarded-Port=443
request.headers.X-Forwarded-Proto=https
request.headers.X-Forwarded-Server=vps-da6b9d4c
request.headers.X-Real-Ip=165.225.205.15
request.request_line=GET /webdav/folder/mydb.kdbx HTTP/1.1
response.body=Hostname: d345eec86f29 IP: 127.0.0.1 IP: 172.18.0.4 RemoteAddr: 172.18.0.1:37302 GET /webdav/folder/mydb.kdbx HTTP/1.1 Host: 172.17.0.1:666 User-Agent: Go-http-client/1.1 Authorization: Basic a2VlcGFzczpLMzNQQHNzMDE= Cache-Control: no-store,no-cache Connection: close Pragma: no-cache X-Forwarded-For: 172.18.0.1 X-Forwarded-Host: webdav.mycompany.com, 172.17.0.1:666 X-Forwarded-Port: 443 X-Forwarded-Proto: https X-Forwarded-Server: vps-da6b9d4c, localhost X-Real-Ip: 172.18.0.1 X-Unique-Id: Y4S6Q-rfCYuT94nJXn6jxQAAABU
response.headers.Content-Length=536
response.headers.Content-Type=text/plain; charset=utf-8
response.protocol=HTTP/1.1
response.status=200
transaction.local_address=172.18.0.3
transaction.local_port=80
transaction.remote_address=172.18.0.1
transaction.remote_port=33714
transaction.time=28/Nov/2022:14:40:19.146858 +0100
transaction.transaction_id=Y4S6Q-rfCYuT94nJXn6jxQAAABU
28/11/2022 14:40:22
[Mon Nov 28 14:40:22.489246 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Request body no files data length is larger than the configured limit (131072). [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
28/11/2022 14:40:22
[Mon Nov 28 14:40:22.489771 2022] [:error] [pid 64027:tid 139733673965312] [client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
28/11/2022 14:40:22
audit_data.action.intercepted=true
audit_data.action.message=Match of "eq 0" against "REQBODY_ERROR" required.
audit_data.action.phase=2
audit_data.engine_mode=ENABLED
audit_data.error_messages=[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Request body no files data length is larger than the configured limit (131072). [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"],[file "apache2_util.c"] [line 271] [level 3] [client 172.18.0.1] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"] [hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] [unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]
audit_data.handler=proxy-server
audit_data.messages=Request body no files data length is larger than the configured limit (131072).,Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] [msg "Failed to parse request body."] [data "Request body no files data length is larger than the configured limit (131072)."] [severity "CRITICAL"]
audit_data.producer=ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/),OWASP_CRS/3.3.4
audit_data.response_body_dechunked=true
audit_data.server=Apache
audit_data.stopwatch.gc=0
audit_data.stopwatch.l=0
audit_data.stopwatch.p1=1115
audit_data.stopwatch.p2=16
audit_data.stopwatch.p3=0
audit_data.stopwatch.p4=0
audit_data.stopwatch.p5=211
audit_data.stopwatch.sr=307
audit_data.stopwatch.sw=0
request.body=[binary .kdbx upload body omitted]
request.headers.Accept-Encoding=gzip
request.headers.Authorization=Basic a2VlcGFzczpLMzNQQHNzMDE=
request.headers.Cache-Control=no-store,no-cache
request.headers.Content-Length=228565
request.headers.Expect=100-continue
request.headers.Host=172.17.0.1:666
request.headers.Pragma=no-cache
request.headers.User-Agent=Go-http-client/1.1
request.headers.X-Forwarded-Host=webdav.mycompany.com
request.headers.X-Forwarded-Port=443
request.headers.X-Forwarded-Proto=https
request.headers.X-Forwarded-Server=vps-da6b9d4c
request.headers.X-Real-Ip=165.225.205.15
request.request_line=PUT /webdav/folder/mydb.kdbx.tmp HTTP/1.1
response.body=
Bad Request
Your browser sent a request that this server could not understand.
response.headers.Connection=close
response.headers.Content-Length=226
response.headers.Content-Type=text/html; charset=iso-8859-1
response.protocol=HTTP/1.1
response.status=400
transaction.local_address=172.18.0.3
transaction.local_port=80
transaction.remote_address=172.18.0.1
transaction.remote_port=45610
transaction.time=28/Nov/2022:14:40:22.491726 +0100
transaction.transaction_id=Y4S6RmKEEGrk-9egGHU24AAAAUM

If I missed any personal data, PM me and I'll update it.

BHMath, Nov 28 '22 13:11

Well, it says the following:

[data "Request body no files data length is larger than the configured limit (131072)."]

Please configure your OWASP container with the correct rules.

acouvreur, Apr 06 '23 05:04
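The 400 in the log above comes from rule 200002 (the REQBODY_ERROR check at line 72 of modsecurity.conf): the PUT of the .kdbx file carries a 228565-byte body, and ModSecurity's default SecRequestBodyNoFilesLimit is 131072, so the body is rejected in phase 2 before the CRS scores it at all. The 920350 warning on the GET is a separate matter: the plugin forwards the request to the WAF container with Host=172.17.0.1:666 while X-Forwarded-Host still carries webdav.mycompany.com, and that warning alone does not reach the ANOMALY_INBOUND=10 threshold configured above. The following Python triage helper is an added example, not code from the plugin or from anyone in this thread: it parses ModSecurity 2.x error-log lines into their bracketed fields, tells the two cases apart, and computes the limit to configure. The two sample lines are quoted from the issue (some [tag ...] fields trimmed), the Content-Length 228565 is taken from the audit record above, and rounding the new limit up to the next MiB is this example's own choice.

```python
import re

# Two ModSecurity 2.9 error-log lines quoted from the issue above (the WAF warning on
# the GET and the 400 on the PUT); some trailing [tag ...] fields are trimmed for brevity.
LOG_LINES = [
    '[Mon Nov 28 14:40:19.142199 2022] [:error] [pid 19:tid 139733371959040] '
    '[client 172.18.0.1:33714] [client 172.18.0.1] ModSecurity: Warning. '
    'Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. '
    '[file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    '[line "736"] [id "920350"] [msg "Host header is a numeric IP address"] '
    '[data "172.17.0.1:666"] [severity "WARNING"] [ver "OWASP_CRS/3.3.4"] '
    '[tag "attack-protocol"] [tag "paranoia-level/1"] [hostname "172.17.0.1"] '
    '[uri "/webdav/folder/mydb.kdbx"] [unique_id "Y4S6Q-rfCYuT94nJXn6jxQAAABU"]',
    '[Mon Nov 28 14:40:22.489771 2022] [:error] [pid 64027:tid 139733673965312] '
    '[client 172.18.0.1:45610] [client 172.18.0.1] ModSecurity: Access denied with '
    'code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. '
    '[file "/etc/modsecurity.d/modsecurity.conf"] [line "72"] [id "200002"] '
    '[msg "Failed to parse request body."] [data "Request body no files data length '
    'is larger than the configured limit (131072)."] [severity "CRITICAL"] '
    '[hostname "172.17.0.1"] [uri "/webdav/folder/mydb.kdbx.tmp"] '
    '[unique_id "Y4S6RmKEEGrk-9egGHU24AAAAUM"]',
]

# Quoted [key "value"] fields; unquoted ones such as [client 172.18.0.1] are skipped.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DENIED_RE = re.compile(r'ModSecurity: Access denied with code (\d+)')
LIMIT_RE = re.compile(r'larger than the configured limit \((\d+)\)')


def parse_line(line):
    """Split one error-log line into a dict of its quoted fields plus a tag list."""
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)
        else:
            fields.setdefault(key, value)
    fields["tags"] = tags
    m = DENIED_RE.search(line)
    fields["denied_status"] = int(m.group(1)) if m else None  # None means warning only
    return fields


def classify(fields, content_length=None):
    """Name the failure mode: the body-size limit, the numeric-Host warning, or other."""
    data = fields.get("data", "")
    m = LIMIT_RE.search(data)
    if fields.get("id") == "200002" and m:
        detail = {"limit": int(m.group(1)), "uri": fields.get("uri")}
        if content_length is not None:
            detail["content_length"] = content_length
            detail["exceeds_by"] = content_length - detail["limit"]
        return "body_limit", detail
    if fields.get("id") == "920350":
        return "numeric_host", {"host": data, "uri": fields.get("uri")}
    return "other", {"id": fields.get("id"), "msg": fields.get("msg")}


def suggest(category, detail):
    """Tuning advice per category; rounding up to the next MiB is this example's choice."""
    if category == "body_limit":
        observed = detail.get("content_length", detail["limit"])
        new_limit = (observed // (1 << 20) + 1) << 20
        return (f"request body of {observed} bytes exceeds SecRequestBodyNoFilesLimit "
                f"{detail['limit']}; raise it (and keep SecRequestBodyLimit above it) "
                f"to at least {new_limit}")
    if category == "numeric_host":
        return (f"rule 920350 saw Host={detail['host']}: the plugin forwards to the WAF "
                "container by IP, so this is expected; it adds to the anomaly score but "
                "on its own stays below the inbound threshold of 10 used in this issue")
    return "review rule {} ({})".format(detail["id"], detail["msg"])


def triage(lines, content_length=None):
    """Run the pipeline over raw log lines; returns one (category, advice) pair per line."""
    out = []
    for line in lines:
        category, detail = classify(parse_line(line), content_length)
        out.append((category, suggest(category, detail)))
    return out


if __name__ == "__main__":
    # The Content-Length of the PUT (228565) is taken from the audit record in the issue.
    for category, advice in triage(LOG_LINES, content_length=228565):
        print(f"{category}: {advice}")
```

The directive to change is SecRequestBodyNoFilesLimit in modsecurity.conf (the owasp/modsecurity-crs image exposes it as the MODSEC_REQ_BODY_NOFILES_LIMIT environment variable; check the image README for your version). Raising it means the WAF buffers and inspects larger non-multipart bodies, which is the intended trade-off for a WebDAV endpoint that stores encrypted .kdbx files; the alternative, SecRequestBodyLimitAction ProcessPartial, leaves the tail of the upload uninspected.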