
Missing hostname in WAF logs #75

@TheForcer

Description


Hi everyone,

I am currently trying to implement Coraza into my Caddy setup, but for some reason the hostname of blocked requests does not get logged. As you can see in the log samples below, the hostname is recorded as [hostname ""]

2023/06/15 11:08:02.985 WARN    http.handlers.waf       [client "192.168.178.11"] Coraza: Access denied (phase 1). POST without Content-Length or Transfer-Encoding headers [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1543"] [id "920180"] [rev ""] [msg "POST without Content-Length or Transfer-Encoding headers"] [data "0"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname ""] [uri "/api/add"] [unique_id "iicqKuOYWuBJfVcM"]

2023/06/15 11:08:02.985 ERROR   http.handlers.waf       [client "192.168.178.11"] Coraza: Access denied (phase 2). XSS Attack Detected via libinjection [file "@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "4432"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:url: <script>"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname ""] [uri "/api/add"] [unique_id "iicqKuOYWuBJfVcM"]

2023/06/15 11:08:02.985 ERROR   http.handlers.waf       [client "192.168.178.11"] Coraza: Access denied (phase 2). XSS Filter - Category 1: Script Tag Vector [file "@owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "4451"] [id "941110"] [rev ""] [msg "XSS Filter - Category 1: Script Tag Vector"] [data "Matched Data: <script> found within ARGS:url: <script>"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/152/242"] [hostname ""] [uri "/api/add"] [unique_id "iicqKuOYWuBJfVcM"]

According to #35 this should be fixed, so I am not sure if there is a possible misconfiguration at play also.

I've compiled Caddy 2.6.4 with xcaddy in several ways, with the most recent command shown below. AFAIK these versions should contain the servername fixes.

xcaddy build --with github.com/corazawaf/coraza-caddy/@v2.0.0-rc.2 --with github.com/corazawaf/coraza/@v3.0.0

My current Caddyfile looks like this.
I am using the current rule files from coraza-coreruleset and haven't made any changes except additionally allowing the HTTP/3 & HTTP/3.0 versions in crs-setup.conf.

{
        debug
        http_port 1180
        https_port 11443
        admin off
        auto_https off
        order coraza_waf first
        servers {
                metrics
        }
}

(tls) {
        tls ./{args.0}_ecc/fullchain.cer ./{args.0}_ecc/{args.0}.key
        header {
                Strict-Transport-Security max-age=63072000;includeSubDomains;preload
                X-Content-Type-Options nosniff
                X-Frame-Options SAMEORIGIN
                X-Robots-Tag none
        }
}

(waf) {
        coraza_waf {
                #load_owasp_crs
                directives `
                        Include @coraza.conf-recommended
                        Include @crs-setup.conf.example
                        Include @owasp_crs/*.conf
                        SecRuleEngine On
                `
        }
}

memes.example.com {
        import tls example.com
        import waf
        reverse_proxy 10.0.0.109:5001
}

I would be happy about some hints. Thank you 😀
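As an added example (not part of the issue or of the Coraza/Caddy code), the following Go program parses the bracketed `[key "value"]` fields of Coraza log lines like the ones quoted above and flags denied events whose `hostname` is empty, so the gap can be monitored rather than noticed by eye; the sample lines are constructed and shortened from the issue's entries.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Coraza writes rule details as bracketed `[key "value"]` pairs; the regexp
// tolerates escaped quotes so payloads such as `<script>` parse cleanly.
var fieldRe = regexp.MustCompile(`\[(\w+) "((?:[^"\\]|\\.)*)"\]`)

// ParseCorazaLine extracts every bracketed field of one log line.
// Repeated keys (tag) are joined with ", " so nothing is silently dropped.
func ParseCorazaLine(line string) map[string]string {
	fields := make(map[string]string)
	for _, m := range fieldRe.FindAllStringSubmatch(line, -1) {
		key, val := m[1], m[2]
		if prev, ok := fields[key]; ok {
			val = prev + ", " + val
		}
		fields[key] = val
	}
	return fields
}

// MissingHostname lists denied events whose hostname field is empty, as
// "<unique_id> rule <id> uri <uri>", for alerting or correlation by unique_id.
func MissingHostname(lines []string) []string {
	var out []string
	for _, line := range lines {
		f := ParseCorazaLine(line)
		if f["id"] != "" && strings.TrimSpace(f["hostname"]) == "" {
			out = append(out, f["unique_id"]+" rule "+f["id"]+" uri "+f["uri"])
		}
	}
	return out
}

// sampleLines are constructed after the entries quoted in the issue (shortened).
var sampleLines = []string{
	`2023/06/15 11:08:02.985 WARN http.handlers.waf [client "192.168.178.11"] Coraza: Access denied (phase 1). [id "920180"] [tag "application-multi"] [tag "OWASP_CRS"] [hostname ""] [uri "/api/add"] [unique_id "iicqKuOYWuBJfVcM"]`,
	`2023/06/15 11:08:03.001 ERROR http.handlers.waf [client "192.168.178.12"] Coraza: Access denied (phase 2). [id "941100"] [data "Matched Data: <script> found within ARGS:url: <script>"] [hostname "memes.example.com"] [uri "/api/add"] [unique_id "constructed0001"]`,
}

func main() {
	for _, ev := range MissingHostname(sampleLines) {
		fmt.Println("hostname missing:", ev)
	}
}
```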
