Fix ftw timeouts causing termination (envoyproxy#17)

README_RULES.md

@@ -3,6 +3,8 @@
 - 00-modsecurity.conf: `SecStatusEngine` not supported
 - REQUEST-912-DOS-PROTECTION: 912171 temporarily disabled since doesn't interact well with go-ftw
 - REQUEST-920-PROTOCOL-ENFORCEMENT: 920120 not supported with re2
+- REQUEST-920-PROTOCOL-ENFORCEMENT: 920250 temporarily disabled since doesn't interact well with go-ftw
+- REQUEST-920-PROTOCOL-ENFORCEMENT: 920350 updated regex to latest CRS version
 - REQUEST-942-APPLICATION-ATTACK-SQLI: 942130: not supported with re2
 - REQUEST-942-APPLICATION-ATTACK-SQLI: 942480: regexp fails to compile in wasm with "out of bounds memory access"
 - RESPONSE-953-DATA-LEAKAGES-PHP: 953120: not supported with re2

custom_rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -404,25 +404,25 @@ SecRule REQUEST_HEADERS:Content-Type "@rx ^(?i)application/x-www-form-urlencoded
 # This chained rule first checks to see if the admin has set the TX:CRS_VALIDATE_UTF8_ENCODING
 # variable in the crs-setup.conf file.
 #
-SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
-    "id:920250,\
-    phase:2,\
-    block,\
-    t:none,\
-    msg:'UTF8 Encoding Abuse Attack Attempt',\
-    logdata:'%{MATCHED_VAR}',\
-    tag:'application-multi',\
-    tag:'language-multi',\
-    tag:'platform-multi',\
-    tag:'attack-protocol',\
-    tag:'paranoia-level/1',\
-    tag:'OWASP_CRS',\
-    tag:'capec/1000/255/153/267',\
-    ver:'OWASP_CRS/3.3.2',\
-    severity:'WARNING',\
-    chain"
-    SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
-        "setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
+# SecRule TX:CRS_VALIDATE_UTF8_ENCODING "@eq 1" \
+#     "id:920250,\
+#     phase:2,\
+#     block,\
+#     t:none,\
+#     msg:'UTF8 Encoding Abuse Attack Attempt',\
+#     logdata:'%{MATCHED_VAR}',\
+#     tag:'application-multi',\
+#     tag:'language-multi',\
+#     tag:'platform-multi',\
+#     tag:'attack-protocol',\
+#     tag:'paranoia-level/1',\
+#     tag:'OWASP_CRS',\
+#     tag:'capec/1000/255/153/267',\
+#     ver:'OWASP_CRS/3.3.2',\
+#     severity:'WARNING',\
+#     chain"
+#     SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "@validateUtf8Encoding" \
+#         "setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"
 
 
 #
@@ -715,7 +715,7 @@ SecRule REQUEST_HEADERS:Content-Length "!@rx ^0$" \
 # https://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx
 #
 
-SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \
+SecRule REQUEST_HEADERS:Host "@rx (?:^([\d.]+|\[[\da-f:]+\]|[\da-f:]+)(:[\d]+)?$)" \
     "id:920350,\
     phase:2,\
     block,\

ftw/Dockerfile

@@ -7,7 +7,7 @@ WORKDIR /workspace
 
 RUN apk update && apk add curl
 
-RUN go install github.com/fzipi/go-ftw@68d28255a0b526d73369f298033dfad774b86afc
+RUN go install github.com/anuraaga/go-ftw@dev
 
 ADD https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.0.0-rc1.tar.gz /workspace/coreruleset/
 RUN cd coreruleset && tar -xf v4.0.0-rc1.tar.gz --strip-components 1

ftw/docker-compose.yml

@@ -30,19 +30,21 @@ services:
       - logs:/home/envoy/logs:rw
     ports:
       - 8080:80
-  envoy-logs:
+  wasm-logs:
     depends_on:
-    - envoy
-    image: alpine:3.16
-    command: tail -f /home/envoy/logs/envoy.log
+      - envoy
+    image: debian:11-slim
+    entrypoint: bash
+    command:
+      - -c
+      - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]" > /home/envoy/logs/ftw.log
     volumes:
-      - logs:/home/envoy/logs:ro
+      - logs:/home/envoy/logs:rw
   ftw:
     depends_on:
-      - envoy-logs
+      - wasm-logs
     build: .
     volumes:
       - logs:/home/envoy/logs:ro
-
 volumes:
   logs:

ftw/ftw.yml

@@ -1,7 +1,7 @@
 ---
 # For caddy configuration see the next file, Caddyfile
 # Just type: go-ftw run -d ./coreruleset/tests/regression --config .ftw.yaml
-logfile: '/home/envoy/logs/envoy.log'
+logfile: '/home/envoy/logs/ftw.log'
 testoverride:
   input:
     dest_addr: envoy

ftw/tests.sh

@@ -29,6 +29,4 @@ while [[ "$status_code" -eq "000" ]]; do
 done
 echo -e "\n[Ok] Got status code $status_code, expected 200. Ready to start."
 
-# Protocol violations often get treated by Envoy itself, exclude them for now while investigating
-# what works. Also currently HTTP/1.0 seems to have an issue so we exclude any tests using it.
-go-ftw run -d coreruleset/tests/regression/tests --config ftw.yml --exclude '920.*|9323.*'
+go-ftw run -d coreruleset/tests/regression/tests --config ftw.yml --read-timeout=10s || (echo "Envoy Logs:" && cat /home/envoy/logs/envoy.log)