
Broken redirection 301 changed to 200, resulting in white page #10

Closed
keskad opened this issue May 22, 2022 · 8 comments
Labels: bug Something isn't working

Comments

@keskad

keskad commented May 22, 2022

Hi,

Wanted to configure a WordPress instance secured by Coraza WAF with CRS, started with just an empty config to check if the reverse proxy is working, and it wasn't... 😄

So, that's the config:

{
    admin off
    auto_https off
    order coraza_waf first
}

http://example.org:8081/ {
    coraza_waf {
    }

    reverse_proxy http://127.0.0.1:8080/
}

On http://127.0.0.1:8080/ there is a plain WordPress installation on its own NGINX.

Scenarios:

  • I remove the coraza_waf block -> it works
  • I disable Caddy altogether and use NGINX -> it works
  • I increase verbosity with these directives:

SecAction "id:1,pass,log"
SecAuditLog /dev/stdout
SecDebugLog /dev/stdout
SecDebugLogLevel 5

then I get:
{"level":"warn","ts":1653157564.0115337,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"warn","ts":1653157564.0118072,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"warn","ts":1653157564.011933,"logger":"http","msg":"automatic HTTPS is completely disabled for server","server_name":"srv0"}
{"level":"warn","ts":1653157564.011956,"logger":"http","msg":"automatic HTTPS is completely disabled for server","server_name":"srv1"}
{"level":"warn","ts":1653157564.0119655,"logger":"http","msg":"automatic HTTPS is completely disabled for server","server_name":"srv2"}
{"level":"info","ts":1653157564.012178,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00048acb0"}
{"level":"info","ts":1653157564.0125582,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/.local/share/caddy"}
{"level":"info","ts":1653157564.012748,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1653157564.0128853,"msg":"autosaved config (load with --resume flag)","file":"/.config/caddy/autosave.json"}
{"level":"info","ts":1653157564.0130568,"msg":"serving initial configuration"}
{"level":"error","ts":1653157584.9115057,"logger":"http.handlers.waf","msg":"[client \"10.42.0.0\"] Coraza: Warning.  [file \"\"] [line \"0\"] [id \"1\"] [rev \"\"] [msg \"\"] [data \"\"] [severity \"emergency\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [hostname \"\"] [uri \"/wp-admin/\"] [unique_id \"PLqC91DKwSNTMfG4QWr\"]"}
{"level":"debug","ts":1653157584.9111702,"caller":"v2@v2.0.0-rc.3/waf.go:261","msg":"new transaction created","event":"NEW_TRANSACTION","txid":"PLqC91DKwSNTMfG4QWr"}
{"level":"debug","ts":1653157584.911321,"caller":"v2@v2.0.0-rc.3/rulegroup.go:116","msg":"Evaluating phase","event":"EVALUATE_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":1}
{"level":"debug","ts":1653157584.911337,"caller":"v2@v2.0.0-rc.3/rulegroup.go:173","msg":"Finished phase","event":"FINISH_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":1,"rules":0}
{"level":"debug","ts":1653157584.9113533,"caller":"v2@v2.0.0-rc.3/rulegroup.go:116","msg":"Evaluating phase","event":"EVALUATE_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":2}
{"level":"debug","ts":1653157584.9113638,"caller":"v2@v2.0.0-rc.3/rule.go:236","msg":"Evaluating rule","rule":1,"raw":"SecAction id:1,pass,log","tx":"PLqC91DKwSNTMfG4QWr","event":"EVALUATE_RULE","is_chain":false}
{"level":"debug","ts":1653157584.9113884,"caller":"v2@v2.0.0-rc.3/rule.go:258","msg":"Forcing rule match","txid":"PLqC91DKwSNTMfG4QWr","rule":1,"event":"RULE_FORCE_MATCH"}
{"level":"debug","ts":1653157584.9114132,"caller":"v2@v2.0.0-rc.3/rule.go:399","msg":"evaluating action","type":"non_disruptive","txid":"PLqC91DKwSNTMfG4QWr","rule":1,"action":"log"}
{"level":"debug","ts":1653157584.9114475,"caller":"v2@v2.0.0-rc.3/rule.go:363","msg":"Detecting rule disruptive action","txid":"PLqC91DKwSNTMfG4QWr","rule":1}
{"level":"debug","ts":1653157584.911467,"caller":"v2@v2.0.0-rc.3/rule.go:366","msg":"Evaluating action","type":"disruptive or flow","txid":"PLqC91DKwSNTMfG4QWr","rule":1,"action":"pass"}
{"level":"debug","ts":1653157584.9114861,"caller":"v2@v2.0.0-rc.3/transaction.go:279","msg":"rule matched","txid":"PLqC91DKwSNTMfG4QWr","rule":1}
{"level":"debug","ts":1653157584.9115162,"caller":"v2@v2.0.0-rc.3/rule.go:376","msg":"finished evaluating rule","txid":"PLqC91DKwSNTMfG4QWr","rule":1,"matched_values":0,"event":"FINISH_RULE","is_chain":false}
{"level":"debug","ts":1653157584.9115338,"caller":"v2@v2.0.0-rc.3/rulegroup.go:173","msg":"Finished phase","event":"FINISH_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":2,"rules":1}
{"level":"debug","ts":1653157590.2650416,"caller":"v2@v2.0.0-rc.3/rulegroup.go:116","msg":"Evaluating phase","event":"EVALUATE_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":3}
{"level":"debug","ts":1653157590.2651434,"caller":"v2@v2.0.0-rc.3/rulegroup.go:173","msg":"Finished phase","event":"FINISH_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":3,"rules":0}
{"level":"debug","ts":1653157590.2655733,"caller":"v2@v2.0.0-rc.3/rulegroup.go:116","msg":"Evaluating phase","event":"EVALUATE_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":5}
{"level":"debug","ts":1653157590.2656057,"caller":"v2@v2.0.0-rc.3/rulegroup.go:173","msg":"Finished phase","event":"FINISH_PHASE","txid":"PLqC91DKwSNTMfG4QWr","phase":5,"rules":0}
{"level":"debug","ts":1653157590.2656202,"caller":"v2@v2.0.0-rc.3/transaction.go:795","msg":"Transaction not marked for audit logging, AuditEngine is disabled","tx":"PLqC91DKwSNTMfG4QWr"}

Actual response

< HTTP/2 200 
< date: Sat, 21 May 2022 19:10:18 GMT
< content-type: text/html; charset=UTF-8
< location: https://.../wp-login.php?redirect_to=https%3A%2F%2F...%2Fwp-admin%2F&reauth=1
< cache-control: no-cache, must-revalidate, max-age=0
< expires: Wed, 11 Jan 1984 05:00:00 GMT
< x-redirect-by: WordPress
< strict-transport-security: max-age=15724800; includeSubDomains

Expected response (when coraza_waf block is disabled)

< HTTP/2 302 
< date: Sun, 22 May 2022 06:28:39 GMT
< content-type: text/html; charset=UTF-8
< location: https://.../wp-login.php?redirect_to=https%3A%2F%2F...%2Fwp-admin%2F&reauth=1
< cache-control: no-cache, must-revalidate, max-age=0
< expires: Wed, 11 Jan 1984 05:00:00 GMT
< x-redirect-by: WordPress
< strict-transport-security: max-age=15724800; includeSubDomains
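The symptom above (Location and the other upstream headers survive, but the status becomes 200 and the client is left on a blank page) is the classic signature of a response interceptor that buffers the upstream response for inspection and then forgets to replay the upstream status code: Go's net/http sends 200 on the first Write when WriteHeader was never called. The following is an added, self-contained Go example that is not Coraza's or Caddy's code; it builds a constructed WordPress-like upstream that answers /wp-admin/ with a 302, wraps it in a hypothetical buffering WAF middleware, and shows the broken flush beside the corrected one so the failure mode can be reproduced and checked in a unit test.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// upstream simulates the WordPress backend (constructed for this example):
// it answers /wp-admin/ with a 302 to the login page, like the expected response.
func upstream() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=UTF-8")
		w.Header().Set("Location", "/wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1")
		w.Header().Set("X-Redirect-By", "WordPress")
		w.WriteHeader(http.StatusFound)
		w.Write([]byte("<html><body>redirecting...</body></html>"))
	})
}

// bufferedWriter is a hypothetical response interceptor: it captures the status
// code and buffers the body so that response-phase rules could inspect them
// before anything reaches the client.
type bufferedWriter struct {
	http.ResponseWriter
	status int
	body   bytes.Buffer
}

func (b *bufferedWriter) WriteHeader(code int)        { b.status = code }
func (b *bufferedWriter) Write(p []byte) (int, error) { return b.body.Write(p) }

// flush forwards the buffered response to the real writer. With
// propagateStatus=false the captured status is dropped: net/http then emits
// 200 on the first Write while Location and friends are still sent, which is
// exactly the "redirect turned into a 200 white page" symptom.
func (b *bufferedWriter) flush(propagateStatus bool) {
	if propagateStatus && b.status != 0 {
		b.ResponseWriter.WriteHeader(b.status)
	}
	b.ResponseWriter.Write(b.body.Bytes())
}

// interceptingWAF wraps next with the buffering interceptor; fixed selects the
// corrected flush that replays the upstream status code.
func interceptingWAF(next http.Handler, fixed bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		bw := &bufferedWriter{ResponseWriter: w}
		next.ServeHTTP(bw, r)
		// a real WAF would evaluate its response-phase rules on bw.status,
		// bw.Header() and bw.body here before deciding to flush or block
		bw.flush(fixed)
	})
}

// statusThrough returns the status code and Location header a client observes
// for GET /wp-admin/ through the interceptor.
func statusThrough(fixed bool) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/wp-admin/", nil)
	interceptingWAF(upstream(), fixed).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	for _, fixed := range []bool{false, true} {
		code, loc := statusThrough(fixed)
		fmt.Printf("fixed=%v status=%d location=%s\n", fixed, code, loc)
	}
}
```

The same assertion (status code through the proxy equals status code from the upstream, for a redirecting URL) is a cheap regression check to keep in a WAF or reverse-proxy deployment pipeline, since a dropped 3xx/4xx is easy to miss in casual browsing but changes both user experience and the security behaviour of the redirect.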
blackandred pushed a commit to riotkit-org/wordpress-hardened that referenced this issue May 22, 2022
@jptosso
Member

jptosso commented May 23, 2022

It seems that there is a secaction created. Maybe rules creating log events without interruptions are causing problems, I will review this. But could you confirm the presence of rule id 1? There are no default rules in coraza.

SecAction id:1,pass,log

Thank you for your report

@keskad
Author

keskad commented May 24, 2022

@jptosso I confirm presence of this rule - I was testing with and without it. You can see logs when it is present, and when it wasn't present there were no logs at all 🙂

@keskad
Author

keskad commented May 24, 2022

Maybe this can be related to reverse_proxy somehow? I haven't tested it yet with, for example, the fast-cgi handler.

@robgordon89

I am also having this issue, but with Laravel. I have been trying to find the reason for this for quite some time; do you have any more information regarding this?

@jptosso
Member

jptosso commented Jun 1, 2022

I will replicate this issue today and get back to you all

@jptosso jptosso self-assigned this Jun 1, 2022
@jptosso jptosso added the bug Something isn't working label Jun 1, 2022
@keskad
Author

keskad commented Jun 8, 2022

@jptosso Do you need any help in reproducing this? :)

@jptosso
Member

jptosso commented Jun 8, 2022

Sorry, I'm traveling right now, still, more details on how to replicate would be greatly appreciated, thank you.

I think it could be related to reverse_proxy. Coraza does not alter status codes unless there is an error, but for some segmentation faults or Go errors it will panic without writing anything to the logs.

@jptosso
Member

jptosso commented Jul 25, 2022

Sorry to answer this late, but here are my results:

➜  coraza-otelcol curl http://127.0.0.1:8080/wp-admin -v 
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /wp-admin HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.79.1
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Length: 315
< Content-Type: text/html; charset=iso-8859-1
< Date: Mon, 25 Jul 2022 20:00:14 GMT
< Location: http://www.tosso.io/wp-admin/
< Server: Caddy
< Server: Caddy
< Server: Apache/2.4.53 (Debian)
< X-Request-Id: bohChMfrpl4muTisGg3
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.tosso.io/wp-admin/">here</a>.</p>
<hr>
<address>Apache/2.4.53 (Debian) Server at www.tosso.io Port 80</address>
</body></html>
* Connection #0 to host 127.0.0.1 left intact

My Caddyfile:

{
    debug
    auto_https off
    order coraza_waf first
}

:8080 {
    coraza_waf {
        directives `
            SecRule REQUEST_URI "test5" "id:2, deny, log, phase:1,status:403"
            SecRule REQUEST_URI "test6" "id:4, deny, log, phase:3,status:403"
        `
    }
    header * x-request-id "{http.transaction_id}"
    reverse_proxy https://www.tosso.io {
        header_up Host "www.tosso.io"
        header_up X-Forwarded-Proto "https"
    }
}
