DoH blocked? #3216
Hi @Zoey2936 and thanks for reporting this. Can you, please, provide full logs related to this request? Rule By the way, you have completely disabled the whole WAF by removing rule
That's just a part; because I get many DNS requests every second I can't send the entire log, so maybe there are some important parts missing.
The standard (not debug) log would be sufficient.
How do I get it? nginx only logs the part I sent you; I can only provide a lower level debug log.
Are you sure there isn't any other line than the one you pasted above (in your first comment)? In your debug.log, there is this part:
It seems that rule 920420 triggered, which increases the anomaly score by 5 - this is enough to trigger the rule 949110. Perhaps you should set your own
So the problem is that the content type is blocked? And no, nginx only logs the part I sent at the beginning. But another question: below the lines you mentioned, HTTP versions are listed and they don't contain HTTP/3. Could this also cause a block, since I compiled nginx with HTTP/3 support?
Yes, you need to allow
You did an HTTP2 request, see:
Yes in this example, but would it mean that
Will this be something I need to add forever now to the crs-setup.conf, or will this be added to the coreruleset at some point?
It depends on your configuration, see crs-setup.conf.
You need to add it to your configuration, it won't be part of CRS.
Thanks, adding application/dns-message to the crs-setup.conf fixed it.
Will HTTP/3 be added to coreruleset at some point?
If I set tx.allowed_http_versions to HTTP/3, will it be added to the default or will it override the default?
It will override the default so you probably want to keep all versions.
Is it possible to add it without override?
No.
See #3218.
Description
The REQUEST-949-BLOCKING-EVALUATION.conf file (ID: 949110) seems to block DoH requests. If I remove the file, everything works. If I do the same requests on another host which does not proxy to a DoH server, I get a 404, no 403, so the problem seems to come from the response of the DoH server.
How to reproduce the misbehavior (-> curl call)
No idea what a curl command would look like, but using doh-cli
doh-cli --url https://dns.domain.de/dns-query www.example.com A
on an nginx host (with this ruleset), which proxies to an adguardhome server results in: 403 Client Error: Forbidden for url: https://dns.domain.de/dns-query?dns=r2wBAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
Logs
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:BLOCKING_INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/nginx/conf/conf.d/include/coreruleset/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "176"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "0"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "*.*.*.*"] [uri "/dns-query"] [unique_id "168444845218.573577"] [ref ""], client: *.*.*.*, server: *.dns.domain.de, request: "POST /dns-query HTTP/2.0", host: "dns.domain.de"
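The two settings the thread converges on, written out as an added example (not text from the issue or from the CRS project's files): the SecAction blocks in crs-setup.conf that extend the allowed request content types with application/dns-message and override the allowed HTTP versions while keeping the existing ones. The rule IDs 900220/900230 and the default lists below are as I recall them from the CRS 4.0 crs-setup.conf and should be checked against the shipped file.

```apache
# Added example: crs-setup.conf excerpt in the OWASP CRS 4.0.0-rc1 layout.
# Both SecActions ship commented out in crs-setup.conf; uncomment and edit them
# there instead of deleting REQUEST-949-BLOCKING-EVALUATION.conf, which turns
# off blocking for every rule, not just this one.

# Rule 920420 (request content type) adds a CRITICAL score of 5, which alone
# reaches the default inbound threshold of 5 checked by rule 949110, unless the
# request's Content-Type appears in this list. Entries are |pipe|-wrapped and
# space separated. The default entries are an assumption from memory: copy the
# list from your shipped file and append the DoH wire-format type at the end.
SecAction \
 "id:900220,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  tag:'OWASP_CRS',\
  ver:'OWASP_CRS/4.0.0-rc1',\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/dns-message|'"

# Rule 920430 (HTTP protocol version) consults this list. setvar replaces the
# whole value, so the override must repeat the existing versions rather than
# list only HTTP/3; both spellings are kept since the engine may report either.
SecAction \
 "id:900230,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  tag:'OWASP_CRS',\
  ver:'OWASP_CRS/4.0.0-rc1',\
  setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0'"
```

After reloading nginx, a DoH request that previously produced the 949110 entry above should pass without rule 920420 contributing to the inbound anomaly score.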