
Fixing uri max size #1266

Merged

Conversation

kawaiipantsu (Contributor)
Changing URI max size from 1024 to 1280 bytes

@kawaiipantsu (Contributor, Author)

Problem -> T-Pot Live Attack Map not working as intended

Problem debugging:

  • Message in browser is "Request URI too long"
  • Screenshot shows the server returning the error is Nginx (I had to be sure, as I'm also behind my own reverse proxy!)
  • Making sure we can see the problem in "facts" - checking URI length
echo "GET /kibana/api/maps/mvt/getGridTile/0/0/0.pbf?geometryFieldName=geoip_ext.location&index=logstash-*&gridPrecision=4&hasLabels=false&requestBody=(_source%3A(excludes%3A!())%2Caggs%3A()%2Cfields%3A!((field%3A%27%40timestamp%27%2Cformat%3Adate_time)%2C(field%3Aend_time%2Cformat%3Adate_time)%2C(field%3Aflow.start%2Cformat%3Adate_time)%2C(field%3Astart_time%2Cformat%3Adate_time)%2C(field%3Atime_iso8601%2Cformat%3Adate_time)%2C(field%3Atimestamp%2Cformat%3Adate_time)%2C(field%3Atls.notafter%2Cformat%3Adate_time)%2C(field%3Atls.notbefore%2Cformat%3Adate_time))%2Cquery%3A(bool%3A(filter%3A!((bool%3A(minimum_should_match%3A1%2Cshould%3A!((match%3A(type%3A%27Adbhoney%20Ciscoasa%20CitrixHoneypot%20ConPot%20Cowrie%20Ddospot%20Dicompot%20Dionaea%20ElasticPot%20Endlessh%20Glutton%20Hellpot%20Heralding%20Honeytrap%20Honeypots%20Log4pot%20Ipphoney%20Mailoney%20Medpot%20Redishoneypot%20Tanner%20Wordpot%27)))))%2C(range%3A(%27%40timestamp%27%3A(format%3Astrict_date_optional_time%2Cgte%3A%272023-02-20T23%3A03%3A07.592Z%27%2Clt" | wc -m
1025
  • Matching requested URI length against Nginx conf setting
    large_client_header_buffers 2 1k;

Conclusion:
Yes, 1k (1024) is not enough to accommodate Kibana's 1025-byte-long URI. After a bit of research it's clear that this can happen, but that Kibana tries to keep it to 1024. But larger is seen. So we need something above 1024 to not see this problem. But we also want to keep it close to 1024 as per OWASP recommendations.

Problem patch test:

Login to T-Pot Hive / Standalone install
Add "- /data/nginx/conf/tpotweb.conf:/etc/nginx/conf.d/tpotweb.conf:ro" for Nginx volumes

# nano /opt/tpot/etc/tpot.yml
# curl -so /data/nginx/conf/tpotweb.conf https://raw.githubusercontent.com/telekom-security/tpotce/master/docker/nginx/dist/conf/tpotweb.conf
# sed -i 's/large_client_header_buffers 2 1k;/large_client_header_buffers 2 1280;/' /data/nginx/conf/tpotweb.conf
# chown tpot:tpot /data/nginx/conf/tpotweb.conf
# chmod 644 /data/nginx/conf/tpotweb.conf
# reboot

Confirm change
Login to T-Pot Hive / Standalone install

# docker exec -it nginx cat /etc/nginx/conf.d/tpotweb.conf|grep large_client_header_buffers
    large_client_header_buffers 2 1280;

T-Pot Live Attack Map is now working as intended

Yay!
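The nginx directive quoted in the comment above bounds the whole request line (method, URI and HTTP version), not just the URI, and `echo` adds a trailing newline that `wc -m` counts too, so a practitioner verifying this limit would rather measure the request line itself in bytes. The script below does that and compares the result against a `large_client_header_buffers` size value. It is an added example, not code from this PR or from the T-Pot project; the 1010-byte URI it measures is a constructed stand-in for the Kibana tile request, not the real one.

```shell
#!/bin/sh
# Added example (not T-Pot project code): does a request line fit into one
# nginx large_client_header_buffers buffer? nginx answers 414 when it does not.

# Convert an nginx size value ("1k", "1280", "2m") to a byte count.
nginx_size_bytes() {
  case "$1" in
    *k|*K) echo $(( ${1%[kK]} * 1024 )) ;;
    *m|*M) echo $(( ${1%[mM]} * 1024 * 1024 )) ;;
    *)     echo "$1" ;;
  esac
}

# Byte length of the request line nginx buffers: "METHOD URI HTTP/1.1\r\n".
# printf instead of echo so no stray newline is counted; wc -c counts bytes.
request_line_bytes() {
  printf '%s %s HTTP/1.1\r\n' "$1" "$2" | wc -c | tr -d ' '
}

# Exit 0 if a GET for the URI fits in one buffer of the given size, 1 otherwise.
fits_in_buffer() {
  uri="$1"; size="$2"
  limit=$(nginx_size_bytes "$size")
  n=$(request_line_bytes GET "$uri")
  [ "$n" -le "$limit" ]
}

# Constructed sample: "/" followed by 1009 "a" characters, i.e. a 1010-byte URI,
# which makes a 1025-byte request line like the one counted in the comment.
LONG_URI="/$(printf '%1009s' '' | tr ' ' 'a')"

# One-line verdict for a URI against a directive size value.
check_uri() {
  if fits_in_buffer "$1" "$2"; then
    echo "request line $(request_line_bytes GET "$1") bytes fits in one $2 buffer"
  else
    echo "request line $(request_line_bytes GET "$1") bytes exceeds one $2 buffer -> nginx returns 414"
  fi
}

check_uri "$LONG_URI" 1k
check_uri "$LONG_URI" 1280
```

Run it on a real request by replacing `LONG_URI` with the URI copied from the browser's network tab; the number printed is what nginx actually compares against the configured buffer size, so it explains a 414 even when the bare URI looks like it is under the limit.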

@t3chn0m4g3 (Member)

Thank you. Will have a look at it ASAP.

@kawaiipantsu (Contributor, Author)

kawaiipantsu commented Feb 22, 2023

> Thank you. Will have a look at it ASAP.

If you can't replicate the problem, then perhaps it's not needed. But I kept getting that error message; sometimes it worked, other times it was too long, etc. So it broke the user UI experience :)

I actually think the real culprit is that I put my proxy in front of it. So myproxy -> nginx -> map_web, and perhaps my proxy introduced extra headers that would add up just a little bit to hit the 1024-byte limit. So perhaps this is indeed not a fix for Kibana doing long URIs, but for those who want to run it smoothly behind their own reverse proxy as well :)

But then again, it does explicitly state URI too long, and the counted chars are 1025, so it is larger than the allowed 1024 🍡

@t3chn0m4g3 (Member)

Thank you for taking the time to describe this so one can really follow up for reproduction 😁
However, as you mentioned earlier, since I cannot reproduce this, I think it is the result of the second reverse proxy you introduced. Please make adjustments to the config comments that reflect this conversation. Afterwards I will merge.

Added a detailed comment on what the change is needed for and why it's there
@t3chn0m4g3 (Member)

Thank you very much for the valued contribution!

@t3chn0m4g3 t3chn0m4g3 merged commit 1a20de2 into telekom-security:master Feb 23, 2023
@t3chn0m4g3 (Member)

Updated images have been deployed.
