Argument 'src-port' not found for IPv6 #107

Open
choffmeister opened this issue Jul 23, 2024 · 1 comment
@choffmeister

Hello,

Today I noticed that our web application is getting slow after we have added AAAA DNS headers. It turned out that requests via IPv6 had coraza failing. The problem is that for IPv6 traffic there is no src-port given and coraza fails with:

time="2024-07-23T14:02:47Z" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"

I have prepared a minimal test-case with docker compose here. The configuration is pretty much exactly what is described in the README.md.

# haproxy.cfg
global
    log stdout format raw local0
    
defaults
    log global
    mode http
    log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ coraza-error:%[var(txn.coraza.error)]\ coraza-action:%[var(txn.coraza.action)]"
    retries 3
    maxconn 1000
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    
frontend frontend
    bind :::80 v4v6
    mode http
    filter spoe engine coraza config /usr/local/etc/haproxy/coraza.cfg
    http-request return status 200 content-type "text/plain" lf-string "ok" 

backend coraza
    mode tcp
    server coraza coraza:9000

# coraza.cfg
[coraza]
spoe-agent coraza-agent
    messages coraza-req
    #messages coraza-res
    option var-prefix coraza
    option set-on-error error
    timeout hello 2s
    timeout idle 2m
    timeout processing 500ms
    use-backend coraza
    log global

spoe-message coraza-req
    args app=fe_name id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
    event on-frontend-http-request

spoe-message coraza-res
    args app=fe_name id=unique-id version=res.ver status=status headers=res.hdrs body=res.body
    event on-http-response

Currently it is unclear to me if this is a problem of this repository or with HAProxy itself.

@foxcaput

Hello,

I attempted troubleshooting, and it appears that the issue is specific to IPv6 compatibility. To mitigate this, I separated IPv4 and IPv6 onto distinct frontends and disabled Coraza on the IPv6 frontend. However, this approach is a temporary workaround rather than a true solution, as it merely masks the underlying issue rather than resolving it.

Is there someone from the development team available to investigate this issue further?
And the problem is not in HAProxy, the problem is in coraza spoa.
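
Added example (not part of the issue thread and not the project's code): a check over HAProxy access logs in the `log-format` from the first post, counting per address family how many requests carried a set `coraza-error` value and therefore were not inspected by the WAF. It assumes an unset variable is logged as `-`, that `option set-on-error error` populates `txn.coraza.error` on SPOE failures, and that IPv4 clients on the `v4v6` bind are logged as IPv4-mapped addresses; the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines shaped like the log-format in haproxy.cfg above
# (middle fields shortened, documentation address ranges, made-up error value).
SAMPLE_LOG = """\
::ffff:192.0.2.10:51234 [23/Jul/2024:14:02:40.101] frontend frontend/<NOSRV> 200 coraza-error:- coraza-action:-
2001:db8::25:40112 [23/Jul/2024:14:02:47.312] frontend frontend/<NOSRV> 200 coraza-error:1 coraza-action:-
::ffff:192.0.2.77:50002 [23/Jul/2024:14:02:48.007] frontend frontend/<NOSRV> 200 coraza-error:- coraza-action:-
2001:db8:0:1::9:33100 [23/Jul/2024:14:02:49.950] frontend frontend/<NOSRV> 200 coraza-error:1 coraza-action:-
"""

# "%ci:%cp" is ambiguous for IPv6, so the port is taken as the digits after
# the LAST colon before the timestamp bracket; the rest is the address.
LINE_RE = re.compile(
    r"^(?P<ip>\S+):(?P<port>\d+) \[.*\bcoraza-error:(?P<err>\S+)"
)


def client_family(ip_text):
    """Return 'ipv4' or 'ipv6'; IPv4-mapped IPv6 addresses count as IPv4."""
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is None:
        return "ipv6"
    return "ipv4"


def spoe_errors_by_family(log_text):
    """Count requests and requests with a set coraza-error per address family."""
    stats = defaultdict(lambda: {"requests": 0, "spoe_errors": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # line is not in the expected format
        try:
            family = client_family(match.group("ip"))
        except ValueError:
            continue  # client field is not a parsable address
        stats[family]["requests"] += 1
        if match.group("err") != "-":
            stats[family]["spoe_errors"] += 1
    return dict(stats)


if __name__ == "__main__":
    for family, s in sorted(spoe_errors_by_family(SAMPLE_LOG).items()):
        print(f"{family}: {s['spoe_errors']}/{s['requests']} requests with SPOE error")
```
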
