
Coraza always returns 'allow' #109

Open
csuka opened this issue Jul 29, 2024 · 3 comments

Comments


csuka commented Jul 29, 2024

I'm using Alma 8, go version go1.21.11, haproxy 2.8.10.
I've cloned the repo, created the coraza-spoa binary, and set up all config files, essentially following this guide.
I run the binary, and it's listening on port 9000.

When I do a curl request, e.g. curl http://localhost:80/\?x\=/etc/passwd, I see the request being denied by the owasp ruleset, but coraza returns an allow to haproxy. I've checked this using the debug option in haproxy: %[var(txn.coraza.action)].

I expected a deny, as the owasp ruleset flags the request as critical as well.
Example of coraza message:

{"level":"error","ts":1722250000.55379,"msg":"[client \"127.0.0.1\"] Coraza: Warning. OS File Access Attempt [file \"/etc/coraza-spoa/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf\"] [line \"4360\"] [id \"930120\"] [rev \"\"] [msg \"OS File Access Attempt\"] [data \"Matched Data: etc/passwd found within ARGS:x: /etc/passwd\"] [severity \"critical\"] [ver \"OWASP_CRS/4.3.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-lfi\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"capec/1000/255/153/126\"] [tag \"PCI/6.5.4\"] [hostname \"127.0.0.1\"] [uri \"/?x=/etc/passwd\"] [unique_id \"927f0d12-a6d7-4ee0-8a2d-aa3813a9b126\"]\n"}

I actually think that this commit broke it.

Also, when using the docker container I get the same results.

csuka changed the title from "Application doesn't work as expected" to "Coraza always returns 'allow'" Jul 30, 2024

fsou commented Sep 4, 2024

Hi @csuka
Have you tried changing SecRuleEngine to On in coraza.conf?

# Enable Coraza, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
SecRuleEngine On


superstes commented Sep 16, 2024

Got the same behavior on main:

Spoa config

cat /etc/coraza-spoa/spoa.yaml
...
    directives: |
      Include /etc/coraza-spoa/coraza.conf
      Include /etc/coraza-spoa/coreruleset/rules/@crs-setup.conf.example
      Include /etc/coraza-spoa/coreruleset/rules/@owasp_crs/*.conf
...

Main coraza config

cat /etc/coraza-spoa/coraza.conf | grep ^SecRuleEngine
> SecRuleEngine On

Logs

journalctl -u coraza-spoa.service -n 10
>  Sep 16 17:04:39 waf01 coraza[52209]: {"level":"error","ts":1726499079.543303,"msg":"[client \"212.95.5.x\"] Coraza: Access denied (phase 2). Inbound Anomaly Score Exceeded (Total Score: 10) [file \"/etc/coraza-spoa/coreruleset/rules/@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"7023\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 10)\"] [data \"\"] [severity \"emergency\"] [ver \"OWASP_CRS/4.5.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"anomaly-evaluation\"] [tag \"OWASP_CRS\"] [hostname \"78.47.98.x\"] [uri \"/js/slideshow.js?\"] [unique_id \"a77c4a3f-0e2e-4c8e-8449-db889f646d71\"]\n"}


superstes commented Sep 16, 2024

Got it.
The haproxy.cfg referenced by the README.md (2nd reference) and in the docs is not blocking requests.

This one seems to do the job: https://github.com/corazawaf/coraza-spoa/blob/main/doc/config/haproxy.cfg

It seems PR #103 has fixed the link in the README. (Note: Maybe there also were some other fixes in #103)

curl -v 'http://localhost:80/?a=<script>alert(1)</script>'
< HTTP/1.1 403 Forbidden
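The thread comes down to where enforcement happens: coraza-spoa only stores its verdict in the `txn.coraza.action` variable that csuka logged, and it is the HAProxy configuration that has to act on it. The following frontend is an added example, not the repository's `doc/config/haproxy.cfg` (the file superstes links remains the authoritative one). Only the variable name `txn.coraza.action` and the agent port 9000 come from the thread; the SPOE config path, the engine and group names (`coraza`, `coraza-req`), the backend addresses and the literal verdict strings `allow`/`deny` are assumptions here.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Frontend that receives client traffic and hands each request to coraza-spoa.
frontend http_in
    bind *:80
    # Attach the SPOE filter. The engine name must match the SPOE config file
    # (path assumed); that file is also where "use-backend coraza-spoa" lives.
    filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg
    # Send the request to the agent and wait for its verdict. The group name
    # "coraza-req" is assumed and has to exist in the SPOE config.
    http-request send-spoe-group coraza coraza-req
    # Without a rule like this the verdict is only stored in the variable and
    # never enforced, so every request is forwarded no matter what CRS matched
    # (the symptom reported in this issue). The "deny" string value is assumed.
    http-request deny deny_status 403 if { var(txn.coraza.action) -m str deny }
    # Log the verdict next to the request line for troubleshooting, the same
    # fetch csuka used to observe "allow".
    log-format "%ci:%cp [%tr] %ft %b/%s %ST coraza_action=%[var(txn.coraza.action)] %r"
    default_backend app

# Upstream application (constructed placeholder address).
backend app
    server app1 127.0.0.1:8080

# The coraza-spoa agent; port 9000 is the one the reporter says it listens on.
backend coraza-spoa
    mode tcp
    server spoa1 127.0.0.1:9000
```

The check to make is simple: with this in place, a request such as the `curl` above must return `403 Forbidden` from HAProxy, and the access log must show `coraza_action=deny` on the same line. If the log shows `deny` but the status is still `200`, the `http-request deny` rule is missing or is evaluated before the `send-spoe-group` line; if it shows `allow` while coraza logs "Access denied", check `SecRuleEngine` as fsou suggests. Enforcing on the response side would need a matching response message group and an `http-response deny` rule, which this example omits.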
