Requests that cause 301 redirects do not write a location response header when IP is not found within the cache #8
Description
Repro steps
- Ensure mod_crowdsec and rewrite mods are enabled
- Have a redirect rule within apache's config (e.g.
Redirect /test /) - Start up apache
- Send an HTTP request to the path where the redirect is located (e.g.
http://127.0.0.1/test)
Note that this issue is not present when another page that gives back a response of 200 is requested first, then the redirect request due to the cache containing the crowdsec decision for the IP. Restarting apache wipes the cache and it can be observed the problem reoccurs if the first request right after is to a redirect URL.
Expected behavior
A 301 response is received with a Location header for browsers to redirect to.
Actual behavior
A 301 response is received, but no Location header is present.
The Problem
The problem stems from line 384 where the main request investigation status code check on the main request is made. Since the request results in a 3xx status response, it fails this check and propagates upward without checking crowdsec.
cs-apache2-bouncer/mod_crowdsec.c
Lines 381 to 389 in 27dfea4
Possible Solutions
- Allow redirect status codes (and also 1xx and 2xx status codes) to proxy a decision check to the LAPI.
- If the main request investigation status code returns a 3xx status code, exit out, but also propagate the
Locationheader to the main requestr. - Allow all requests, regardless of the investigation status code, to send a decision check to the LAPI.
I think 1 and 2 are both viable, but between the two, I'm wondering if serving a redirection page to banned IPs is necessary.