Exclude coraza from scanning HTTP POST requests involving multipart content type data

[Barnoux]

Hello,

I'm currently utilizing Coraza with Caddy!

Within an application protected by coraza, there's an API designated for file uploads. However, the WAF (Web Application Firewall) is significantly impacting this service. For information, file uploads are limited to a maximum size of 500MB.

Conducting benchmarks using 92MB files revealed a considerable increase in response time from caddy, extending up to approximately 2 minutes. This delay has prompted me to question the necessity of employing a WAF for scanning POST requests involving multipart content type data for file uploads, especially considering the performance issues encountered.

Hence, my query arises: How can I exclude Coraza from scanning this specific type of request? Should this exclusion be implemented within the Caddyfile configuration or within the Coraza configuration?

Regards,

BBA

[jcchavezs]

How does you config look like? Cc @M4tteoP

[M4tteoP]

Hi, I'm thinking about something like SecRule REQUEST_HEADERS:Content-Type "^multipart/form-data" "id:'1000',phase:1,t:none,t:lowercase,pass,nolog, ctl:requestBodyAccess=off", added after include /ruleset/coraza.conf. But it would be very permissive not analyzing the body of any multipart/form-data, not just the ones uploading a file.
I also think (not checked) we can rely on Content-Disposition because it is sent as part of the body 🤔

If you can take for granted that the specific endpoint is only receiving uploaded files a chained rule concatenating REQUEST_URI check and REQUEST_HEADERS:Content-Type might do the work.

[jptosso]

What about disabling request body access just for the file upload UrL and POST method?

[Barnoux]

Thank you both for your help, i make it work with this rule 🥇
it's blazingly fast now ^^

SecRule REQUEST_METHOD "^POST$" "chain, phase:1, t:none, \
    ctl:requestBodyAccess=Off, \
    log, \
    id:1007, \
    rev:1, \
    msg:'file uploads will not be buffered and processed by Coraza on /api/sends/*'"
    SecRule REQUEST_URI "@beginsWith /api/sends/" \
        "t:none, \
        chain"
    SecRule REQUEST_HEADERS:Content-Type "^multipart/form-data" "t:lowercase"

I don't know if it can help with testing, but when the rule is triggered, we observe the same number of chained rules as the number of duplicated messages., i know this is a known issue in #849

{
    "level": "error",
    "ts": 1700835557.5667484,
    "logger": "http.handlers.waf",
    "msg": "[client \"192.168.1.1\"] Coraza: Warning. file uploads will not be buffered and processed by Coraza on /api/sends/* [file \"/ruleset/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf\"] [line \"1189\"] [id \"1007\"] [rev \"1\"] [msg \"file uploads will not be buffered and processed by Coraza on /api/sends/*\"] [data \"\"] [severity \"emergency\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [hostname \"\"] [uri \"/api/sends/46146c67-cdd9-48d3-936b-1f71d6fc305c/file/d54fe0859049660aa386e2d3aef67d7e9b8d6d2c9b1b71d233cec58d50a1cc9a\"] [unique_id \"WuplkQQbsDGTJXYb\"]
            [client \"192.168.1.1\"] Coraza: Warning. file uploads will not be buffered and processed by Coraza on /api/sends/* [file \"/ruleset/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf\"] [line \"1189\"] [id \"1007\"] [rev \"1\"] [msg \"\"] [data \"\"] [severity \"emergency\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [hostname \"\"] [uri \"/api/sends/46146c67-cdd9-48d3-936b-1f71d6fc305c/file/d54fe0859049660aa386e2d3aef67d7e9b8d6d2c9b1b71d233cec58d50a1cc9a\"] [unique_id \"WuplkQQbsDGTJXYb\"]
            [client \"192.168.1.1\"] Coraza: Warning. file uploads will not be buffered and processed by Coraza on /api/sends/* [file \"/ruleset/coreruleset/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf\"] [line \"1189\"] [id \"1007\"] [rev \"1\"] [msg \"\"] [data \"\"] [severity \"emergency\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [hostname \"\"] [uri \"/api/sends/46146c67-cdd9-48d3-936b-1f71d6fc305c/file/d54fe0859049660aa386e2d3aef67d7e9b8d6d2c9b1b71d233cec58d50a1cc9a\"] [unique_id \"WuplkQQbsDGTJXYb\"]\n"
}

[M4tteoP]

Hi @Barnoux,
Mind that the ctl actions are part of the no-disruptive actions. Because of that , in a chained rule, these actions are executed whenever the individual rule of the action is reached and matched, not when the whole rule chain is matched.
I would refactor your rule as something like this:

SecRule REQUEST_METHOD "@streq POST" \
    "id:1007,\
    phase:1,\
    pass,\
    log,\
    t:none,\
    msg:'file uploads will not be buffered and processed by Coraza on /api/sends/*',\
    rev:'1',\
    chain"
    SecRule REQUEST_URI "@beginsWith /api/sends/" \
        "t:none,chain"
        SecRule REQUEST_HEADERS:Content-Type "^multipart/form-data" \
            "t:lowercase, ctl:requestBodyAccess=Off"

• In REQUEST_METHOD you are strictly looking for POST, @streq should be enough without having to rely on regexes
• ctl:requestBodyAccess has been moved to the latest rule of the chain, therefore you are going to disable the request body access only if all the previous rules matched.

I don't know if it can help with testing, but when the rule is triggered, we observe the same number of chained rules as the number of duplicated messages., I know this is a known issue in #849

Could you point us to the Coraza-caddy version you are using? I tried with master and the latest release that has been tagged but I'm not able to reproduce this duplicated messages error 🤔

[Barnoux]

Hi @M4tteoP :)
I'm using this version :
xcaddy build --with github.com/corazawaf/coraza-caddy