
Incompatible with Range header #25

Open
aliask opened this issue Dec 23, 2024 · 1 comment

Comments


aliask commented Dec 23, 2024

Problem

I've run into an issue while using this middleware to protect a Jellyfin instance.

Requests to the /Videos/:media_id/stream.mp4 endpoint use the Range HTTP header to request chunks of video data piece-by-piece.

Initially, with Range: bytes=0-, the request is checked correctly and the WAF functions as expected.

However, when a request containing an offset (e.g. mid-way through a video) is relayed to the WAF container, Apache will respond with 416 Requested Range Not Satisfiable if the offset is larger than the whoami response.

The 4XX error is then returned directly to the client and the stream breaks.

Steps to reproduce

  • Traefik: traefik:v3.2
  • Plugin: github.com/acouvreur/traefik-modsecurity-plugin:v1.3.0
  • ModSecurity: owasp/modsecurity-crs:4.9.0-apache-202412120712
  • Backend: containous/whoami:latest

$ docker run --network traefik_proxy curlimages/curl -vs http://waf:8080/test -H 'Range: bytes=10240-'
*   Trying 192.168.128.24:8080...
* Connected to waf (192.168.128.24) port 8080
> GET /test HTTP/1.1
> Host: waf:8080
> User-Agent: curl/8.4.0
> Accept: */*
> Range: bytes=10240-
> 
< HTTP/1.1 416 Requested Range Not Satisfiable
< Date: Mon, 23 Dec 2024 09:45:25 GMT
< Server: Apache
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
< 
[... cut ...]

Notes

As a hack to get it working, I've added the following section to my RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf config file:

# Remove Range header because it doesn't work with `whoami`
RequestHeader unset Range

This strips the header after it has been processed by ModSecurity, but before it gets sent to whoami, so you still get the protection of the WAF:

$ docker run --network traefik_proxy curlimages/curl -Is http://waf:8080/test -H 'Range: ../etc/passwd'
HTTP/1.1 403 Forbidden

... without the broken behaviour:

$ docker run --network traefik_proxy curlimages/curl -Is http://waf:8080/test -H 'Range: bytes=10240-'
HTTP/1.1 200 OK
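A small model of the origin-side Range handling that the issue above runs into, added here as an example (not code from the issue, the plugin or Jellyfin). It implements the RFC 7233 byte-range decision for a single range against a constructed whoami-sized body, and a helper that mirrors the `RequestHeader unset Range` workaround by forwarding with or without the header; the ModSecurity/CRS inspection itself is not modelled.

```python
import re
from typing import Optional, Tuple

# Constructed sample body, roughly the size of a whoami response.
SAMPLE_BODY = b"Hostname: whoami\nIP: 192.168.128.24\nRemoteAddr: 192.168.128.1\n"

# Single byte-range-spec: "bytes=first-last", either bound may be omitted.
_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def parse_byte_range(header: str) -> Optional[Tuple[Optional[int], Optional[int]]]:
    """Return (first, last) for a well-formed single byte range, or None when
    the value is not one (e.g. 'Range: ../etc/passwd' or 'bytes=-')."""
    m = _RANGE_RE.match(header.strip())
    if not m or (m.group(1) == "" and m.group(2) == ""):
        return None
    first = int(m.group(1)) if m.group(1) else None
    last = int(m.group(2)) if m.group(2) else None
    return first, last


def range_response(header: Optional[str], body: bytes) -> Tuple[int, bytes]:
    """Model an origin server's answer to one Range header (RFC 7233):
    200 + full body when there is no usable Range, 206 + slice when it is
    satisfiable, 416 + empty body when first-byte-pos is past the end."""
    length = len(body)
    if header is None:
        return 200, body
    spec = parse_byte_range(header)
    if spec is None:
        # Unparseable value: ignore the header, as RFC 7233 permits.
        return 200, body
    first, last = spec
    if first is None:
        # Suffix range "bytes=-N": the last N bytes.
        return 206, body[max(0, length - last):]
    if first >= length:
        # A small body plus a large offset (bytes=10240- on whoami) lands here.
        return 416, b""
    end = length if last is None else min(last + 1, length)
    return 206, body[first:end]


def forward_to_backend(header: Optional[str], body: bytes, strip_range: bool) -> Tuple[int, bytes]:
    """Mirror the workaround: after inspection, forward the request with the
    Range header kept (strip_range=False) or removed (strip_range=True)."""
    return range_response(None if strip_range else header, body)
```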

aliask commented Dec 23, 2024

Switching the backend container to traefik/whoami fixes this issue, as it appears to ignore the Range header entirely.
