AppSec creates 403s in HAProxy for vpatch rules, but not for crs-inbound rules

[rhclayto]

I've followed the QuickStart at https://docs.crowdsec.net/docs/next/appsec/quickstart/haproxy_spoa/ . The crowdsec-spoa-bouncer is running, it is in communication with HAProxy, the CrowdSec LAPI, & the AppSec component. When I do the test from the QuickStart, curl -i http://<your-haproxy-url>/.env, HAProxy returns a 403 as exepcted.

Then I set up the AppSec CRS In-band (Blocking Mode) as described at https://docs.crowdsec.net/docs/next/appsec/advanced_deployments/#crs-in-band-blocking-mode . When I do a query such as curl -v "http://<your-haproxy-url>/?file=../../../etc/passwd", it creates an alert in CrowdSec & indeed a decision (my IP was added to the various bouncers as well). But HAProxy does not issue a 403, it lets the request pass through.

Can someone show me what I'm doing wrong?

appsec.yaml:

appsec_configs:
  - crowdsecurity/appsec-default # Virtual patching rules (in-band blocking).
  - crowdsecurity/crs-inband # OWASP CRS rules (in-band blocking).
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
name: watcherAppSecComponent
#log_level: debug # Holy moly.

crowdsec-spoa-bouncer.yaml:

log_media: stdout
log_level: debug
log_dir: /dev/null/
update_frequency: 10s
api_url: http://127.0.0.1:8088/
api_key: blahblahblah
insecure_skip_verify: false
listen_tcp: 172.16.10.107:7423
prometheus:
  enabled: true
  listen_addr: 127.0.0.1
  listen_port: 60601
appsec_url: http://127.0.0.1:7422
appsec_timeout: 200ms
hosts:
  - host: "*"
    appsec:
      always_send: false

haproxy.cfg (selected):

global
  tune.bufsize 65536
  lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
  lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
  setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
  setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html

frontend https-example-com
  unique-id-format %[uuid()]
  unique-id-header X-Unique-ID
  filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
  acl body_within_limit req.body_size -m int le 51200
  http-request send-spoe-group crowdsec crowdsec-http-body if body_within_limit || !{ req.body_size -m found }
  http-request send-spoe-group crowdsec crowdsec-http-no-body if !body_within_limit { req.body_size -m found }
  http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
  http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
  http-request redirect code 302 location %[url] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
  http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
  http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
  http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
  http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }

crowdsec.cfg:

[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-tcp
    groups      crowdsec-http-body crowdsec-http-no-body
    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           200ms
    timeout     idle            55s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global
spoe-message crowdsec-tcp
    args id=unique-id src-ip=src src-port=src_port
    event on-client-session
spoe-message crowdsec-http-body
    args remediation=var(txn.crowdsec.remediation) id=unique-id method=method path=path query=query version=req.ver headers=req.hdrs body=req.body url=url ssl=ssl_fc src-ip=src src-port=src_port
spoe-message crowdsec-http-no-body
    args remediation=var(txn.crowdsec.remediation) id=unique-id method=method path=path query=query version=req.ver headers=req.hdrs url=url ssl=ssl_fc src-ip=src src-port=src_port
spoe-group crowdsec-http-body
    messages    crowdsec-http-body
spoe-group crowdsec-http-no-body
    messages    crowdsec-http-no-body

[github-actions]

@rhclayto: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Documentation to see if your issue can be self resolved.
2. You can also join our Discord

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[github-actions]

@rhclayto: There are no 'kind' label on this issue. You need a 'kind' label to start the triage process.

• /kind feature
• /kind enhancement
• /kind bug
• /kind packaging

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[rhclayto]

Actually I don't think any blocks are being issued by this bouncer. The 403s came from Nginx behind Haproxy. access forbidden by rule. How can I make this block requests?

[rhclayto]

Well now I have blocks occurring (when I added my IP with cscli decisions add. But even when I delete the decision, I am still blocked. Message in the debug logs (or crowdsec-spoa-bouncer) says matched host from cache. Where is this cache & how does one clear it, & configure it? I've restarted CrowdSec, this bouncer, & HAProxy.

[LaurenceJJones]

So the spoa doesnt care about what rules are loaded but there could be either two problems that could be occurring:

• Timeout hit from SPOA processing
• Timeout hit from AppSec processing on spoa side

do you see any flags from the spoa haproxy calls to indicate a timeout or within crowdsec-spoa logs?

[rhclayto]

This problem 'went away' & I began to have this other problem: #152