Argument 'src-port' not found for IPv6 #107

Open · choffmeister opened this issue Jul 23, 2024 · 5 comments
Comments

@choffmeister
Hello,

Today I noticed that our web application is getting slow after we added AAAA DNS headers. It turned out that requests via IPv6 had coraza failing. The problem is that for IPv6 traffic there is no src-port given, and coraza fails with

time="2024-07-23T14:02:47Z" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"

I have prepared a minimal test-case with docker compose here. The configuration is pretty much exactly what is described in the README.md.

# haproxy.cfg
global
    log stdout format raw local0
    
defaults
    log global
    mode http
    log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ coraza-error:%[var(txn.coraza.error)]\ coraza-action:%[var(txn.coraza.action)]"
    retries 3
    maxconn 1000
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    
frontend frontend
    bind :::80 v4v6
    mode http
    filter spoe engine coraza config /usr/local/etc/haproxy/coraza.cfg
    http-request return status 200 content-type "text/plain" lf-string "ok" 

backend coraza
    mode tcp
    server coraza coraza:9000

# coraza.cfg
[coraza]
spoe-agent coraza-agent
    messages coraza-req
    #messages coraza-res
    option var-prefix coraza
    option set-on-error error
    timeout hello 2s
    timeout idle 2m
    timeout processing 500ms
    use-backend coraza
    log global

spoe-message coraza-req
    args app=fe_name id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
    event on-frontend-http-request

spoe-message coraza-res
    args app=fe_name id=unique-id version=res.ver status=status headers=res.hdrs body=res.body
    event on-http-response

Currently it is unclear to me, if this a problem of this repository or with HAproxy itself.
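As an added example, not code from coraza-spoa, HAProxy or the reporter of this issue: a Go routine that decodes the SPOE arguments named in the haproxy.cfg above, treating src-port as optional so that a message without it (the IPv6 case reported here) is still parsed, while a src-port that is present but malformed is still rejected. It also renders the client endpoint with net.JoinHostPort so an IPv6 literal is bracketed rather than logged as an ambiguous "::1:38698". The RequestInfo type, the error values, the accepted argument types and the sample messages are this example's own assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strconv"
)

// RequestInfo holds the SPOE arguments this example consumes. The argument
// names (src-ip, src-port, method, path) come from the haproxy.cfg in the
// issue; the struct itself is this example's own, not a coraza-spoa type.
type RequestInfo struct {
	SrcIP   netip.Addr
	SrcPort uint16 // 0 when HAProxy sent no src-port argument
	Method  string
	Path    string
}

var (
	ErrMissingArg = errors.New("required SPOE argument missing")
	ErrBadArg     = errors.New("SPOE argument has unexpected type or value")
)

// ParseRequestArgs converts a decoded SPOE argument map into RequestInfo.
// src-ip, method and path are required; src-port is optional, so a message
// without it is inspected instead of failing the whole notify.
func ParseRequestArgs(args map[string]any) (RequestInfo, error) {
	var ri RequestInfo
	var err error
	if ri.SrcIP, err = requiredAddr(args, "src-ip"); err != nil {
		return RequestInfo{}, err
	}
	if ri.Method, err = requiredString(args, "method"); err != nil {
		return RequestInfo{}, err
	}
	if ri.Path, err = requiredString(args, "path"); err != nil {
		return RequestInfo{}, err
	}
	if ri.SrcPort, err = optionalPort(args, "src-port"); err != nil {
		return RequestInfo{}, err
	}
	return ri, nil
}

// ClientAddr renders the endpoint unambiguously: an IPv6 literal is
// bracketed ("[2001:db8::1]:443"), unlike a plain host:port log column.
func (ri RequestInfo) ClientAddr() string {
	return net.JoinHostPort(ri.SrcIP.String(), strconv.Itoa(int(ri.SrcPort)))
}

func requiredString(args map[string]any, name string) (string, error) {
	v, present := args[name]
	if !present {
		return "", fmt.Errorf("%w: %s", ErrMissingArg, name)
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("%w: %s is %T", ErrBadArg, name, v)
	}
	return s, nil
}

// requiredAddr accepts the address as net.IP (assumed to be what an SPOE
// decoder yields for the `src` sample) or as a textual literal.
func requiredAddr(args map[string]any, name string) (netip.Addr, error) {
	v, present := args[name]
	if !present {
		return netip.Addr{}, fmt.Errorf("%w: %s", ErrMissingArg, name)
	}
	var addr netip.Addr
	switch ip := v.(type) {
	case net.IP:
		a, ok := netip.AddrFromSlice(ip)
		if !ok {
			return netip.Addr{}, fmt.Errorf("%w: %s has %d bytes", ErrBadArg, name, len(ip))
		}
		addr = a
	case string:
		a, err := netip.ParseAddr(ip)
		if err != nil {
			return netip.Addr{}, fmt.Errorf("%w: %s: %v", ErrBadArg, name, err)
		}
		addr = a
	default:
		return netip.Addr{}, fmt.Errorf("%w: %s is %T", ErrBadArg, name, v)
	}
	return addr.Unmap(), nil // normalise ::ffff:a.b.c.d to a.b.c.d
}

// optionalPort returns 0 when the argument is absent but still rejects a
// value that is present and malformed: "not sent" and "sent but broken"
// are different conditions, and only the first is safe to tolerate.
func optionalPort(args map[string]any, name string) (uint16, error) {
	v, present := args[name]
	if !present {
		return 0, nil
	}
	var n int64
	switch p := v.(type) {
	case int:
		n = int64(p)
	case int64:
		n = p
	default:
		return 0, fmt.Errorf("%w: %s is %T", ErrBadArg, name, v)
	}
	if n < 0 || n > 65535 {
		return 0, fmt.Errorf("%w: %s=%d out of range", ErrBadArg, name, n)
	}
	return uint16(n), nil
}

func main() {
	// Constructed sample messages: IPv4 with src-port, IPv6 without it.
	for _, args := range []map[string]any{
		{"src-ip": net.ParseIP("203.0.113.5"), "src-port": 51234, "method": "GET", "path": "/"},
		{"src-ip": "2001:db8::1", "method": "GET", "path": "/get"},
	} {
		if ri, err := ParseRequestArgs(args); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println(ri.ClientAddr(), ri.Method, ri.Path)
		}
	}
}
```

The distinction between an absent argument and a malformed one is the point: a WAF agent that reports a decode error for every IPv6 request either drops those requests or, depending on how txn.coraza.error is acted on in HAProxy, lets them through uninspected, and neither is what the operator configured.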

@foxcaput

Hello,

I attempted troubleshooting, and it appears that the issue is specific to IPv6 compatibility. To mitigate this, I separated IPv4 and IPv6 onto distinct frontends and disabled Coraza on the IPv6 frontend. However, this approach is a temporary workaround rather than a true solution, as it merely masks the underlying issue rather than resolving it.

Is there someone from the development team available to investigate this issue further?
And the problem is not in HAProxy; the problem is in coraza spoa.

@fionera
Contributor

fionera commented Nov 26, 2024

Is this still an issue?

@foxcaput

foxcaput commented Nov 26, 2024

Is this still an issue?

yes, it is.
Had to separate ipv6 frontends and ipv4 frontends to prevent IPv6 traffic going through coraza backend.

Here are some logs that coraza throws

Nov 26 16:16:28 coraza-spoa[435980]: time="2024-11-26T16:16:28+02:00" level=error msg="spoe error during notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:33 coraza-spoa[435980]: time="2024-11-26T16:16:33+02:00" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:35 coraza-spoa[435980]: time="2024-11-26T16:16:35+02:00" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:36 coraza-spoa[435980]: time="2024-11-26T16:16:36+02:00" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:36 coraza-spoa[435980]: time="2024-11-26T16:16:36+02:00" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:36 coraza-spoa[435980]: time="2024-11-26T16:16:36+02:00" level=error msg="spoe error during first notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:37 coraza-spoa[435980]: time="2024-11-26T16:16:37+02:00" level=error msg="spoe error during notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:37 coraza-spoa[435980]: time="2024-11-26T16:16:37+02:00" level=error msg="spoe error during notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:37 coraza-spoa[435980]: time="2024-11-26T16:16:37+02:00" level=error msg="spoe error during notify handle: handle notify: Argument 'src-port' not found"
Nov 26 16:16:38 coraza-spoa[435980]: time="2024-11-26T16:16:38+02:00" level=error msg="spoe error during notify handle: handle notify: Argument 'src-port' not found"

@fionera
Contributor

fionera commented Nov 26, 2024

Are you using the rewrite or previous version? I just tried and cannot reproduce it.
Inside the haproxy container from example docker-compose:
wget "http://[::]:80/get"

Log output:

httpbin-1      | time=2024-11-26T15:43:05.017Z level=INFO msg="200 GET /get 0.6ms" status=200 method=GET uri=/get size_bytes=232 duration_ms=0.629395 user_agent=Wget client_ip=192.168.97.4:35030
haproxy-1      | SPOE: [coraza-agent] <EVENT:on-frontend-http-request> sid=2 st=0 0/2/2/0/5 2/2 0/0 0/2
haproxy-1      | ::1:38698 [26/Nov/2024:15:43:05.009] default httpbin_backend/backend 0/0/5/5/0/0/3/8 200 423 - - ---- 1/1/0/0/0 0/0 "GET /get HTTP/1.1" VPUHWDVTXLEUJEYW spoa-error: - waf-hit: -
coraza-spoa-1  | 3:43PM WRN [client "::1"] Coraza: Warning. Host header is a numeric IP address [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1809"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "[::]:80"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "::1"] [uri "/get"] [unique_id "VPUHWDVTXLEUJEYW"]

@foxcaput

Indeed updating coraza solved the issue.
Also I wanted to point out that in order to run coraza as a service I had to modify the service file:
Delete these two rows
SystemCallFilter=@system-service -@setuid -@ipc -@mount
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

and change this
AmbientCapabilities=CAP_IPC_LOCK

And also in line 48 there is a typo:
InaccessiblePaths is written incorrectly.

But in total, thank you and really hope this repo will go stable at some point.
