Since I upgraded Traefik to v3 in Docker, every route that is protected with the traefik-modsecurity-plugin middleware returns a 502 error in my browser. If I remove the middleware from (in this example) authentik, it works perfectly.
Has anyone encountered the same issue and fixed it?
File docker-compose.yml
```yaml
services:
  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      # mounted relevant files
    restart: always
  modsecurity:
    image: owasp/modsecurity-crs:apache
    container_name: modsecurity
    restart: unless-stopped
    environment:
      BACKEND: http://whoami
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
```
File dynamic-configuration.yml
```yaml
http:
  middlewares:
    modsecurity:
      plugin:
        modsecurity:
          modSecurityUrl: http://modsecurity:80
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000"
  routers:
    authentik:
      rule: Host(`authentik.domain.tld`)
      entrypoints: "websecure"
      tls:
        certresolver: "lets-encrypt"
        domains:
          - main: "authentik.domain.tld"
      middlewares:
        - modsecurity@file
      service: "authentik"
```
File traefik.yml
```yaml
# ...
experimental:
  plugins:
    modsecurity:
      moduleName: "github.com/acouvreur/traefik-modsecurity-plugin"
      version: "v1.3.0"
```
What does the Traefik debug log tell you (doc)?
Why do you set this?
RUFmord:
BACKEND: http://whoami
The debug log does not expand if I call the site authentik.domain.tld. But here are some relevant lines:
```text
2024-05-08T11:45:39Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: modsecurity: github.com/acouvreur/traefik-modsecurity-plugin@v1.3.0
2024-05-08T11:45:39Z DBG github.com/hashicorp/go-retryablehttp@v0.7.5/client.go:612 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/acouvreur/traefik-modsecurity-plugin/v1.3.0
2024-05-08T11:45:39Z DBG github.com/hashicorp/go-retryablehttp@v0.7.5/client.go:612 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/acouvreur/traefik-modsecurity-plugin/v1.3.0
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=modsecurity@file routerName=authentik@file
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for authentik.domain.tld with TLS options default entryPointName=websecure
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["authentik.domain.tld"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["authentik.domain.tld"] providerName=lets-encrypt.acme
```
This does not look like an error to me. It should be normal behaviour.
I set the BACKEND because this docker compose file of the plugin's repo contains this variable. No other reason.
I am also having problems using the new versions of ModSecurity and Traefik 3. From what I have investigated, it is because of OCSP (I think) and an update of owasp/modsecurity-crs. For now, I am using owasp/modsecurity-crs:4-apache-202404070904, and in that version it works.
I don't really know who to report this bug to, as it relates to Traefik, ModSecurity and the Core Rule Set.
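To make it easier to see where a 502 can come from in this setup, here is a small Go reimplementation of the forward-to-WAF pattern the plugin uses. It is an added example, not code from the traefik-modsecurity-plugin, Traefik or the OWASP CRS project. It assumes (from my reading of the plugin, so treat it as an assumption) that each request is first sent to modSecurityUrl, that a connection error to that URL yields a 502, that any WAF response with status 400 or above is relayed to the client unchanged, and that only then is the request passed on to the real service. The WAF and backend servers are constructed httptest stand-ins for owasp/modsecurity-crs and authentik, not the real containers.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// wafMiddleware mirrors the assumed plugin behaviour: ask the WAF first, then the service.
type wafMiddleware struct {
	wafURL string
	client *http.Client
	next   http.Handler
}

func newWAFMiddleware(wafURL string, next http.Handler) *wafMiddleware {
	return &wafMiddleware{wafURL: strings.TrimRight(wafURL, "/"), client: &http.Client{}, next: next}
}

func (m *wafMiddleware) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	body, err := io.ReadAll(req.Body)
	if err != nil {
		http.Error(rw, "", http.StatusBadRequest)
		return
	}
	// Restore the body so the protected service still receives it after the WAF check.
	req.Body = io.NopCloser(bytes.NewReader(body))

	wafReq, err := http.NewRequest(req.Method, m.wafURL+req.URL.RequestURI(), bytes.NewReader(body))
	if err != nil {
		http.Error(rw, "", http.StatusBadGateway)
		return
	}
	wafReq.Header = req.Header.Clone()

	resp, err := m.client.Do(wafReq)
	if err != nil {
		// WAF unreachable (DNS, refused connection, timeout): fail closed with 502
		// rather than letting the request bypass inspection.
		http.Error(rw, "", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()

	if resp.StatusCode >= 400 {
		// The WAF rejected the request (403 from CRS) or failed itself (for example 502
		// from Apache mod_proxy when its own BACKEND is down); relay it verbatim.
		for k, vs := range resp.Header {
			for _, v := range vs {
				rw.Header().Add(k, v)
			}
		}
		rw.WriteHeader(resp.StatusCode)
		_, _ = io.Copy(rw, resp.Body)
		return
	}
	m.next.ServeHTTP(rw, req)
}

// probe sends one GET through a handler and returns the status the client would see.
func probe(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

// RunScenarios returns the client-visible status for four constructed situations.
func RunScenarios() map[string]int {
	service := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello from the protected service")
	})

	// Constructed stand-in for a healthy owasp/modsecurity-crs: 403 on an obvious payload.
	healthyWAF := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.URL.Query().Get("q"), "<script>") {
			w.WriteHeader(http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer healthyWAF.Close()

	// Constructed stand-in for a WAF whose own upstream is unreachable: Apache answers 502.
	brokenWAF := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "Proxy Error", http.StatusBadGateway)
	}))
	defer brokenWAF.Close()

	// A WAF that is not listening at all: closed before use, so connections are refused.
	deadWAF := httptest.NewServer(http.NotFoundHandler())
	deadWAF.Close()

	return map[string]int{
		"clean":           probe(newWAFMiddleware(healthyWAF.URL, service), "/?q=hello"),
		"blocked":         probe(newWAFMiddleware(healthyWAF.URL, service), "/?q=%3Cscript%3E"),
		"waf_returns_502": probe(newWAFMiddleware(brokenWAF.URL, service), "/"),
		"waf_unreachable": probe(newWAFMiddleware(deadWAF.URL, service), "/"),
	}
}

func main() {
	for name, code := range RunScenarios() {
		fmt.Printf("%-16s -> %d\n", name, code)
	}
}
```

Two of the four scenarios end in a 502 for different reasons: either the middleware cannot connect to the WAF container at all, or the WAF container is reachable but itself answers 502, which is what Apache mod_proxy in the owasp/modsecurity-crs image does when the BACKEND it proxies to cannot be reached. The browser shows the same status either way, so the Apache error log of the modsecurity container, and what a request to http://modsecurity:80 from another container on the same Docker network returns, are what tell the two cases apart before anything gets reported against the plugin.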
system (October 22, 2024, 11:40am): This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.