502 error if activated modsecurity Plugin on v3

Since I upgraded Traefik to v3 in Docker, every route that is protected with the traefik-modsecurity-plugin middleware returns a 502 error in my browser. If I remove the middleware from (in this example) authentik, it works perfectly.
Has anyone encountered the same issue and fixed it?
File docker-compose.yml

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    ports:
      - 80:80
      - 443:443
    volumes:
      # mounted relevant files
    restart: always
  modsecurity:
    image: owasp/modsecurity-crs:apache
    container_name: modsecurity
    restart: unless-stopped
    environment:
      BACKEND: http://whoami
  whoami:
    image: traefik/whoami
    container_name: whoami
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true

File dynamic-configuration.yml

http:
  middlewares:
    modsecurity:
      plugin:
        modsecurity:
          modSecurityUrl: http://modsecurity:80
  services:
    authentik:
      loadBalancer:
        servers:
          - url: "http://authentik-server:9000"
  routers:
    authentik:
      rule: Host(`authentik.domain.tld`)
      entrypoints: "websecure"
      tls:
        certresolver: "lets-encrypt"
        domains:
          - main: "authentik.domain.tld"
      middlewares:
        - modsecurity@file
      service: "authentik"

File traefik.yml

# ...
experimental:
  plugins:
    modsecurity:
      moduleName: "github.com/acouvreur/traefik-modsecurity-plugin"
      version: "v1.3.0"

What does the Traefik debug log tell you (doc)?

Why do you set this?

The debug log does not expand if I call the site authentik.domain.tld. But here are some relevant lines:

2024-05-08T11:45:39Z DBG github.com/traefik/traefik/v3/pkg/plugins/plugins.go:30 > Loading of plugin: modsecurity: github.com/acouvreur/traefik-modsecurity-plugin@v1.3.0
2024-05-08T11:45:39Z DBG github.com/hashicorp/go-retryablehttp@v0.7.5/client.go:612 > Performing request method=GET url=https://plugins.traefik.io/public/download/github.com/acouvreur/traefik-modsecurity-plugin/v1.3.0
2024-05-08T11:45:39Z DBG github.com/hashicorp/go-retryablehttp@v0.7.5/client.go:612 > Performing request method=GET url=https://plugins.traefik.io/public/validate/github.com/acouvreur/traefik-modsecurity-plugin/v1.3.0
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/middlewares/observability/middleware.go:33 > Adding tracing to middleware entryPointName=websecure middlewareName=modsecurity@file routerName=authentik@file
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:237 > Adding route for authentik.domain.tld with TLS options default entryPointName=websecure
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:851 > Looking for provided certificate(s) to validate ["authentik.domain.tld"]... ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=lets-encrypt.acme
2024-05-08T11:45:40Z DBG github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:895 > No ACME certificate generation required for domains ACME CA=https://acme-v02.api.letsencrypt.org/directory acmeCA=https://acme-v02.api.letsencrypt.org/directory domains=["authentik.domain.tld"] providerName=lets-encrypt.acme

This does not look like an error to me. Should be normal behaviour.

I set the BACKEND because this docker compose file of the plugins repo contains this variable. No other reason.

I am also having problems using the new versions of mod-security and Traefik 3. From what I have investigated, it is because of OCSP (I think) and an update of owasp/modsecurity-crs. For now, I am using owasp/modsecurity-crs:4-apache-202404070904 and in that version it works.

I don't really know who to report this bug to, as it relates to traefik, mod-security and coreruleset.
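A 502 from the plugin can mean the ModSecurity container was unreachable or answered with an error, which is different from the WAF deliberately blocking (403). The following added diagnostic, which is not code from the thread or from the plugin, sends one request to the `modSecurityUrl` the same way the plugin is assumed to forward traffic (a plain HTTP request with the original `Host` header) and classifies the answer; the bundled stand-in server only simulates a CRS container so the script runs offline, and `probe_waf`/`start_fake_waf` are hypothetical names.

```python
# Added diagnostic, not the plugin's own code: probe the ModSecurity container
# and tell "unreachable/erroring" (surfaces as 502) from "blocked" (403) from
# "passed". Assumes the plugin forwards a plain HTTP request to modSecurityUrl.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def probe_waf(modsecurity_url: str, path: str = "/", timeout: float = 3.0) -> str:
    """Send one GET to the ModSecurity container and classify the outcome."""
    u = urlparse(modsecurity_url)
    try:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": "authentik.domain.tld"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
    except OSError as exc:  # refused / timed out: the plugin would answer 502
        return f"unreachable: {exc.__class__.__name__}"
    if resp.status == 403:
        return "blocked"  # CRS rejected the request: this is the WAF working
    if 200 <= resp.status < 400:
        return "passed"  # CRS let it through to the BACKEND (whoami)
    return f"waf-error: {resp.status}"  # 5xx from the CRS container also ends as 502


class _FakeWAF(BaseHTTPRequestHandler):
    """Constructed stand-in for owasp/modsecurity-crs: 403 when the query holds '<'."""

    def do_GET(self):
        self.send_response(403 if "<" in self.path else 200)
        self.end_headers()

    def log_message(self, *_):  # keep the stand-in quiet
        pass


def start_fake_waf() -> str:
    """Start the stand-in on an ephemeral localhost port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeWAF)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    base = start_fake_waf()
    print(probe_waf(base, "/"))            # passed
    print(probe_waf(base, "/?q=<b>"))      # blocked
    print(probe_waf("http://127.0.0.1:9")) # nothing listens: unreachable
```

Against the real setup, run it from a container on the same Docker network with `probe_waf("http://modsecurity:80")`; an `unreachable` or `waf-error` result points at the CRS container or network rather than at the router configuration.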
