Problem with Modsecurity Plugin

Traefik Traefik v2
1

I am on traefik 2.11.3.
I am following the instruction here https://github.com/acouvreur/traefik-modsecurity-plugin/blob/main/docker-compose.yml to add this middleware to my stack.

The latest owasp/modsecurity-crs:apache is having issues, so I use this version:

owasp/modsecurity-crs:4.1.0-apache-202404070904

I can verify modsecurity is running by log into the modesecurity container and do a curl command. For example

curl http://localhost

will return 200

but

curl http://localhost?a=../asdf

returns 403.

However, it is not working from traefik container. I ssh into traefik container, there is something strange:

  1. curl http://waf command does not seem to generate any log in modsecurity container.
  2. curl http://10.0.9.1 will generate log in modsecurity container (waf's ip is 10.0.9.1)
  3. curl http://10.0.9.1?a=../ still returns 200. In the modsecurity log, sees all url params are gone.

Any ideas?

2

How do you curl in Traefik container? I always thought curl is not included in the image.

3

sorry my mistake i think I used wget.

Anyway, local version of this https://github.com/acouvreur/traefik-modsecurity-plugin does not work (tried production and local both not working)

But this works (only fixed to owasp/modsecurity-crs:4.3.0-apache-alpine-202406090906). It does not work if I use any of the latest versions.

https://github.com/madebymode/traefik-modsecurity-plugin?tab=readme-ov-file

4

It’s two user-generated plug-ins. It’s probably best you create an issue on their Github.

1 Like