Unable to remove Server header on Coraza module's response

[to-kr]

I'm currently using Caddy server with the coraza module for web application firewall (WAF) capabilities. I've configured Caddy to remove the Server header using the header directive, but it seems that the Server header persists when the coraza module returns a 403 Forbidden response.

Caddyfile:

{
    http_port 8080
    order coraza_waf first
}

:8080 {
    header {
        -Server
        -Alt-Svc
    }

    handle {
        respond 404
    }
        
    coraza_waf {
        load_owasp_crs
        directives `
            Include /etc/caddy/*.conf
            Include @coraza.conf-recommended
            Include @crs-setup.conf.example
            Include @owasp_crs/*.conf

            SecRuleEngine On
        `
    }
}

Steps to Reproduce:

1. Start Caddy server with the provided Caddyfile configuration.
2. Send a request that triggers a 403 Forbidden response from the coraza module.

curl -v "http://127.0.0.1:8080?id=1;DELETE%20FROM"

3. Check the response headers and observe that the Server header is still present.

Expected Behavior:
The Server header should be removed from the response when the coraza module returns a 403 Forbidden response, as specified in the Caddyfile configuration.

Actual Behavior:
The Server header persists in the response even after configuring Caddy to remove it.

Additional Information:

• Caddy version: 2.7.6
• Coraza module version: v2.0.0-rc.3

[jcchavezs]

Interesting. What happens when you do `SecRuleEngine Off`?

…

On Mon, Apr 8, 2024 at 12:51 PM to-kr ***@***.***> wrote: I'm currently using Caddy server with the coraza module for web application firewall (WAF) capabilities. I've configured Caddy to remove the Server header using the header directive, but it seems that the Server header persists when the coraza module returns a 403 Forbidden response. image.png (view on web) <https://github.com/corazawaf/coraza-caddy/assets/6631729/8ccb2f35-bddb-4ba8-98ac-42bd627d1707> Caddyfile: { http_port 8080 order coraza_waf first } :8080 { header { -Server -Alt-Svc } handle { respond 404 } coraza_waf { load_owasp_crs directives ` Include /etc/caddy/*.conf Include @coraza.conf-recommended Include @crs-setup.conf.example Include @owasp_crs/*.conf SecRuleEngine On ` } } Steps to Reproduce: 1. Start Caddy server with the provided Caddyfile configuration. 2. Send a request that triggers a 403 Forbidden response from the coraza module. curl -v "http://127.0.0.1:8080?id=1;DELETE%20FROM" 3. Check the response headers and observe that the Server header is still present. Expected Behavior: The Server header should be removed from the response when the coraza module returns a 403 Forbidden response, as specified in the Caddyfile configuration. Actual Behavior: The Server header persists in the response even after configuring Caddy to remove it. Additional Information: - Caddy version: 2.7.6 - Coraza module version: v2.0.0-rc.3 — Reply to this email directly, view it on GitHub <#144>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAT3YQISJ7NGMJMJ7WDY4JZDPAVCNFSM6AAAAABF4OUAOKVHI2DSMVQWIX3LMV43ASLTON2WKOZSGIZTAOBXGY3DSMQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[to-kr]

It returns 404 without Server header.

[jcchavezs]

Could it be the case that the middleware that removes server header happens after coraza does its job? cc @mholt

[mholt]

Yeah. order coraza_waf first causes it to be executed before any other directives, which is probably not what you want. If coraza_waf terminates the handler chain (i.e. responds to the request), the header directive won't even be evaluated.

[zdeneksvarc]

We can configure WAF header from handle_errors 403 { … } like this:

{
        admin off
        auto_https off
        order coraza_waf first
}

:80 {
        coraza_waf {
                load_owasp_crs
                directives `
                Include @coraza.conf-recommended
                Include @crs-setup.conf.example
                Include @owasp_crs/*.conf
                SecRuleEngine On
                `
        }

        header {
                -Server
        }

        handle_errors 403 {
               header X-Blocked "true"
               header Server "WAF"
#              header -Server
        }

        reverse_proxy http://whoami:2001
}

Returns:

HTTP/1.1 403 Forbidden
Server: WAF
X-Blocked: true
Date: Mon, 30 Sep 2024 12:42:35 GMT

and

HTTP/1.1 200 OK
Content-Length: 269
Content-Type: text/plain; charset=utf-8
Date: Mon, 30 Sep 2024 12:42:36 GMT

[to-kr]

Thank You. It works.

[jcchavezs]

Can we close this?

…

On Wed, Oct 2, 2024 at 2:34 PM to-kr ***@***.***> wrote: Thank You. It works. — Reply to this email directly, view it on GitHub <#144 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAQCAGXPG7ERHAGODETZZPR33AVCNFSM6AAAAABF4OUAOKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGOBYGUZTANBTGM> . You are receiving this because you commented.Message ID: ***@***.***>

[to-kr]

Yes, handle_errors solves the problem