MODULES-10647

puppetlabs-apache : apache::mod::security does not support HTTP/2.0

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: apache
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Basic Info
      Module Version: latest
      Puppet Version: latest
      OS Name/Version: CentOS 7 (does not matter here)

      Desired Behavior: The module supports HTTP 0.9, 1.0 and 1.1 (see https://github.com/puppetlabs/puppetlabs-apache/blob/master/templates/mod/security_crs.conf.erb#L280 tx.allowed_http_versions). The expectation is to support HTTP/2.0 as well (e.g. 'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0').

      Potential solutions:

      • Whitelist HTTP/2.0 like the others
      • Make allowed_http_versions configurable (like allowed_methods)

      Actual Behavior: When using HTTP versions like 1.1 all is ok. When using HTTP 2.0 the following alert occurs:

      ModSecurity: Access denied with code 403 (phase 2). Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "78"] [id "960034"] [rev "2"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/2.0"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"] [hostname "www.example.com"] [uri "/"] [unique_id "XqPYeWaygwz3pGWYd72VVgAAAA8"]
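
Added example, not part of the original report or of puppetlabs-apache: a triage script that counts which protocol versions rule 960034 is rejecting in the Apache error log and checks each one against the proposed allow-list, modelling `@within` as a substring test. The sample log lines, the `HTTP/1.2` value and rule id `000000` are constructed for illustration.

```python
import re
from collections import Counter

POLICY_RULE_ID = "960034"                         # rule id from the alert in the report
CURRENT_ALLOWED = "HTTP/0.9 HTTP/1.0 HTTP/1.1"    # list named in the report
PROPOSED_ALLOWED = CURRENT_ALLOWED + " HTTP/2.0"  # list the report asks for

# Matches ModSecurity's [key "value"] metadata fields in an error-log line.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample: line 1 is the report's alert with fields trimmed; the
# others are made up (rule id 000000 is a placeholder, not a real CRS rule).
SAMPLE_LOG = [
    'ModSecurity: Access denied with code 403 (phase 2). [id "960034"] '
    '[data "HTTP/2.0"] [hostname "www.example.com"] [uri "/"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "960034"] '
    '[data "HTTP/2.0"] [hostname "www.example.com"] [uri "/login"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "960034"] '
    '[data "HTTP/1.2"] [hostname "www.example.com"] [uri "/"]',
    'ModSecurity: Warning. [id "000000"] [data "x"] [hostname "www.example.com"]',
]

def parse_fields(line):
    """Return {key: [values]}; keys such as tag can repeat in one line."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields

def blocked_protocols(lines):
    """Count the REQUEST_PROTOCOL values rejected by the HTTP-version policy rule."""
    counts = Counter()
    for line in lines:
        fields = parse_fields(line)
        if POLICY_RULE_ID in fields.get("id", []):
            counts[fields.get("data", ["<missing>"])[0]] += 1
    return counts

def within(value, allowed):
    """Model of @within: the value must occur inside the allowed-list string."""
    return value in allowed

def triage(lines, proposed=PROPOSED_ALLOWED):
    """Map each blocked protocol to (hits, allowed under the proposed list?)."""
    return {p: (n, within(p, proposed)) for p, n in blocked_protocols(lines).items()}

if __name__ == "__main__":
    for proto, (hits, ok) in triage(SAMPLE_LOG).items():
        print(f"{proto}: {hits} blocked, {'allowed' if ok else 'still blocked'} after change")
```

Protocol strings that stay blocked under the proposed list are the ones to look at before widening the policy further.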

       


            People

            Assignee:
            Unassigned
            Reporter:
            ray.magini Dirk Dietrich