Describe the bug 🐛
There's a CRS rule (920180) which looks for missing Content-Length or Transfer-Encoding on a POST.
I assume the issue is that the Go HTTP client doesn't include a Content-Length / Transfer-Encoding as it's a GET, or something along those lines.
Expected behavior 👀
Content-Length and Transfer-Encoding should be passed to appsec.
Context 🔎
I think this is explained well enough.
Version (please complete the following information):
- OS: Docker (kubernetes)
- Traefik version: 3.6.6
- Plugin version: 1.4.6
- Redis: None
To Reproduce
Enable CRS rules, and cURL something like this:
curl 'https://fqdn/signalr/messages/negotiate?access_token=blah&negotiateVersion=1' \
-X 'POST' \
-H 'Content-Type: text/plain;charset=UTF-8' \
-H 'Accept: */*' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Accept-Language: en-NZ,en-AU;q=0.9,en;q=0.8' \
-H 'Cache-Control: max-age=0' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Origin: https://fqdn' \
-H 'Content-Length: 10' \
-H 'User-Agent: foo' \
-H 'Referer: https://fqdn/' \
-H 'Accept-Encoding: gzip, deflate, br' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Cookie: removed' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Priority: u=3, i' \
-H 'X-SignalR-User-Agent: Microsoft SignalR/6.0 (6.0.21; Unknown OS; Browser; Unknown Runtime Version)'
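The reporter's hypothesis above (that the forwarded copy of the request loses its framing headers) can be checked in Go, the language Traefik plugins are written in. The following is an added example, not code from the plugin or from Traefik: it parses two constructed requests trimmed from the curl command in the report (one with Content-Length, one chunked), then records what Go's HTTP client would actually put on the wire for a naive forward that copies the Header map onto a bodyless GET, versus a forward that sets the request's ContentLength and TransferEncoding fields explicitly. The inspector endpoint URL is hypothetical and nothing is dialled; httputil.DumpRequestOut captures the bytes offline.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"strings"
)

// Constructed incoming requests, trimmed from the curl command in the
// report; only the headers relevant to rule 920180 are kept.
const rawWithLength = "POST /signalr/messages/negotiate?negotiateVersion=1 HTTP/1.1\r\n" +
	"Host: fqdn\r\n" +
	"Content-Type: text/plain;charset=UTF-8\r\n" +
	"X-Requested-With: XMLHttpRequest\r\n" +
	"Content-Length: 10\r\n" +
	"\r\n" +
	"0123456789"

const rawChunked = "POST /signalr/messages/negotiate?negotiateVersion=1 HTTP/1.1\r\n" +
	"Host: fqdn\r\n" +
	"Content-Type: text/plain;charset=UTF-8\r\n" +
	"Transfer-Encoding: chunked\r\n" +
	"\r\n" +
	"a\r\n0123456789\r\n0\r\n\r\n"

// inspectorURL is a hypothetical appsec endpoint; nothing is dialled.
const inspectorURL = "http://appsec.invalid/"

// parseIncoming parses a raw request the way Go's server does.
func parseIncoming(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// framing reports how the body was delimited, taken from the fields the
// parser fills in. The parser strips Transfer-Encoding from r.Header, so
// the Header map alone cannot answer this question.
func framing(r *http.Request) (chunked bool, length int64) {
	for _, te := range r.TransferEncoding {
		if te == "chunked" {
			chunked = true
		}
	}
	return chunked, r.ContentLength
}

// naiveForward mimics a forwarder that sends a bodyless GET to the
// inspector and copies the original Header map onto it. Go's client derives
// Content-Length and Transfer-Encoding from the request's ContentLength,
// TransferEncoding and Body fields and ignores those keys in Header, so
// neither header reaches the inspector.
func naiveForward(in *http.Request) ([]byte, error) {
	out, err := http.NewRequest(http.MethodGet, inspectorURL, nil)
	if err != nil {
		return nil, err
	}
	out.Header = in.Header.Clone()
	// DumpRequestOut records what the Transport would put on the wire.
	return httputil.DumpRequestOut(out, true)
}

// explicitForward keeps the original method and body and sets the framing
// fields explicitly, so the inspector sees the same Content-Length or
// Transfer-Encoding the client sent.
func explicitForward(in *http.Request) ([]byte, error) {
	body, err := io.ReadAll(in.Body)
	if err != nil {
		return nil, err
	}
	out, err := http.NewRequest(in.Method, inspectorURL, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	out.Header = in.Header.Clone()
	if chunked, length := framing(in); chunked {
		out.TransferEncoding = []string{"chunked"}
		out.ContentLength = -1 // unknown length: Go writes a chunked body
	} else {
		out.ContentLength = length
	}
	return httputil.DumpRequestOut(out, true)
}

func main() {
	for _, raw := range []string{rawWithLength, rawChunked} {
		in, _ := parseIncoming(raw)
		naive, _ := naiveForward(in)
		fmt.Printf("--- naive copy ---\n%s\n", naive)
		in, _ = parseIncoming(raw) // re-parse: the body was not consumed, but keep the inputs independent
		explicit, _ := explicitForward(in)
		fmt.Printf("--- explicit framing ---\n%s\n", explicit)
	}
}
```

Running main prints both wire images for each input: the naive copy has neither Content-Length nor Transfer-Encoding, which is exactly the condition rule 920180 flags, while the explicit version carries "Content-Length: 10" or "Transfer-Encoding: chunked" as the original client sent it.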