Hi,

The following template has previously worked as far as WAF detection is
concerned. However, assessors keep updating their tools, and this
configuration is no longer effective.

Anyone using relayd as WAF? What sort of configuration options do you have?

Kind regards,

Kihaguru.



---------------------------------------------------------------------------------------------------
# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
#
# Relay and protocol
#
http protocol httpp {
        pass request quick method "GET"
        block
}

relay httpr {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8080
        protocol httpp

        # Forward to the original target host
        forward to destination
}

http protocol httpsp {
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header append "X-Forwarded-By" \
            value "$SERVER_ADDR:$SERVER_PORT"
        match response header remove "Server"

        pass request quick url file "/etc/mydomain-url.txt"
        pass request quick path file "/etc/mydomain-path.txt"
        pass request quick method "GET"
        block

        tls keypair mydomain.com
}

relay httpsr {
        # Listen on localhost, accept diverted connections from pf(4)
        listen on 127.0.0.1 port 8443 tls
        protocol httpsp

        # Forward to the original target host
        forward with tls to destination
}
----------------------------------------------------------------------------------------------------
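To make the rule semantics in the two configurations above concrete, here is an added example (not from the original mail or from relayd itself) that models relayd's filter evaluation: rules are tried in order, the last matching rule wins, and a "quick" rule stops evaluation at the first match. It assumes shell-style glob matching for "value" patterns and that "value" compares the query string of a "path" rule; the default action when nothing matches is assumed to be pass, which does not matter here because both rulesets end with an explicit "block".

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One relayd filter rule, reduced to the fields the two configs use."""
    action: str                   # "pass" or "block"
    quick: bool = False           # stop evaluating once this rule matches
    method: Optional[str] = None  # e.g. "GET"
    path: Optional[str] = None    # request path, glob pattern (assumption)
    value: Optional[str] = None   # query-string pattern, used with path (assumption)

    def matches(self, method: str, path: str, query: str) -> bool:
        if self.method is not None and self.method != method:
            return False
        if self.path is not None:
            if not fnmatch.fnmatchcase(path, self.path):
                return False
            # value "" only matches an empty query, "*command=*" any query containing command=
            if self.value is not None and not fnmatch.fnmatchcase(query, self.value):
                return False
        return True


def evaluate(rules: List[Rule], method: str, path: str, query: str = "") -> str:
    """Return the final action: last match wins unless a quick rule matches first."""
    action = "pass"  # assumed default when no rule matches
    for rule in rules:
        if rule.matches(method, path, query):
            action = rule.action
            if rule.quick:
                break
    return action


# Ruleset from the newer protocol block: only GET is passed, everything else blocked.
METHOD_RULES = [Rule("pass", quick=True, method="GET"), Rule("block")]

# Ruleset from the older (quoted) protocol block: path/query filtering, no method check.
PATH_RULES = [
    Rule("pass"),
    Rule("block", quick=True, path="/cgi-bin/index.cgi", value="*command=*"),
    Rule("pass", quick=True, path="/net/index.html", value=""),
    Rule("block"),
]

if __name__ == "__main__":
    for m in ("GET", "POST", "OPTIONS"):
        print(m, "/net/index.html", evaluate(METHOD_RULES, m, "/net/index.html"),
              evaluate(PATH_RULES, m, "/net/index.html"))
```

Running it shows the difference the thread turns on: the older ruleset still passes a POST or OPTIONS to /net/index.html with an empty query, while the method-filtering ruleset blocks anything but GET.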
---------- Forwarded message ---------
From: Kihaguru Gathura <pqscr...@gmail.com>
Date: Fri, Dec 27, 2019 at 10:40 PM
Subject: Re: No WAF detected - Solved
To: Kihaguru Gathura <pqscr...@gmail.com>, misc <misc@openbsd.org>


Hi,

WAF is detected when certain methods are filtered in relayd.

Thanks,

Kihaguru.




On Monday, December 9, 2019, Kihaguru Gathura <pqscr...@gmail.com> wrote:
>
>
> Hi,
> A message from assessors and further tests below.
>
>
>
>
> I have configured relayd to serve a single url that accepts no
> parameters. This url is blocked by relayd with error 403 Forbidden if
> anything is appended to its end.
> I would expect WAF detection in such a test case, but this has not
> happened.
> What other means are malicious payloads being delivered in this case?
>
> Thanks and regards,
> Kihaguru
>
>
>
----------------------------------------------------------------------------------------------------------------------------
>
>         # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
>         #
>         # Relay and protocol
>         #
>         http protocol httpp {
>                 return error
>                 match response header remove "Server"
>
>                 pass
>                 block quick path "/cgi-bin/index.cgi" value "*command=*"
>                 pass quick path "/net/index.html" value ""
>                 block
>         }
>
>         relay httpr {
>                 # Listen on localhost, accept diverted connections from pf(4)
>                 listen on 127.0.0.1 port 8080
>                 protocol httpp
>
>                 # Forward to the original target host
>                 forward to destination
>         }
>
>         http protocol httpsp {
>                 return error
>                 match response header remove "Server"
>
>                 pass
>                 block quick path "/cgi-bin/index.cgi" value "*command=*"
>                 pass quick path "/net/index.html" value ""
>                 block
>
>                 tls keypair example.net
>          }
>
>         relay httpsr {
>                 # Listen on localhost, accept diverted connections from pf(4)
>                 listen on 127.0.0.1 port 8443 tls
>                 protocol httpsp
>
>                 # Forward to the original target host
>                 forward with tls to destination
>         }
>
---------------------------------------------------------------------------------------------------------------------------
>
> On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson <s...@spacehopper.org> wrote:
>>
>> On 2019/12/05 00:17, Kihaguru Gathura wrote:
>> >
>> >
>> >
>> > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura <pqscr...@gmail.com> wrote:
>> >
>> >
>> >
>> >         >> Which is a better way to implement a WAF on OpenBSD using the base utilities?
>> >         >
>> >         > relayd configured in certain ways might be considered as a WAF.
>> >
>> >
>> >     All methods and all other security headers and path filters are coded in the web
>> >     application which had always been detected as a custom WAF until two weeks ago.
>> >
>> >     I have now included relayd and a re-test passes all other requirements but does not detect
>> >     a WAF (please find sample configurations and test report below).
>> >
>> >     Any hint highly appreciated
>>
>> I think you will need to talk to your assessors and ask what they're looking for.
>>
>
