Not working with Nginx + HTTP/3

[jefersonbertoli]

I am using the following configuration:

Nginx + ModSecurity

The problem happens when I enable HTTP/3 in Nginx.

The "host" variable no longer appears in the modsecurity log and because of this, blocking occurs.

The logs follow:

Log:
---AyfUD8sA---A--
[27/Jun/2024:15:47:02 -0400] 171951762247.675197 x.x.x.x 56183 172.31.11.83 443
---AyfUD8sA---B--
GET /login.php HTTP/3.0
sec-fetch-user: ?1
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
sec-fetch-dest: document
sec-fetch-mode: navigate
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-fetch-site: none
sec-ch-ua-platform: "macOS"
upgrade-insecure-requests: 1
sec-ch-ua-mobile: ?0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
cache-control: max-age=0
accept-encoding: gzip, deflate, br, zstd
cookie: PHPSESSID=87od4pal00n6p57pbriim6apn7
accept-language: pt-BR,pt;q=0.9
priority: u=0, i

---AyfUD8sA---D--

---AyfUD8sA---E--

---AyfUD8sA---F--
HTTP/3.0 200
Server: nginx
Date: Thu, 27 Jun 2024 19:47:02 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Connection: keep-alive
Alt-Svc: h3=":443"; ma=86400
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

---AyfUD8sA---H--

---AyfUD8sA---H--
ModSecurity: Warning. Matched "Operator Eq' with parameter 0' against variable REQUEST_HEADERS:Host' (Value: 0' ) [file "/usr/local/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "574"] [id "920280"] [rev ""] [msg "Request Missing a Host Header"] [data ""] [severity "4"] [ver "OWASP_CRS/4.4.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "172.31.11.83"] [uri "/login.php"] [unique_id "171951762247.675197"] [ref ""]

---AyfUD8sA---I--

---AyfUD8sA---J--

---AyfUD8sA---Z--

How do I make it work correctly with HTTP/3?
If you only use HTTP/2 it works correctly.

Thanks!

[airween]

Hi @jefersonbertoli,

thanks for reporting.

Unfortunately I can't check this behavior (all existing curl instance uses the old libcurl version which does not support --http3), and I'm not familiar with HTTP/3, but I'm almost sure this is not a libmodsecurity3 problem, but a rule set issue.

I don't know HTTP/3 really needs Host header or not - if not, then this is a false positive rule match (FP). If it is, then next you should set the request's Host header. But in any case, the decision is in the hands of the rules, not the engine.

I suggest you to ask about this behavior the CoreRuleSet team, I'm sure my teammates know the answer.

I'm closing this issue, please feel free to re-open if you think it's an engine problem.

[AMoo-Miki]

This is a connector problem. HTTP/3 uses the :authority pseudo-header which nginx parses into r->headers_in.server. However, the connector doesn't entertain this right now.

See owasp-modsecurity/ModSecurity-nginx#364