OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload

[Wuensch-AG-Adm]

Dear OPNsense community,

We bought the 3-year package to have business capabilities on our firewall in our company. But as soon as we started configuring OPNWAF (Web Application) Business, it didn't work as expected. We can't upload any documents or photos, regardless of file size (error 413). Some nextcloud applications generate errors (such as “photos”, or we lose the ability to change profile status). On the firewall, in the Web Protection tab, I've configured Nextcloud-specific rule exclusions, but that doesn't seem to do anything...

We have found that there's is a limitation in the modsecurity on the OPNWAF. The info is in the Web Error Log.
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/

The problem with this plugin is that we couldn't find any documentation of the plugin paths on the hard disk. We have no idea how to set up this plugin, and there's no way of changing anything in the user interface. That's sad for a Business tool.

If someone with experience on this plugin can explain to me where I can change the configured limit, I'd be very happy not loose my time with this kind of stuffs.

Thank you ahead.

Regards,

Joel. T

[Monviech]

Hello, it looks like the error you have is this one:

https://github.com/owasp-modsecurity/ModSecurity/issues/2873

It looks like the following settings have to be included into the virtual host configuration:

SecRequestBodyLimit 1073741824
SecRequestBodyNoFilesLimit 1073741824

1GB per chunk seems like the hard limit. So, these parameters could be added with a checkbox.

If you open a feature request https://github.com/opnsense/plugins/issues I will evaluate it and add it to OPNWAF. I am currently working on including new features into it.

e.g. compare to this feature request: https://github.com/opnsense/plugins/issues/4030

The next version will have some more features coming that makes more selective configurations, especially with the WAF, a lot easier.

[Wuensch-AG-Adm]

Hello,
thank you for your fast answer.
Is there some possibility to apply the new parameters and that the modsecurity keep them? (I mean in the console mod / shell)
I've found the parameters in this file:
/usr/local/etc/apache24/modsecurity.conf
But if I change something, the next restart of the plugin / service, it resets the parameter to the original values ( 13107200 and 131072). I can't change anything. The "App Specific Rule Exclussions" nextcloud in Firewall -> Web Application-> Settings -> Web protection ist doing nothing. There's no effect on the nextcloud.

I've find the rules Set files for Nextcloud too, but nothing works.
I've deactivated the Web protection, because with, nobody can really use Nextcloud. From now I'm using only the gateway webserver. I was thinking that a business solution like this waf plugin would work.

I've forgot to write that we are using the version OPNsense 24.4.2-amd64 with the os-OPNWAF 1.5

Can I add the parameters in the gateway_vhosts.conf?

Thx ahead.

Regards,

Joel Timm.

[Wuensch-AG-Adm]

Every time I restart the plugin / service, I loose all the changes in the conf files. Is there a special way to do this with OPNsense? Because I need to fix this asap.

[franco]

Well, you would adjust the template, not the rendered config. It's still volatile but sticks until the next update.


Cheers,
Franco