Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload (Read 521 times)
Wuensch-AG-Adm
Newbie
Posts: 18
Karma: 0
OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
on:
September 11, 2024, 04:29:30 pm »
Dear OPNsense community,
We bought the 3-year package to have business capabilities on our firewall in our company. But as soon as we started configuring OPNWAF (Web Application) Business, it didn't work as expected. We can't upload any documents or photos, regardless of file size (error 413). Some nextcloud applications generate errors (such as “photos”, or we lose the ability to change profile status). On the firewall, in the Web Protection tab, I've configured Nextcloud-specific rule exclusions, but that doesn't seem to do anything...
We have found that there's is a limitation in the modsecurity on the OPNWAF. The info is in the Web Error Log.
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/
The problem with this plugin is that we couldn't find any documentation of the plugin paths on the hard disk. We have no idea how to set up this plugin, and there's no way of changing anything in the user interface. That's sad for a Business tool.
If someone with experience on this plugin can explain to me where I can change the configured limit, I'd be very happy not loose my time with this kind of stuffs.
Thank you ahead.
Regards,
Joel. T
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1622
Karma: 178
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #1 on:
September 11, 2024, 04:51:07 pm »
Hello, it looks like the error you have is this one:
https://github.com/owasp-modsecurity/ModSecurity/issues/2873
It looks like the following settings have to be included into the virtual host configuration:
SecRequestBodyLimit 1073741824
SecRequestBodyNoFilesLimit 1073741824
1GB per chunk seems like the hard limit. So, these parameters could be added with a checkbox.
If you open a feature request
https://github.com/opnsense/plugins/issues
I will evaluate it and add it to OPNWAF. I am currently working on including new features into it.
e.g. compare to this feature request:
https://github.com/opnsense/plugins/issues/4030
The next version will have some more features coming that makes more selective configurations, especially with the WAF, a lot easier.
Logged
Hardware:
DEC740
Wuensch-AG-Adm
Newbie
Posts: 18
Karma: 0
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #2 on:
September 11, 2024, 06:31:59 pm »
Hello,
thank you for your fast answer.
Is there some possibility to apply the new parameters and that the modsecurity keep them? (I mean in the console mod / shell)
I've found the parameters in this file:
/usr/local/etc/apache24/modsecurity.conf
But if I change something, the next restart of the plugin / service, it resets the parameter to the original values ( 13107200 and 131072). I can't change anything. The "App Specific Rule Exclussions" nextcloud in Firewall -> Web Application-> Settings -> Web protection ist doing nothing. There's no effect on the nextcloud.
I've find the rules Set files for Nextcloud too, but nothing works.
I've deactivated the Web protection, because with, nobody can really use Nextcloud. From now I'm using only the gateway webserver. I was thinking that a business solution like this waf plugin would work.
I've forgot to write that we are using the version OPNsense 24.4.2-amd64 with the os-OPNWAF 1.5
Can I add the parameters in the gateway_vhosts.conf?
Thx ahead.
Regards,
Joel Timm.
Logged
Wuensch-AG-Adm
Newbie
Posts: 18
Karma: 0
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #3 on:
September 11, 2024, 06:36:19 pm »
Every time I restart the plugin / service, I loose all the changes in the conf files. Is there a special way to do this with OPNsense? Because I need to fix this asap.
Logged
franco
Administrator
Hero Member
Posts: 17672
Karma: 1612
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #4 on:
September 11, 2024, 06:59:30 pm »
Well, you would adjust the template, not the rendered config. It's still volatile but sticks until the next update.
Cheers,
Franco
Logged
Wuensch-AG-Adm
Newbie
Posts: 18
Karma: 0
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #5 on:
November 15, 2024, 09:48:41 am »
Hello Franco,
could you please explain how?
We had a maintenance on the OPNsense and an update (Version 24.10_7 and os-OPNWAF 1.6). Now it's even worst there's no exception anymore for Nextcloud and Nextcloud cannot show the files on the UI.
My workflow before the update as worked, now I must repeat all from the start. Because the rules were changed.
Thanks ahead for your help
Regards,
Joel.
Logged
Wuensch-AG-Adm
Newbie
Posts: 18
Karma: 0
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #6 on:
November 15, 2024, 10:16:16 am »
Hello Franco, Hi dear community,
no misunderstood I like to use the OPNSense and
I've found some solutions on the UI
Firewall -> Web Application -> Gateways -> Virtual servers
But I don't think that disabling a whole rule because of a parameter on the rule is an enhancement on the security of the WAF. An Exception for a certain URL would be a great improvement.
Maybe I'm wrong.
Regards,
Joel.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1622
Karma: 178
Re: OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload
«
Reply #7 on:
November 15, 2024, 10:35:22 am »
The App Specific Exclusions were removed in the new version because the WAF rules were updated from Core Ruleset 3 to 4.
This removed these exclusions from the main coreruleset and put them into external plugins.
https://github.com/coreruleset/coreruleset/blob/5c0303a03526853818592d83581492646ff9cca0/crs-setup.conf.example#L323-L332
The reason is that there were critical CVEs in the past in these App Specific Exclusions, so OWASP CRS removed them from their main repository.
https://coreruleset.org/docs/concepts/plugins/#why-are-plugins-needed
So one can say that this new version has hardened security.
«
Last Edit: November 15, 2024, 10:36:59 am by Monviech (Cedrik)
»
Logged
Hardware:
DEC740
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload