OPNWAF / Web Application Business with Nextcloud - enabled we cannot upload

[Wuensch-AG-Adm]

Dear OPNsense community,

We bought the 3-year package to have business capabilities on our firewall in our company. But as soon as we started configuring OPNWAF (Web Application) Business, it didn't work as expected. We can't upload any documents or photos, regardless of file size (error 413). Some nextcloud applications generate errors (such as “photos”, or we lose the ability to change profile status). On the firewall, in the Web Protection tab, I've configured Nextcloud-specific rule exclusions, but that doesn't seem to do anything...

We have found that there's is a limitation in the modsecurity on the OPNWAF. The info is in the Web Error Log.
ModSecurity: Request body no files data length is larger than the configured limit (131072).. Deny with code (413) [hostname "xxxxxxxxx"] [uri "/remote.php/dav/files/

The problem with this plugin is that we couldn't find any documentation of the plugin paths on the hard disk. We have no idea how to set up this plugin, and there's no way of changing anything in the user interface. That's sad for a Business tool.

If someone with experience on this plugin can explain to me where I can change the configured limit, I'd be very happy not loose my time with this kind of stuffs.

Thank you ahead.

Regards,

Joel. T

[Monviech (Cedrik)]

Hello, it looks like the error you have is this one:

https://github.com/owasp-modsecurity/ModSecurity/issues/2873

It looks like the following settings have to be included into the virtual host configuration:

SecRequestBodyLimit 1073741824
SecRequestBodyNoFilesLimit 1073741824

1GB per chunk seems like the hard limit. So, these parameters could be added with a checkbox.

If you open a feature request https://github.com/opnsense/plugins/issues I will evaluate it and add it to OPNWAF. I am currently working on including new features into it.

e.g. compare to this feature request: https://github.com/opnsense/plugins/issues/4030

The next version will have some more features coming that makes more selective configurations, especially with the WAF, a lot easier.

[Wuensch-AG-Adm]

Hello,
thank you for your fast answer.
Is there some possibility to apply the new parameters and that the modsecurity keep them? (I mean in the console mod / shell)
I've found the parameters in this file:
/usr/local/etc/apache24/modsecurity.conf
But if I change something, the next restart of the plugin / service, it resets the parameter to the original values ( 13107200 and 131072). I can't change anything. The "App Specific Rule Exclussions" nextcloud in Firewall -> Web Application-> Settings -> Web protection ist doing nothing. There's no effect on the nextcloud.

I've find the rules Set files for Nextcloud too, but nothing works.
I've deactivated the Web protection, because with, nobody can really use Nextcloud. From now I'm using only the gateway webserver. I was thinking that a business solution like this waf plugin would work.

I've forgot to write that we are using the version OPNsense 24.4.2-amd64 with the os-OPNWAF 1.5

Can I add the parameters in the gateway_vhosts.conf?

Thx ahead.

Regards,

Joel Timm.

[Wuensch-AG-Adm]

Every time I restart the plugin / service, I loose all the changes in the conf files. Is there a special way to do this with OPNsense? Because I need to fix this asap.

[franco]

Well, you would adjust the template, not the rendered config. It's still volatile but sticks until the next update.


Cheers,
Franco

[Wuensch-AG-Adm]

Hello Franco,

could you please explain how?
We had a maintenance on the OPNsense and an update (Version 24.10_7 and os-OPNWAF 1.6). Now it's even worst there's no exception anymore for Nextcloud and Nextcloud cannot show the files on the UI.
My workflow before the update as worked, now I must repeat all from the start. Because the rules were changed.

Thanks ahead for your help

Regards,
Joel.

[Wuensch-AG-Adm]

Hello Franco, Hi dear community,

no misunderstood I like to use the OPNSense and
I've found some solutions on the UI
Firewall -> Web Application -> Gateways -> Virtual servers
But I don't think that disabling a whole rule because of a parameter on the rule is an enhancement on the security of the WAF. An Exception for a certain URL would be a great improvement.
Maybe I'm wrong.

Regards,

Joel.

[Monviech (Cedrik)]

The App Specific Exclusions were removed in the new version because the WAF rules were updated from Core Ruleset 3 to 4.

This removed these exclusions from the main coreruleset and put them into external plugins.

https://github.com/coreruleset/coreruleset/blob/5c0303a03526853818592d83581492646ff9cca0/crs-setup.conf.example#L323-L332

The reason is that there were critical CVEs in the past in these App Specific Exclusions, so OWASP CRS removed them from their main repository.

https://coreruleset.org/docs/concepts/plugins/#why-are-plugins-needed

So one can say that this new version has hardened security.