Hi there:
I need to place Grafana's web admin GUI behind a WAF composed of Apache as a reverse proxy and ModSecurity + OWASP CRS.
I'm facing a problem with this configuration while accessing dashboards where the data store is Elasticsearch. ModSecurity rejects/blocks these requests with "Failed to parse request body."
Full log entry (client and server details in log replaced with “suppressed”):
[Tue May 28 23:05:43.808768 2019] [:error] [pid 93066] [client suppressed:1379] [client suppressed] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/etc/modsecurity/modsecurity.conf"] [line "60"] [id "200002"] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: trailing garbage\x0a"] [severity "CRITICAL"] [hostname "suppressed"] [uri "/api/datasources/proxy/3/_msearch"] [unique_id "XO2@x2hIHxCqfadu5KrpkwAAAAE"], referer: https://suppressed/d/WBwp-_WZz/waf-access-logs?orgId=1
So, it seems that ModSecurity is unable to parse the JSON query sent by the browser.
Rule ID 200002 --> "Failed to parse request body." in file modsecurity.conf
Rule ID 920130 --> "Failed to parse request body." in file REQUEST-920-PROTOCOL-ENFORCEMENT.conf
Just place the whitelisting config above in a new .conf file under the OWASP rules folder. The URL path (LocationMatch) is the request the client browser sends, and it is there just for the sake of whitelisting these 2 IDs only for Grafana, keeping the validation for all the rest.
It'd be good, though, if someone could find out whether there's indeed a problem in the way the query is constructed or whether it's a false positive from ModSecurity.
Cheers
Juan.
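Juan asks whether the query itself is malformed or whether this is a false positive. The Python check below is an added example (not code from the thread, Grafana or ModSecurity) that parses a constructed `_msearch` body first as one JSON document, which is what ModSecurity's JSON body processor expects, and then as NDJSON, which is what Elasticsearch's `_msearch` endpoint defines, so the two readings can be compared directly.

```python
import json

# Constructed sample of the kind of body Grafana's Elasticsearch datasource
# sends to /api/datasources/proxy/<id>/_msearch: NDJSON, i.e. a header line
# followed by a query line, each a complete JSON object, newline-terminated.
# This is not a captured request from the thread.
MSEARCH_BODY = (
    '{"search_type":"query_then_fetch","ignore_unavailable":true,"index":"logstash-*"}\n'
    '{"size":0,"query":{"bool":{"filter":[{"range":{"@timestamp":{"gte":"now-1h"}}}]}},'
    '"aggs":{"2":{"date_histogram":{"field":"@timestamp","interval":"1m"}}}}\n'
)


def parse_as_single_json(body: str):
    """Mimic a body processor that accepts exactly one JSON document.
    Returns (ok, error_message). Python reports content after the first
    document as 'Extra data'; yajl (used by ModSecurity) calls the same
    condition 'trailing garbage', which is the string in Juan's log."""
    try:
        json.loads(body)
        return True, None
    except json.JSONDecodeError as e:
        return False, e.msg


def parse_as_ndjson(body: str):
    """Parse newline-delimited JSON: one object per line, final newline
    optional. Returns the decoded objects; raises ValueError on a bad line."""
    lines = body.split("\n")
    if lines and lines[-1] == "":      # drop the element after the final newline
        lines.pop()
    docs = []
    for lineno, line in enumerate(lines, 1):
        try:
            docs.append(json.loads(line))
        except json.JSONDecodeError as e:
            raise ValueError(f"line {lineno}: {e.msg}") from e
    return docs


def classify(body: str) -> str:
    """'single-json' if one JSON document, 'ndjson' if a well-formed
    _msearch body (header/query line pairs), otherwise 'invalid'."""
    ok, _ = parse_as_single_json(body)
    if ok:
        return "single-json"
    try:
        docs = parse_as_ndjson(body)
    except ValueError:
        return "invalid"
    return "ndjson" if docs and len(docs) % 2 == 0 else "invalid"
```

A body that classifies as `ndjson` is a well-formed multi-search request that a single-document JSON parser will always reject, which is the false-positive case; only an `invalid` result points at a genuinely broken query.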
Hi Juan,
I am using Grafana and the web application (openHAB) behind an Apache reverse proxy, like you.
I have two virtual hosts: openhab.domain.com and grafana.domain.com
Both use proxy authentication. The plan is to reuse the authentication token for Grafana, so that when the user logs into openHAB, he does not need to log in again to Grafana.
This doesn't work with Firefox and Chrome.
Do you by any chance have a similar scenario?
Regards
Marco
Hi Marco:
No, I don't have authentication implemented on the reverse proxy; authentication is handled directly in Grafana.
I guess Grafana stores the auth tokens in SQLite, but I'm not sure how it's done, or how your SSO scenario could be solved, sorry.
Juan.