Grafana behind Reverse Proxy (Apache) + ModSecurity

Hi there:
I need to place Grafana’s web admin GUI behind a WAF composed of Apache as reverse proxy and ModSecurity + OWASP CRS.

I’m facing a problem with this configuration while accessing dashboards where the datastore is Elasticsearch. ModSecurity rejects/blocks these requests with “Failed to parse request body.”
Full log entry (client and server details in log replaced with “suppressed”):

[Tue May 28 23:05:43.808768 2019] [:error] [pid 93066] [client suppressed:1379] [client suppressed] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/usr/local/etc/modsecurity/modsecurity.conf"] [line "60"] [id "200002"] [msg "Failed to parse request body."] [data "JSON parsing error: parse error: trailing garbage\x0a"] [severity "CRITICAL"] [hostname "suppressed"] [uri "/api/datasources/proxy/3/_msearch"] [unique_id "XO2@x2hIHxCqfadu5KrpkwAAAAE"], referer: https://suppressed/d/WBwp-_WZz/waf-access-logs?orgId=1

So, it seems that ModSecurity is unable to parse the JSON query sent by the browser.

Any ideas?

Thanks a lot

Juan.

As a workaround, and in case someone faces some issue in the future, 2 rule IDs need to be “whitelisted” for getting this sorted:

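# Disable only the two body-parsing rules for Grafana's Elasticsearch proxy requests
<LocationMatch "/api/datasources/proxy/3/_msearch*">
    SecRuleRemoveById 200002 920130
</LocationMatch>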

Rule ID 200002 --> “Failed to parse request body.” In file modsecurity.conf
Rule ID 920130 --> “Failed to parse request body.” In file REQUEST-920-PROTOCOL-ENFORCEMENT.conf

Just place the whitelisting config above in a new .conf file under the OWASP rules folder. The URL path (LocationMatch) is the request the client browser sends, and it is there just for the sake of whitelisting these 2 IDs only for Grafana, keeping the validation for all the rest.
It’d be good though if someone could find out if there’s indeed a problem in the way the query is constructed or if maybe it’s a false positive from ModSecurity.
Cheers
Juan.
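
On the open question in the post above: Elasticsearch's _msearch endpoint takes newline-delimited JSON (one object per line), so a parser that expects a single JSON document reports everything after the first object as trailing data. This is an added example, not part of the original posts, that separates such NDJSON bodies from genuinely malformed ones; it uses Python's JSON parser rather than ModSecurity's, and the sample body, index name and function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of an _msearch body: a header object and a
# query object, one per line. Index and field names are made up.
SAMPLE_MSEARCH = (
    '{"search_type":"query_then_fetch","index":"waf-logs-*"}\n'
    '{"size":0,"query":{"range":{"@timestamp":{"gte":"now-6h"}}}}\n'
)


def strict_parse_error(body):
    """Return (message, position) from a single-document parse, or None if it parses."""
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return exc.msg, exc.pos
    return None


def classify_body(body):
    """Classify a request body as 'json', 'ndjson' or 'invalid'."""
    if strict_parse_error(body) is None:
        return "json"
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if len(lines) < 2:
        # One line that still fails: real trailing garbage, not NDJSON.
        return "invalid"
    for ln in lines:
        try:
            obj = json.loads(ln)
        except json.JSONDecodeError:
            return "invalid"
        if not isinstance(obj, dict):
            # _msearch lines are JSON objects; anything else is unexpected.
            return "invalid"
    return "ndjson"


if __name__ == "__main__":
    print("strict parse:", strict_parse_error(SAMPLE_MSEARCH))
    print("classification:", classify_body(SAMPLE_MSEARCH))
```

A body that classifies as "ndjson" is well formed for _msearch even though a single-document parser rejects it; one that classifies as "invalid" is a parse failure worth keeping blocked.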

Hi Juan,
I am using Grafana and the web application (openHAB) behind an Apache reverse proxy like you.
I have two Virtual hosts:
openhab.domain.com
grafana.domain.com

Both use proxy authentication. The plan is to reuse the authentication token for Grafana, so that when the user logs into openHAB he does not need to log in again to Grafana.
This doesn’t work with Firefox and Chrome.
Have you by coincidence a similar scenario?
Regards
Marco

Hi Marco:
No, I don’t have authentication implemented on the reverse proxy, authentication is handled directly on Grafana.
I guess Grafana stores the auth tokens in SQLite, but not sure how it’s done, or how your SSO scenario could be solved, sorry.
Juan.