Hi,

The subject of the previous email below read 'solved'. This was in error; this has not been solved.
Any assistance is highly appreciated.

Kind regards,
Kihaguru.

---------- Forwarded message ----------
From: Kihaguru Gathura <pqscr...@gmail.com>
Date: Sunday, August 23, 2020
Subject: Re: No WAF detected - Solved
To: misc <misc@openbsd.org>

Hi,

The following template has previously worked as far as WAF detection is concerned. However, assessors keep updating their tools, and this configuration is no longer effective.

Anyone using relayd as a WAF? What sort of configuration options do you have?

Kind regards,
Kihaguru.

---------------------------------------------------------------------------------------------------
# $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
#
# Relay and protocol
#
http protocol httpp {
	pass request quick method "GET"
	block
}

relay httpr {
	# Listen on localhost, accept diverted connections from pf(4)
	listen on 127.0.0.1 port 8080
	protocol httpp

	# Forward to the original target host
	forward to destination
}

http protocol httpsp {
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
		value "$SERVER_ADDR:$SERVER_PORT"
	match response header remove "Server"

	pass request quick url file "/etc/mydomain-url.txt"
	pass request quick path file "/etc/mydomain-path.txt"
	pass request quick method "GET"
	block

	tls keypair mydomain.com
}

relay httpsr {
	# Listen on localhost, accept diverted connections from pf(4)
	listen on 127.0.0.1 port 8443 tls
	protocol httpsp

	# Forward to the original target host
	forward with tls to destination
}
----------------------------------------------------------------------------------------------------

---------- Forwarded message ---------
From: Kihaguru Gathura <pqscr...@gmail.com>
Date: Fri, Dec 27, 2019 at 10:40 PM
Subject: Re: No WAF detected - Solved
To: Kihaguru Gathura <pqscr...@gmail.com>, misc <misc@openbsd.org>

Hi,

WAF is detected when certain methods are filtered in relayd.

Thanks,
Kihaguru.
On Monday, December 9, 2019, Kihaguru Gathura <pqscr...@gmail.com> wrote:
>
> Hi,
>
> A message from assessors and further tests below.
>
> I have configured relayd to serve a single URL that accepts no parameters. This URL is blocked by relayd with error 403 Forbidden if anything is appended to its end.
> I would expect WAF detection in such a test case, but this has not happened.
> What other means are malicious payloads being delivered by in this case?
>
> Thanks and regards,
> Kihaguru
>
> ----------------------------------------------------------------------------------------------------------------------------
>
> # $OpenBSD: relayd.conf,v 1.5 2018/05/06 20:56:55 benno Exp $
> #
> # Relay and protocol
> #
> http protocol httpp {
> 	return error
> 	match response header remove "Server"
>
> 	pass
> 	block quick path "/cgi-bin/index.cgi" value "*command=*"
> 	pass quick path "/net/index.html" value ""
> 	block
> }
>
> relay httpr {
> 	# Listen on localhost, accept diverted connections from pf(4)
> 	listen on 127.0.0.1 port 8080
> 	protocol httpp
>
> 	# Forward to the original target host
> 	forward to destination
> }
>
> http protocol httpsp {
> 	return error
> 	match response header remove "Server"
>
> 	pass
> 	block quick path "/cgi-bin/index.cgi" value "*command=*"
> 	pass quick path "/net/index.html" value ""
> 	block
>
> 	tls keypair example.net
> }
>
> relay httpsr {
> 	# Listen on localhost, accept diverted connections from pf(4)
> 	listen on 127.0.0.1 port 8443 tls
> 	protocol httpsp
>
> 	# Forward to the original target host
> 	forward with tls to destination
> }
> ---------------------------------------------------------------------------------------------------------------------------
>
> On Thu, Dec 5, 2019 at 2:11 PM Stuart Henderson <s...@spacehopper.org> wrote:
>>
>> On 2019/12/05 00:17, Kihaguru Gathura wrote:
>> >
>> > On Wed, Dec 4, 2019 at 11:58 PM Kihaguru Gathura <pqscr...@gmail.com> wrote:
>> > >
>> > > > Which is a better way to implement a WAF on OpenBSD using the base utilities?
>> > >
>> > > relayd configured in certain ways might be considered as a WAF.
>> >
>> > All methods and all other security headers and path filters are coded in the web
>> > application, which had always been detected as a custom WAF until two weeks ago.
>> >
>> > I have now included relayd, and a re-test passes all other requirements but does not detect
>> > a WAF (please find sample configurations and test report below).
>> >
>> > Any hint highly appreciated.
>>
>> I think you will need to talk to your assessors and ask what they're looking for.
>>
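Added illustration, not part of this thread and not the poster's configuration: a relayd.conf(5) protocol that applies the method allow-listing the thread says was recognised as WAF behaviour, combined with the header handling from the poster's template. The protocol and relay names, the port, the keypair name and the extra response headers are placeholders chosen for the example.

```conf
# Added example (not the poster's config): admit only the HTTP methods the
# application needs, refuse everything else, and hide the backend's Server
# header.  Names, ports and the keypair are placeholders.

http protocol "waf" {
	# Tell the backend who the real client is, as in the thread's template.
	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
		value "$SERVER_ADDR:$SERVER_PORT"

	# Do not leak the backend's identity; add conservative response headers.
	match response header remove "Server"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "DENY"

	# Answer blocked requests with relayd's own error page rather than
	# forwarding them to the backend.
	return error

	# Method allow-list.  "quick" ends rule evaluation for a matching
	# request, so the trailing "block" never applies to these.
	pass request quick method "GET"
	pass request quick method "HEAD"
	pass request quick method "POST"

	# Anything else (PUT, DELETE, TRACE, OPTIONS, unknown verbs) is refused.
	block

	tls keypair "example.com"
}

relay "https" {
	# Accept connections that pf(4) diverts here; see the note below.
	listen on 127.0.0.1 port 8443 tls
	protocol "waf"

	# Reach the original destination the client asked for.
	forward with tls to destination
}
```

The relay only sees traffic that pf(4) hands to it, so pf.conf(5) needs a matching rule such as `pass in on egress proto tcp to port 443 divert-to 127.0.0.1 port 8443` (an assumed rule shape for this example; adjust interface and ports to the deployment). Check the result with `relayd -n -f /etc/relayd.conf` before reloading, and confirm from the client side that a request using a method outside the allow-list receives the relayd error response while GET/HEAD/POST reach the application.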