HTTPtables blocking action ignores block_action directive #1453

krizhanovsky opened this issue Oct 10, 2020 · 1 comment · Fixed by #1493
Labels: bug, good to start, test

krizhanovsky commented Oct 10, 2020

Scope

On configuration

listen 192.168.100.4:80;

block_action attack reply;
block_action error reply;
response_body 400 /var/www/tempesta-tech.com/400;

srv_group default {
        server 127.0.0.1:9090;
}

vhost debian {
        proxy_pass default;
}

cache 1;
cache_fulfill * *;

http_chain l7_rules {
        hdr "Referer" == "http://badhost.com*" -> block;
}

http_chain {
        mark == 1 -> l7_rules;
        -> debian;
}

Note that there is no default host, as well as no default rule for the l7_rules chain. Configure iptables as:

iptables -A INPUT -s 192.168.100.1 -j MARK --set-mark 1

Next try to send 2 requests from 192.168.100.1:

  1. with Referer: http://goodhost.com
  2. with Referer: http://badhost.com/foo

In both cases HTTPtables blocks the requests, but Tempesta does not send any HTTP response as expected. From browsing the code, it seems we just ignore the block argument returned from HTTPtables.

Testing

For the scenario and configuration above:

  • request with Referer: http://goodhost.com

  • request with Referer: http://badhost.com/foo

  • Check that the configuration option response_body also does the work. In my demo scenario I used:

block_action attack reply;
block_action error reply;
response_body 400 /var/www/tempesta-tech.com/400;

Please also add tests for the configuration described in https://github.com/tempesta-tech/tempesta/wiki/HTTP-tables#default-rules-and-chains to ./http_rules/test_http_tables.py

  • Drop a request if there is no matching rule in a chain
  • Implicit creation of the main chain
  • Dropping all requests with an empty main chain

krizhanovsky commented

The linked task is #1063, but at this moment we just need to send any error response to a client, just to have a consistent configuration and not leave users wondering. This is also a part of #1108.
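
The rule flow of the configuration in the issue, as an added Python model (not Tempesta FW code and not part of the original thread): it shows why both marked requests end in a block and what the client should see with `block_action ... reply`. The request dictionaries, function names and result strings are constructed for illustration; which `block_action` class applies to an HTTPtables block is not stated in the issue, so the model requires both to be `reply`.

```python
# Simplified model of the http_chain rules from the issue (illustration only).

def hdr_eq(name, pattern):
    """hdr "<name>" == "<pattern>"; a trailing '*' is treated as a prefix match."""
    if pattern.endswith("*"):
        return lambda r: r["headers"].get(name, "").startswith(pattern[:-1])
    return lambda r: r["headers"].get(name, "") == pattern

# Rule = (predicate, action); action is "block", a chain name, or a vhost name.
CHAINS = {
    "l7_rules": [(hdr_eq("Referer", "http://badhost.com*"), "block")],
    "main": [
        (lambda r: r["mark"] == 1, "l7_rules"),  # mark == 1 -> l7_rules;
        (lambda r: True, "debian"),              # -> debian;
    ],
}
# block_action attack reply; block_action error reply;
BLOCK_ACTION = {"attack": "reply", "error": "reply"}

def evaluate(req, chain="main"):
    """Return ("pass", vhost) or ("block", reason) for one request."""
    for matches, action in CHAINS[chain]:
        if not matches(req):
            continue
        if action == "block":
            return "block", f"explicit block in {chain}"
        if action in CHAINS:
            # A jump does not return to the calling chain.
            return evaluate(req, action)
        return "pass", action
    # No default rule in the chain: the request is blocked.
    return "block", f"no matching rule in {chain}"

def client_sees(req):
    """Outcome the issue expects on the client side."""
    verdict, detail = evaluate(req)
    if verdict == "pass":
        return f"proxied to vhost {detail}"
    if set(BLOCK_ACTION.values()) == {"reply"}:
        return "HTTP error response"
    return "connection dropped"

# Constructed sample requests; mark 1 stands for the iptables-marked source.
GOOD = {"mark": 1, "headers": {"Referer": "http://goodhost.com"}}
BAD = {"mark": 1, "headers": {"Referer": "http://badhost.com/foo"}}
UNMARKED = {"mark": 0, "headers": {"Referer": "http://badhost.com/foo"}}
```
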
