Re: [mod-security-users] Why was this request put in the audit log?
From: Ervin H. <ai...@gm...> - 2022-11-13 09:52:33
Hi,

On Sun, Nov 13, 2022 at 09:59:09AM +0100, az...@po... wrote:
> Is that correct behavior as HTTP/1.0 does not require Host header to be
> present?

No, I think it's not. (I just answered for the PL-related part of the mail.)

> Do we support HTTP/1.0 in CRS?

Well, I think it's a "hard" question, because we allow it:
https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-901-INITIALIZATION.conf#L204
but it looks like we do not care about the special cases, e.g. HTTP/1.0 does not need the Host header. Look at the RFC:
https://www.rfc-editor.org/rfc/rfc2616.html#page-128
https://www.rfc-editor.org/rfc/rfc2616.html#section-19.6.1

The RFC says:

"The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL."

It does not say that "Host" is NOT mandatory in case of HTTP/1.0; it just says "Host" is mandatory in case of HTTP/1.1. The quoted part above from the RFC means that if you use a hosted server, clients need to send "Host" to identify the resource - so, is it mandatory? :)

Furthermore: I don't remember when SNI came (for HTTPS - I mean, was HTTP/1.0 still used then?), but I think in case of using SNI the "Host" header is needed, no matter what HTTP version you use (correct me if I'm wrong).

Furthermore+: I found one more reference about HTTP/2. Looks like the "Host" header isn't mandatory there either, because the ":authority" header can replace it:
https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.3

Maybe we can fix this.

A bit similar problem is the checking of the CL header in case of HTTP/2 (where CL isn't mandatory either):
https://github.com/coreruleset/coreruleset/blob/v3.3/master/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf#L223-L245

First of all, it would be fine to open an issue on GH, and add it to the list of monthly chat topics.

a.
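The version-dependent Host requirement discussed in the message above, as an added, runnable illustration (this is not CRS or ModSecurity code, and it does not reproduce what any CRS rule currently does). It assumes the protocol rules the mail cites: an HTTP/1.1 request must carry exactly one Host header, HTTP/1.0 defines no Host requirement, and an HTTP/2 request identifies the authority through the ":authority" pseudo-header (or a Host header). The request samples, the `RequestHead` type and the function names are constructed for this example; the version strings "HTTP/2" and "HTTP/2.0" are both accepted because different servers report the HTTP/2 protocol either way.

```python
"""Version-aware Host header check (constructed example, not CRS code).

Assumptions (from the RFC discussion in the thread, not from any CRS rule):
  * HTTP/1.1: exactly one Host header is required (RFC 7230 s5.4 says a
    server must answer 400 when it is missing).
  * HTTP/1.0: no Host requirement exists, so an absent Host is not a finding.
  * HTTP/2:   the authority may come from the ":authority" pseudo-header
    (RFC 7540 s8.1.2.3), so Host alone is not the right thing to demand.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RequestHead:
    """Parsed request head. Header names are stored lower-cased."""
    method: str
    target: str
    version: str                                   # "HTTP/1.0", "HTTP/1.1", "HTTP/2"
    headers: List[Tuple[str, str]] = field(default_factory=list)


def parse_http1_head(raw: str) -> RequestHead:
    """Parse the request line and header block of an HTTP/1.x request head."""
    lines = raw.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line == "":                             # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return RequestHead(method, target, version, headers)


def header_values(req: RequestHead, name: str) -> List[str]:
    """All values of one header, in order (Host may legitimately repeat only never)."""
    return [v for (n, v) in req.headers if n == name]


def host_finding(req: RequestHead) -> Optional[str]:
    """Return a protocol-enforcement finding about Host, or None if compliant."""
    version = "HTTP/2" if req.version in ("HTTP/2", "HTTP/2.0") else req.version
    hosts = header_values(req, "host")

    if version == "HTTP/1.1":
        if not hosts:
            return "HTTP/1.1 request without Host header (RFC 7230 s5.4 requires one; server answers 400)"
        if len(hosts) > 1:
            return "HTTP/1.1 request with multiple Host headers"
        return None

    if version == "HTTP/1.0":
        # HTTP/1.0 (RFC 1945) defines no Host header, so absence is not a violation.
        if len(hosts) > 1:
            return "HTTP/1.0 request with multiple Host headers"
        return None

    if version == "HTTP/2":
        authority = header_values(req, ":authority")
        if not authority and not hosts:
            return "HTTP/2 request with neither :authority nor Host (RFC 7540 s8.1.2.3)"
        return None

    return f"unsupported protocol version {req.version!r}"


# Constructed sample requests covering the cases raised in the thread.
SAMPLES = {
    "http10_no_host": parse_http1_head("GET /index.html HTTP/1.0\r\nUser-Agent: curl/7.0\r\n\r\n"),
    "http11_no_host": parse_http1_head("GET /index.html HTTP/1.1\r\nUser-Agent: curl/7.0\r\n\r\n"),
    "http11_ok": parse_http1_head("GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "h2_authority": RequestHead("GET", "/index.html", "HTTP/2",
                                [(":authority", "example.com"), (":scheme", "https"), (":path", "/index.html")]),
    "h2_no_authority": RequestHead("GET", "/", "HTTP/2.0", [(":scheme", "https"), (":path", "/")]),
}


def audit(samples=SAMPLES) -> dict:
    """Map each sample name to its Host finding (None means no violation)."""
    return {name: host_finding(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name:16s} -> {finding or 'ok'}")
```

Only the HTTP/1.1 sample without Host and the HTTP/2 sample without ":authority" produce findings; the HTTP/1.0 request without Host passes, which is the distinction the mail argues a rule would have to make.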