Access List Not Working Properly After Update #1447
Comments
|
can you send me the config file from the host? |
|
Currently, it is possible to access the URL created in the proxy host without any login or authentication. |
|
so it will just open the page even without being in this ip range in a "private" browser? |
|
do you use openappsec or crowdsec? |
|
Even when accessing via LTE with an external IP, the page opens without authentication, even in secret mode. |
|
can you disable openappsec temporary and try again please? |
|
I paused the openappsec agent container and tested it, but access is still possible without authentication. (In an LTE environment) |
|
you need to set the load module env to false |
|
Oh, setting NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=false and commenting out ipc: service:openappsec-agent enabled the access list feature. It looks like this was the root cause of the issue! |
|
The same problem existed with crowdsec in the past, the nginx option satisfy any will accept the request (see it as authorized) if one check passes and it seems like that a successfull openappsec check will be seen as authorization |
|
So, until an update is available, would it be correct to disable openappsec if the access list feature is needed? |
|
changing would not help in your case, since satisfy has two option "any" (means one is enough) and "all" (means that all, so ip check, credentials and openappsec need to be fine), if you want to change it to all it is the option which is called "Allow access if at least one authorization method succeeded" |
|
Hmm... So, can the issue of not being able to use the access list when using the openappsec module be resolved through an update, like the issue with CrowdSec? |
|
yes needs to be fixed by openappsec |
|
Off topic question: do you change 12121 back to 443 in your router when opening the ports to the internet? |
|
I have configured the router to forward incoming traffic on port 443 of the WAN IP to port 12121 on the server IP using port forwarding. |
|
Thanks! Because I think I need to add a second env, since then the port in the Alt-Svc needs to be 443 |
|
Hi @youngchaurachacha , I am from the open-appsec WAF team. Thanks for letting us know, we will soon try to replicate this and update here. |
|
Hi @youngchaurachacha , quick update on this, our R&D team has identified the issue (in our attachment code) and fix is planned to be included in our next release with ETA begin of next week. |
Thanks for the update! Appreciate the quick fix. Looking forward to the release. |
After the update, I enabled the access list and applied it to the proxy host, but it is not working properly.
Before the update, access from the internal network was allowed without any authentication, while connections from external IP addresses prompted a login screen. However, the login screen is no longer appearing now.
I couldn't find any access list-related logs in the container logs.
The text was updated successfully, but these errors were encountered: