Description
Hello Team, and thanks for your work on the modsec connector for Nginx.

We built nginx with modsec and the modsec connector using the official 'nginx-quic' branch for implementing HTTP3. We use nginx primarily as a global reverse proxy server for our web infrastructure, providing SSL/TLS encryption for our web apps as well as threat protection thanks to modsec.

Everything is working fine apart from several rules we implemented which at the time seemed ineffective, for some unknown reason.

After some debugging (by enabling modsec's audit logs), it appears that the 'Host' header is missing when clients make requests via HTTP3 (that header is not present in modsec's audit logs). That would explain our issue: since that header is unavailable to modsec, all rules like "SecRule REQUEST_HEADERS:Host" are ineffective when clients connect via HTTP3. We then checked with both HTTP1.1/2: the Host header is present in the audit logs, and our rules are applied successfully as they should be.

We tried to find a workaround by using the 'headers-more' module from openresty and applying custom inbound headers. However, it seems that modsec's processing is done prior to our custom headers being injected, which makes such a workaround hopeless. Not quite sure what to do next. It's also possible that the Host header not being present is part of the HTTP3 specification. It should be noted that rules using REQUEST_URI are working normally via all protocols, including HTTP3.

Any suggestions? Is anybody else experiencing the same? Thanks in advance for your help!
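As an added diagnostic example (not code from the reporter or the ModSecurity-nginx project), the script below parses ModSecurity's serial audit-log format and reports, per request protocol, how many logged requests lack a Host header, which is the check the report describes doing by hand. The log entries are constructed and the transaction ids are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in ModSecurity's serial audit-log format (not a real capture).
# Section B carries the request line and request headers, where Host should appear.
SAMPLE_AUDIT_LOG = """\
--0a1b2c3d-B--
GET /app/login HTTP/1.1
Host: www.example.test
User-Agent: constructed-client/1.0
--0a1b2c3d-Z--
--4e5f6a7b-B--
GET /app/login HTTP/2.0
host: www.example.test
user-agent: constructed-client/1.0
--4e5f6a7b-Z--
--8c9d0e1f-B--
GET /app/login HTTP/3.0
user-agent: constructed-client/1.0
--8c9d0e1f-Z--
"""

SECTION_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$", re.MULTILINE)

def parse_transactions(log_text):
    """Split a serial audit log into {txn_id: {section_letter: section_body}}."""
    txns = defaultdict(dict)
    marks = list(SECTION_RE.finditer(log_text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log_text)
        txns[m.group(1)][m.group(2)] = log_text[m.end():end].strip("\n")
    return dict(txns)

def host_header_by_protocol(log_text):
    """Return {protocol: (requests_seen, requests_missing_host)} from section B."""
    stats = defaultdict(lambda: [0, 0])
    for txn in parse_transactions(log_text).values():
        if not txn.get("B"):
            continue
        request_line, *header_lines = txn["B"].splitlines()
        protocol = request_line.split()[-1]  # e.g. "HTTP/3.0"
        # Header names are case-insensitive, so compare them lowercased.
        names = {h.split(":", 1)[0].strip().lower() for h in header_lines if ":" in h}
        stats[protocol][0] += 1
        if "host" not in names:
            stats[protocol][1] += 1
    return {proto: tuple(v) for proto, v in stats.items()}

if __name__ == "__main__":
    for proto, (seen, missing) in sorted(host_header_by_protocol(SAMPLE_AUDIT_LOG).items()):
        print(f"{proto}: {seen} request(s), {missing} without a Host header")
```

Point it at a real audit log (SecAuditLogType Serial) to confirm whether the missing header correlates with HTTP/3 only, before changing any rules.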