Hello Team,
I have a JupyterHub instance where users log in with an OIDC provider (Keycloak) and spawn Jupyter notebooks. This JupyterHub is running behind an APISIX ingress. Everything works fine. Recently, I enabled the Coraza WASM plugin on APISIX for WAF capabilities. Since then, I have been unable to spawn notebooks from JupyterHub and get a 403: Forbidden error. I found the error below in the APISIX logs.
2024/10/15 04:49:17 [emerg] 50#50: *72040 [client ""] Coraza: Warning. URL file extension is restricted by policy [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "2518"] [id "920440"] [rev ""] [msg "URL file extension is restricted by policy"] [data ".com"] [severity "critical"] [ver "OWASP_CRS/4.0.0-rc2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname ""] [uri "/spawn/user-email@xxxx.com"] [unique_id "yUpadaxbWgjbs"], client: 10.1.3.0, server: _, request: "GET /spawn/user-email@xxxx.com HTTP/1.1", host: "jupyterhub-test.xxxx.xxx", referrer: "https://jupyterhub-test.xxxx.xx/hub/admin"
The APISIX Coraza WASM plugin is not allowing any request with the “.com” extension, which is the user’s email. Why does the APISIX Coraza WASM plugin think this is a vulnerability? Do I need to change anything in JupyterHub to resolve this and tell APISIX that it is a legitimate request?
Below is the APISIX Coraza WASM configuration:
global_rules:
  - id: 1
    plugins:
      coraza-filter: #1
        conf:
          directives_map: #2
            default:
              - SecDebugLogLevel 9 #3
              - SecRuleEngine On #4
              - Include @crs-setup-conf #5
              - Include @owasp_crs/*.conf #6
          default_directives: default #7
Any help would be useful.
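
Added example, not part of the original post and not CRS or Coraza code: a simplified Python model of the check that rule 920440 reports in the log above, showing why a path ending in an email address is read as a `.com` file extension. The extension list is a constructed sample (only `.com` is confirmed by the log), and the function names and the `excluded_prefixes` parameter are hypothetical.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample of a restricted-extension policy. ".com" is included
# because the log line reports it as "restricted by policy"; the other
# entries are illustrative assumptions.
RESTRICTED_EXTENSIONS = {".bak", ".bat", ".cmd", ".com", ".dll", ".ini", ".sql"}

# Everything after the last dot of the final path segment is treated as
# a file extension, whether or not the segment is really a file name.
EXTENSION_RE = re.compile(r"\.([^.]+)$")


def restricted_extension(uri):
    """Return the restricted extension in the URI's last segment, or None."""
    basename = posixpath.basename(urlsplit(uri).path)
    match = EXTENSION_RE.search(basename)
    if not match:
        return None
    ext = "." + match.group(1).lower()
    return ext if ext in RESTRICTED_EXTENSIONS else None


def evaluate(uri, excluded_prefixes=()):
    """Model the WAF decision for one request URI.

    excluded_prefixes (hypothetical) models a path-scoped rule exclusion:
    the extension check is skipped only for paths under those prefixes.
    """
    path = urlsplit(uri).path
    if any(path.startswith(prefix) for prefix in excluded_prefixes):
        return "pass"
    return "block" if restricted_extension(uri) else "pass"


if __name__ == "__main__":
    # URIs taken from the log line above, plus one constructed file request.
    for uri in ("/spawn/user-email@xxxx.com", "/hub/admin", "/files/dump.sql"):
        print(uri, "default:", evaluate(uri),
              "| /spawn/ excluded:", evaluate(uri, ("/spawn/",)))
```

The username in `/spawn/user-email@xxxx.com` is the last path segment, so its trailing `.com` is indistinguishable from a DOS executable extension to a basename-only check. A rule exclusion scoped to the `/spawn/` path (for example a `ctl:ruleRemoveById=920440` rule loaded before the CRS include) keeps the check active for every other path.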