how to tell coraza not to buffer responses?

[dkhokhlov]

I am using caddy as https reverse proxy with coraza. my app streams response. w/o coraza I see page rendered gradually. with coraza I get whole page after delay. Even with empty coraza config it is still buffering.

how to tell coraza not to buffer responses?

myhost:1443 {
    tls /etc/caddy/my.crt /etc/caddy/my.key
    reverse_proxy localhost:8080
    header Access-Control-Allow-Methods "POST, GET, OPTIONS"
    header Access-Control-Allow-Headers "*"
    encode zstd gzip
    log {
        level  DEBUG
    }
  coraza_waf {
    directives `
      Include /etc/caddy/coraza-coreruleset/rules/@coraza.conf-recommended
      Include /etc/caddy/coraza-coreruleset/rules/@crs-setup.conf.example
      Include /etc/caddy/coraza-coreruleset/rules/@owasp_crs/*.conf
      SecRuleEngine On
      SecDebugLog /dev/stdout
      SecDebugLogLevel 9
      SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,deny,status:403"
      SecRule REQUEST_BODY "@rx maliciouspayload" "id:102,phase:2,t:lowercase,deny,status:403"
    `
  }
}

[jptosso]

Unfortunately it's impossible to process the request with blocking capabilities without buffering.
Modsecurity tried a streaming mode but it never really worked, the same applies for coraza.
Also CRS breaks if we stops processing request body phase

[dkhokhlov]

double checking - you are talking about response? buffering a request and then processing its body etc is ok. but buffering corresponding response from the server is the problem.

[jptosso]

Same applies for responses, but it might not affect CRS unless you enable anomaly scoring mode. I think it wouldn't damage to allow users to stream the response body. We could even use an action to tell the connector to stream

@jcchavezs @fzipi

[jcchavezs]

You can disable request body inspection and that should do the trick but that is a big risk of leaking data in response payload.