appsec: various improvements (#763)

blotus · web-flow · commit 376474ac76fb · 2025-04-22T09:47:16.000+02:00
diff --git a/crowdsec-docs/docs/appsec/configuration.md b/crowdsec-docs/docs/appsec/configuration.md
@@ -58,6 +58,88 @@ inband_rules:
 #...
 ```
 
+## Disabling rules at runtime
+
+Even though we try to provide rules without false positives, sometimes a virtual patching rule can block legitimate requests on a website.
+
+You can disable rules at runtime, either globally (for all requests) or based on specific conditions (source IP, URI, ...).
+
+You can can disable rules by:
+ - Name with `RemoveInBandRuleByName`: Intended for disabling rules provided by crowdsec (the name is the name of the appsec-rule as seen in `cscli appsec-rules list`).
+ - ID with `RemoveInBandRuleByID`: Intended for disabling seclang rules
+ - Tag with `RemoveInBandRuleByTag`: Intended for disabling seclang rules
+
+The same functions exist for out-of-band rules, prefixed with `RemovedOutBandRuleBy...`
+
+To disable a rule, we'll first create a new `appsec-config` to avoid tainting the configuration from the hub (if you are already using a custom configuration, you can update this one instead).
+
+```yaml title="/etc/crowdsec/appsec-configs/my_config.yaml"
+name: custom/my_config
+on_load:
+ - apply:
+    - RemoveInBandRuleByName("crowdsecurity/vpatch-env-access")
+pre_eval:
+ - filter: IsInBand == true && req.URL.Path startsWith "/bar/"
+   apply:
+    - RemoveInBandRuleByName("crowdsecurity/generic-wordpress-uploads-php")
+```
+
+We are using the [hooks](/docs/appsec/hooks.md) provided by the appsec to modify the configuration in 2 places:
+ - `on_load`: Expressions here will be applied when crowdsec loads the configuration, effectively disabling the rule `crowdsecurity/vpatch-env-access` globally.
+ - `pre_eval`: Expressions here will be applied only if the provided filter matches. In this example, we are disabling the rule `crowdsecurity/generic-wordpress-uploads-php` only if the request URI starts with `/blog/` and if we are currently processing in-band rules.
+
+You can also disable native (seclang) rules by providing their ID with the `RemoveInBandRuleByID` helper. See the [hooks](appsec/hooks.md) documentation for a list of available helpers.
+
+Also note that we are not loading any rules in our custom config: the rules are loaded by the `crowdsecurity/appsec-default` config, and we are just modifying the runtime behavior with this config.
+
+Finally, we need to tell crowdsec to load our new config:
+
+```yaml title="/etc/crowdsec/acquis.d/appsec.yaml"
+appsec_configs:
+ - crowdsecurity/appsec-default
+ - custom/my_config
+labels:
+  type: appsec
+listen_addr: 127.0.0.1:7422
+source: appsec
+```
+
+## Allowlisting
+
+### Fully allow a specific IP or range
+
+If you want to ignore all rule matches for a specific IP or range, you can use a [centralized allowlist](local_api/allowlists.md).
+
+Rules will be processed as usual, but the request will not be blocked even if a rule matches.
+
+### Disable specific rules for a specific IP/range
+
+If you want to disable rule(s) for a specific IP (or range), you will need to use the `pre_eval` hook (refer to the section above for more details):
+
+```yaml title="/etc/crowdsec/appsec-configs/my_config.yaml"
+name: custom/my_config
+pre_eval:
+ - filter: req.RemoteAddr == "1.2.3.4"
+   apply:
+    - RemoveInBandRuleByName("crowdsecurity/generic-wordpress-uploads-php")
+```
+
+### Disable appsec for a specific FQDN
+
+If your reverse-proxy forwards all requests to crowdsec, regardless of the FQDN, you can disable the appsec for specific domain with a custom appsec-config (ie, the request will be always allowed):
+
+```yaml title="/etc/crowdsec/appsec-configs/my_config.yaml"
+name: custom/my_config
+on_match:
+ - filter: req.URL.Host == "foo.com"
+   apply:
+    - CancelEvent()
+    - CancelAlert()
+    - SetRemediation("allow")
+```
+
+With this config, the rules will still be evaluated, but if a rule matches no alert or event will be generated, and the remediation will be set to `allow`(ie, instruct the bouncer to let the request through).
+
 ## Appsec configuration
 
 The AppSec configuration is referenced by the acquisition configuration (`appsec_config`, `appsec_configs` or `appsec_config_path`):
diff --git a/crowdsec-docs/docs/appsec/hooks.md b/crowdsec-docs/docs/appsec/hooks.md
@@ -211,4 +211,14 @@ Any other values (including `ban` and `captcha`) are transmitted as-is to the re
 
 
 
+### `req` object
 
+The `pre_eval`, `on_match` and `post_eval` hooks have access to a `req` variable that represents the HTTP request that was forwarded to the appsec.
+
+It's a Go [http.Request](https://pkg.go.dev/net/http#Request) object, so you can directly access all the details about the request.
+
+For example:
+ - To get the requested URI: `req.URL.Path`
+ - To get the client IP: `req.RemoteAddr`
+ - To get the HTTP method: `req.Method`
+ - To get the FQDN: `req.URL.Host`
diff --git a/crowdsec-docs/docs/appsec/intro.md b/crowdsec-docs/docs/appsec/intro.md
@@ -70,8 +70,7 @@ You can follow our quick start guides depending on your web server:
 Or consider learning more about the AppSec capabilities:
 
 -   **Rules**: [How to read, write and debug rules](/appsec/rules_syntax.md)
- <!-- TODO -->
--   **Scenarios**: How to create scenarios that leverage the AppSec Component events
--   **Hooks**: [For advanced use let's talk about possible Hooks](/appsec/hooks.md)
+-   **Scenarios**: [How to create scenarios that leverage the AppSec Component events](/appsec/alerts_and_scenarios.md)
+-   **Hooks**: [To customise behavior of the AppSec at runtime](/appsec/hooks.md)
 -   **Troubleshoot**: [How to troubleshoot the behavior of the AppSec Component](/appsec/troubleshooting.md)
 -   **AppSec Protocol**: [if you're maintaining or creating a remedation component and want to add the AppSec capabilities](/appsec/protocol.md)
diff --git a/crowdsec-docs/docs/appsec/protocol.md b/crowdsec-docs/docs/appsec/protocol.md
@@ -22,14 +22,15 @@ This documentation can be useful in case you want to write your own remediation
 
 To work with the CrowdSec application security component, some HTTP headers are require, in addition to the other HTTP headers and the body of the original request.
 
-| Header Name                 | Description                                                                |
-| --------------------------- | -------------------------------------------------------------------------- |
-| `X-Crowdsec-Appsec-Ip`      | The Real IP address of the original HTTP request                           |
-| `X-Crowdsec-Appsec-Uri`     | The URI of the original HTTP request                                       |
-| `X-Crowdsec-Appsec-Host`    | The Host of the original HTTP request                                      |
-| `X-Crowdsec-Appsec-Verb`    | The Method of the original HTTP request                                    |
-| `X-Crowdsec-Appsec-Api-Key` | The API Key to communicate with the CrowdSec application security component |
-| `X-Crowdsec-Appsec-User-Agent`| The User-Agent of the original HTTP request                              |
+| Header Name                      | Description                                                                           |
+| -------------------------------- | ------------------------------------------------------------------------------------- |
+| `X-Crowdsec-Appsec-Ip`           | The Real IP address of the original HTTP request                                      |
+| `X-Crowdsec-Appsec-Uri`          | The URI of the original HTTP request                                                  |
+| `X-Crowdsec-Appsec-Host`         | The Host of the original HTTP request                                                 |
+| `X-Crowdsec-Appsec-Verb`         | The Method of the original HTTP request                                               |
+| `X-Crowdsec-Appsec-Api-Key`      | The API Key to communicate with the CrowdSec application security component           |
+| `X-Crowdsec-Appsec-User-Agent`   | The User-Agent of the original HTTP request                                           |
+| `X-Crowdsec-Appsec-Http-Version` | The HTTP version used by the original HTTP request (in integer form `10`, `11`, ...) |
 
 :::note
 
@@ -96,11 +97,11 @@ username=admin' OR '1'='1' -- &password=password
 
 According to the result of the processing of the HTTP request, the application security component will respond with a different HTTP code and body.
 
-| HTTP Code | Description                                                                                                                                          | Body                                             |
-| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ |
-| `200`     | The HTTP request is allowed                                                                                                                          | `{"action" : "allow"}`                           |
-| `403`     | The HTTP request triggered one or more application security component rules                                                                           | `{"action" : "ban", "http_status": 403}` or `{"action" : "captcha", "http_status": 403}` |
-| `500`     | An error occurred in the application security component. The remediation component must support a `APPSEC_FAILURE_ACTION` parameter to handle this case | `null`                                           |
-| `401`     | The remediation component is not authenticated. It must use the same API Key that was generated to pull the local API request                        | `null`                                           |
+| HTTP Code | Description                                                                                                                                             | Body                                                                                     |
+| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
+| `200`     | The HTTP request is allowed                                                                                                                             | `{"action" : "allow"}`                                                                   |
+| `403`     | The HTTP request triggered one or more application security component rules                                                                             | `{"action" : "ban", "http_status": 403}` or `{"action" : "captcha", "http_status": 403}` |
+| `500`     | An error occurred in the application security component. The remediation component must support a `APPSEC_FAILURE_ACTION` parameter to handle this case | `null`                                                                                   |
+| `401`     | The remediation component is not authenticated. It must use the same API Key that was generated to pull the local API request                           | `null`                                                                                   |
 
 In case of a `403` response, the body will contain the action to take and the HTTP status code to return to the client.
