Log4Shell is a middleware plugin for Traefik which blocks JNDI attacks based on HTTP header values.

Overview

Log4Shell Mitigation

Related to the Log4J CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
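How a header-scanning middleware of this kind can behave, as an added example that is not the plugin's own code. The names `suspicious`, `Block` and `probe` are hypothetical, the matching rule is a simplified assumption, and `errorCode` mirrors the option configured below.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// suspicious is a conservative check (assumption, not the plugin's parser):
// "${" followed by "jndi" in any case, or by a nested "${", is rejected.
func suspicious(v string) bool {
	_, rest, found := strings.Cut(strings.ToLower(v), "${")
	return found && (strings.Contains(rest, "jndi") || strings.Contains(rest, "${"))
}

// Block answers errorCode with an empty body instead of calling next when any
// header value looks like a lookup. It logs the header name, never the value.
func Block(next http.Handler, errorCode int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for name, values := range r.Header {
			for _, v := range values {
				if suspicious(v) {
					log.Printf("log4shell: blocked header %q from %s", name, r.RemoteAddr)
					w.WriteHeader(errorCode)
					return
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through Block: status code, backend reached?
func probe(value string, errorCode int) (int, bool) {
	reached := false
	backend := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { reached = true })
	req := httptest.NewRequest(http.MethodGet, "http://whoami.localhost/", nil)
	req.Header.Set("User-Agent", value)
	rec := httptest.NewRecorder()
	Block(backend, errorCode).ServeHTTP(rec, req)
	return rec.Code, reached
}

func main() {
	fmt.Println(probe("${jndi:ldap://example.invalid/a}", 200)) // constructed sample
	fmt.Println(probe("curl/7.79.1", 200))
}
```

With `errorCode` set to 200, a blocked request and a forwarded one return the same status, so only the middleware's own log line and the untouched backend tell them apart.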

Configuration

Static

CLI

--pilot.token=xxx
--experimental.plugins.log4shell.modulename=github.com/traefik/plugin-log4shell
--experimental.plugins.log4shell.version=v0.1.2

YAML

pilot:
  token: xxx

experimental:
  plugins:
    log4shell:
      modulename: github.com/traefik/plugin-log4shell
      version: v0.1.2

TOML

[pilot]
    token = "xxx"

[experimental.plugins.log4shell]
    modulename = "github.com/traefik/plugin-log4shell"
    version = "v0.1.2"

Dynamic

To configure the Log4Shell plugin you should create a middleware in your dynamic configuration as explained here.

File

YAML

http:
  middlewares:
    log4shell-foo:
      plugin:
        log4shell:
          errorCode: 200

  routers:
    my-router:
      rule: Host(`localhost`)
      middlewares:
        - log4shell-foo
      service: my-service

  services:
    my-service:
      loadBalancer:
        servers:
          - url: 'http://127.0.0.1'

TOML

[http.middlewares]
  [http.middlewares.log4shell-foo.plugin.log4shell]
    errorCode = 200

[http.routers]
  [http.routers.my-router]
    rule = "Host(`localhost`)"
    middlewares = ["log4shell-foo"]
    service = "my-service"

[http.services]
  [http.services.my-service]
    [http.services.my-service.loadBalancer]
      [[http.services.my-service.loadBalancer.servers]]
        url = "http://127.0.0.1"

Kubernetes

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: log4shell-foo
spec:
  plugin:
    log4shell:
      errorCode: 200

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`whoami.localhost`)
      middlewares:
        - name: log4shell-foo
      services:
        - kind: Service
          name: whoami-svc
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: log4shell-foo
spec:
  plugin:
    log4shell:
      errorCode: 200

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: [email protected]

spec:
  rules:
    - host: whoami.localhost
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name:  whoami
                port:
                  number: 80

Docker

version: '3.7'

services:
  whoami:
    image: traefik/whoami:v1.7.1
    labels:
      traefik.enable: 'true'

      traefik.http.routers.app.rule: Host(`whoami.localhost`)
      traefik.http.routers.app.entrypoints: websecure
      traefik.http.routers.app.middlewares: log4shell-foo
      
      traefik.http.middlewares.log4shell-foo.plugin.log4shell.errorcode: 200

Issues
  • Mem Leak?

    Is there a possible memory leak with this plugin, or with the overall Traefik plugin system?

    We're running Traefik 2.5.1 with the log4shell plugin (0.1.2) on 8 different Swarms since Dec 20 (~2 weeks). In one Swarm, Traefik is now using 30GB memory each (5 replicas). In another Swarm, Traefik is using 2GB memory each (5 replicas). The remaining 6 Swarms are seeing relatively normal memory usage - although, these past 2 weeks would also have seen much lower request volume.

    Memory

    ~60 nodes, 8 Swarms, memory usage over 4 weeks: image

    I don't see anything glaring in the logs.

    Configuration

    middlewares.yml

    http:
      middlewares:
        compress:
          compress: {}
        plugin-log4shell:
          plugin:
            log4shell:
              errorCode: "200"
    

    traefik.yml

    # Traefik Config 2.x
    
    pilot:
      token: "***********************************"
    
    experimental:
      plugins:
        log4shell:
          moduleName: "github.com/traefik/plugin-log4shell"
          version: "v0.1.2"
    
    # Entrypoints configuration
    entryPoints:
      metrics:
        address: ':8084'
      http:
        address: ':80'
        forwardedHeaders:
          insecure: true
        http:
          middlewares:
            - [email protected]
            - [email protected]
    ...
    
    kind/bug/possible 
    opened by rjchicago 13
  •  plugin: unknown plugin type: log4shell

    I'm running traefik:v2.5.4 on a Docker standalone host. I'm getting this error when creating the middleware:

     plugin: unknown plugin type: log4shell 
    

    Interesting part of the traefik compose yaml:

      traefik:
        image: traefik:v2.5.4
        restart: always
        command:
          - "--accesslog"
          - "--log.level=INFO"
          ...
          - "--experimental.plugins.log4shell.modulename=github.com/traefik/plugin-log4shell"
          - "--experimental.plugins.log4shell.version=v0.1.2"
          ...
    

    Interesting part of the apps compose yaml:

        ...
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.app.rule=Host(`app.your.domain.com`)"
          - "traefik.http.routers.app.entrypoints=websecure"
          - "traefik.http.routers.app.tls.certresolver=mytlschallenge"
          - "traefik.http.services.app.loadbalancer.server.port=8080"
          - "[email protected]"
    

    Am I doing anything wrong?

    kind/question 
    opened by JamborJan 1
  • docs: fix typo in k8s examples

    What does this PR do?

    This pull request fixes typos in the k8s examples. The host values have also been updated to be consistent with the Docker example.

    area/documentation kind/bug/fix 
    opened by kevinpollet 0
  • Question about plugin

    Hi,

    Thanks for your job.

    I have one question, I have set up your plugin using traefik.yml:

    log4shell:
              modulename: github.com/traefik/plugin-log4shell
              version: v0.1.2
    

    And dynamic.yml :

    log4shell-foo:
                plugin:
                    log4shell:
                        errorCode: 200
    

    My Traefik dashboard seems to be ok 👍

    It works perfectly, but how does it work? Can I see some logs about the "scan"? Do I have to download some file into my traefik folder to make it work? Can you give me more detail to be sure that I'm really using your plugin?

    Regards

    opened by mushuthecat 2
  • Request and attempt not shown in either logs

    Hi,

    I am running Traefik 2.5.5, plugin-log4shell v0.1.2. After sending test requests, the requests return the code 200 and no content as expected, but strangely the requests do not show up in the traefik log; in the access log there is no full request with the headers. Is there a way to log something about the attempt?

    kind/question 
    opened by RichardMore 0
  • Plugin throwing some Panics

    Hello, I've been running this plugin since Friday with no apparent issues but today when looking at my Traefik error logs I saw this:

    plugins-storage/sources/gop-2074653309/src/github.com/traefik/plugin-log4shell/parser.go:120:6: panic
    plugins-storage/sources/gop-2074653309/src/github.com/traefik/plugin-log4shell/parser.go:67:16: panic
    plugins-storage/sources/gop-2074653309/src/github.com/traefik/plugin-log4shell/middleware.go:51:5: panic
    plugins-storage/sources/gop-2074653309/src/github.com/traefik/plugin-log4shell/middleware.go:38:25: panic
    

    Unfortunately I don't have the requests that created those panics. Is there a way to get more details from the plugin?

    This is on Traefik 2.5.4 running on arm64.

    kind/bug/possible 
    opened by jcalonso 1
Owner
Traefik Labs