What happened?
My HAProxy dev box has no restrictions on methods; an external IP sent CONNECT requests which contain an IP in the request line:
```console
http-in crowdsec/s1 0/0/15/15/0/0/1/16 404 89 - - CD-- 2/2/0/0/0 0/0 "CONNECT 116.202.157.104:80 HTTP/1.1" remediation: allow iso: GB
```
results in:
```console
time="2025-12-17T10:44:23Z" level=error msg="unable to parse url '116.202.157.104:80': parse \"116.202.157.104:80\": first path segment in URL cannot contain colon" module=acquisition.appsec name=myAppSecComponent type=appsec
```
Yes, a proper setup should enforce restrictions on methods, but we should also be able to detect these if the user wishes.
What did you expect to happen?
AppSec should be able to parse any URL loosely to pass to the underlying Coraza engine.
How can we reproduce it (as minimally and precisely as possible)?
Setting up the minimal haproxy spoa with appsec enabled and sending a CONNECT request should be enough to trigger.
Anything else we need to know?
No response
Crowdsec version
Details
$ cscli version
# paste output here
OS version
Details
# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here
# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here
Enabled collections and parsers
Details
$ cscli hub list -o raw
# paste output here
Acquisition config
Details
```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
# paste output here
# On Windows:
C:\> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
# paste output here
```
Config show
Details
$ cscli config show
# paste output here
Prometheus metrics
Details
$ cscli metrics
# paste output here
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
Details
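An added example, not part of the original report and not CrowdSec's code: the `CONNECT` target above is in authority-form (`host:port`), which Go's `url.Parse` rejects with the error in the log. The sketch below handles each request-target form by method; `parseRequestTarget` and `looseTarget` are hypothetical names, and keeping an unparseable target in `Opaque` is an assumed design choice.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// parseRequestTarget is a hypothetical helper (not CrowdSec code) that accepts
// the four HTTP/1.1 request-target forms instead of assuming a path or full URL.
func parseRequestTarget(method, target string) (*url.URL, error) {
	switch {
	case target == "*": // asterisk-form, e.g. "OPTIONS * HTTP/1.1"
		return &url.URL{Path: "*"}, nil
	case method == "CONNECT" && !strings.HasPrefix(target, "/"):
		// authority-form: "host:port" with no scheme and no path.
		host, port, err := net.SplitHostPort(target)
		if err != nil || host == "" || port == "" {
			return nil, fmt.Errorf("invalid CONNECT authority %q", target)
		}
		return &url.URL{Host: target}, nil
	default: // origin-form ("/path?query") or absolute-form ("http://host/path")
		return url.ParseRequestURI(target)
	}
}

// looseTarget never fails: a target that cannot be parsed is kept verbatim in
// Opaque (assumed design choice) so an inspection engine still sees the raw value.
func looseTarget(method, target string) *url.URL {
	if u, err := parseRequestTarget(method, target); err == nil {
		return u
	}
	return &url.URL{Opaque: target}
}

func main() {
	// Sample input: the request target quoted in this report.
	_, err := url.Parse("116.202.157.104:80")
	fmt.Println("url.Parse:", err)
	u := looseTarget("CONNECT", "116.202.157.104:80")
	fmt.Printf("host=%q port=%q path=%q\n", u.Hostname(), u.Port(), u.Path)
}
```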