gplessis / dotdeb-nginx

Dotdeb : Nginx
http://www.dotdeb.org/
BSD 2-Clause "Simplified" License

naxsi blocking while in learning mode: wrong module order in compilation? #79

Closed jmce closed 8 years ago

jmce commented 8 years ago

Having set up a few virtual hosts using dotdeb's nginx with NAXSI on Debian jessie [naxsi-extras 1.8.1-1~dotdeb+8.1], I noticed some access blocking occurring for locations set to be in learning mode. In that mode, blocking is supposed to be disabled, and mostly it is — but, for a few locations, some requests are 'randomly' denied.

Apparently this issue has been met and reported before as Debian bug 758642 (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758642), and the package maintainer followed the suggestion of changing the module specification order (http://anonscm.debian.org/cgit/collab-maint/nginx.git/tree/debian/rules?id=7e92bc3). Meanwhile, naxsi was dropped from Debian's nginx, so it seems this was actually never released.

Has this issue been taken into account in dotdeb packages? I'm not acquainted with further details on this (including ordering consequences for configure), but noticed that: 1) in debian/rules, naxsi_src is the first --add-module instance for nginx-naxsi, but below all the --with-; and 2) for nginx-extras it is not even the first --add-module instance.

I will try to rebuild dotdeb's nginx packages here, today, after adjusting the order in debian/rules, and will let you know about any changes in behaviour...
(I may also try using nginx-naxsi instead of nginx-extras, since the additional capabilities may not be needed here for some time...)
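
Added example, not part of the original thread or of the dotdeb packaging: a way to check the ordering described in the post above on an installed binary, by parsing the `configure arguments:` line that `nginx -V` prints. The sample lines, paths and the `module-a` name are constructed placeholders, and `naxsi_order` is a hypothetical helper name.

```python
import shlex

# Constructed samples of `nginx -V` output; paths and "module-a" are placeholders,
# not the real dotdeb build lines.
SAMPLE_NAXSI = ("configure arguments: --prefix=/usr/share/nginx "
                "--with-http_ssl_module --with-ipv6 "
                "--add-module=/build/modules/naxsi/naxsi_src "
                "--add-module=/build/modules/module-a")
SAMPLE_EXTRAS = ("configure arguments: --prefix=/usr/share/nginx "
                 "--with-http_ssl_module "
                 "--add-module=/build/modules/module-a "
                 "--add-module=/build/modules/naxsi/naxsi_src --with-ipv6")


def naxsi_order(nginx_v_output):
    """Report where naxsi sits among the configure arguments of an nginx build."""
    for line in nginx_v_output.splitlines():
        if line.startswith("configure arguments:"):
            # shlex keeps quoted values such as --with-cc-opt='-g -O2' in one piece
            args = shlex.split(line.split(":", 1)[1])
            break
    else:
        raise ValueError("no 'configure arguments:' line found")

    # (position in the argument list, module path) for each --add-module, in order
    modules = [(i, a.split("=", 1)[1]) for i, a in enumerate(args)
               if a.startswith("--add-module=")]
    naxsi = [(rank, pos) for rank, (pos, path) in enumerate(modules)
             if "naxsi" in path.lower()]
    if not naxsi:
        return {"present": False}
    rank, pos = naxsi[0]
    return {
        "present": True,
        "first_add_module": rank == 0,
        "modules_before": [path for _, path in modules[:rank]],
        "with_flags_before": [a for a in args[:pos] if a.startswith("--with-")],
        "with_flags_after": [a for a in args[pos + 1:] if a.startswith("--with-")],
    }


if __name__ == "__main__":
    # On a real host, pass the text captured from: nginx -V 2>&1
    for name, sample in (("naxsi", SAMPLE_NAXSI), ("extras", SAMPLE_EXTRAS)):
        print(name, naxsi_order(sample))
```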

jmce commented 8 years ago

borked title, of course: meant "while in learning mode"

jmce commented 8 years ago

The module order adjustment hasn't solved the issue, at least not always --- blocking can still occur in learning mode, at least for internal rules 17 and 18, both libinjection-related.

gplessis commented 8 years ago

This change has been taken into account with the latest nginx packages for Jessie and Wheezy.

Please confirm.

gplessis commented 8 years ago

Any feedback?