nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

nginx: [emerg] "MainRule" directive is not allowed here in /etc/nginx/naxsi_core.rules #202

Closed exZ closed 9 years ago

exZ commented 9 years ago

Starting nginx (1.9.1) with naxsi.

Linux proxy1-coffee 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux CentOS release 6.6 (Final)

conf:

  location /beta/ {
        #Naxsi
        #LearningMode;
        internal;
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";

        include "/etc/nginx/naxsi_core.rules";

        ## check rules
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;

        proxy_cache_key $uri$is_args$args;
        proxy_pass   http://10.0.2.21:80;
        proxy_redirect off;
    }

Configure:

./configure --add-module=../naxsi/naxsi_src --add-module=../ngx_http_geoip2_module --with-http_ssl_module --sbin-path=/usr/sbin/ --conf-path=/etc/nginx \
--with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-file-aio --with-http_realip_module --user=nginx --group=nginx --prefix=/etc/nginx \
--pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-ipv6 --with-mail_ssl_module \
--with-mail --with-http_secure_link_module --with-http_random_index_module --with-http_gunzip_module --with-http_addition_module --http-client-body-temp-path=/var/cache/nginx/client_temp \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp

Configure output: (important lines)

configuring additional modules
adding module in ../naxsi/naxsi_src
 + ngx_http_naxsi_module was configured
adding module in ../ngx_http_geoip2_module
checking for MaxmindDB library ... found
 + ngx_http_geoip2_module was configured
checking for PCRE library ... found
checking for PCRE JIT support ... not found
checking for OpenSSL library ... found
checking for zlib library ... found
creating objs/Makefile

blotus commented 9 years ago

Hi,

The core rules should not be included inside a location. Move the 'include "/etc/nginx/naxsi_core.rules";' outside the location and it will work.
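The layout blotus describes, written out as an added example (not configuration from the issue or from the naxsi project): the `MainRule` definitions in naxsi_core.rules are included once at the `http` level, while enabling naxsi and setting the `CheckRule` thresholds stays per location. The `/RequestDenied` location and the `403` it returns are assumptions here, added because the `DeniedUrl` in the original config points at it but it is not shown.

```nginx
http {
    # Core rules (MainRule directives) are only valid at http level,
    # so they are included here, not inside a location.
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;

        location /beta/ {
            # Enabling naxsi and scoring thresholds are per-location.
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";

            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            proxy_cache_key $uri$is_args$args;
            proxy_pass http://10.0.2.21:80;
            proxy_redirect off;
        }

        # Assumed target for DeniedUrl: blocked requests are redirected here
        # internally and answered with 403.
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```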

exZ commented 9 years ago

Oh, thank you @blotus. How do I set up different sets of rules based on location?