Closed selivan closed 11 months ago
Hello !
Yes, it seems naxsi breaks subrequests, but I haven't encountered it yet because we are not using them. Can you provide me a little test case so I can have a look? I hope to get some time to work on this!
regards and thanks for the detailed issues :)
Hi, it seems that naxsi does not take effect within an nginx internal subrequest?

nginx: 1.10.1
naxsi: 0.55.3
nginx.conf:

    location /loc1 {
        #SecRulesEnabled;
        #DeniedUrl "/50x.html";
        #CheckRule "$SQL >= 8" BLOCK;
        #CheckRule "$RFI >= 8" BLOCK;
        #CheckRule "$TRAVERSAL >= 4" BLOCK;
        #CheckRule "$EVADE >= 4" BLOCK;
        #CheckRule "$XSS >= 8" BLOCK;
        # internal subrequest to /loc2 via ngx_lua (inner quotes must differ from the
        # single quotes that delimit the Lua chunk)
        content_by_lua 'ngx.location.capture("/loc2")';
    }

    location /loc2 {
        SecRulesEnabled;
        DeniedUrl "/50x.html";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        proxy_pass http://192.168.0.11:8080$request_uri;
    }
1. Enable naxsi `SecRule` in `/loc1`: the rules take effect.
2. Disable `SecRule` in `/loc1` and enable naxsi `SecRule` only in `/loc2`: the rules have no effect. That is to say, naxsi does not take effect in the nginx internal subrequest.
Any good suggestions? Thanks!
@buixor I am a little overloaded now, but I promise I'll return in a couple of days with a solid test case. I remember that in the configuration I was building, both SSI and `echo_location` were glitching inside the internal location used to handle blocked requests: `DeniedUrl "/location_with_ssi";`.
Don't worry, I'm quite busy myself, and will be out of the internetz from next week till the end of the month :)
@buixor seems I finally got it. It was quite a quest to catch when exactly it breaks :) Here is the test case:

1. `DeniedUrl` points to a location where subrequests are used: `echo_location` from the echo module, `include file=` or `include virtual=`
2. keepalive is enabled in nginx

Expected: first request gets the response from the `DeniedUrl` location, second request is processed as usual.
Actual result: first request returns the expected response, second request hangs forever.

Environment: `nginx -V`: https://gist.github.com/selivan/cac189d3b8ba167e43899cc908195114

If you disable `echo_location` inside the problematic location, you will get the expected result.

Here is the test nginx.conf: https://gist.github.com/selivan/10ed68156a869b4095c20a2d10cc101c

To make curl send the requests in a single keepalive connection, you can use the `--config-file` option with a file like this (empty lines are mandatory):

    url="http://example.net/?wafprohibited=<script>"

    url="http://example.net/"
P.S. And I'd like to repeat my question, is it possible to get commercial support for Naxsi? I think I can convince my bosses to pay for it.
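The keepalive reproduction above relies on noticing that curl never returns. The script below is an added example (not part of the issue, the gists, or the naxsi project) that makes the same check deterministic: it sends the two requests from the curl config over one persistent HTTP/1.1 connection and records each status, with `None` standing for a timeout, which is how a hung connection shows up. The `HangingStub` server is a constructed stand-in that mimics the reported behaviour (first request answered, second never answered) so the script runs offline; the paths, the stub, and the `probe_keepalive` / `hangs_on_second_request` names are assumptions of this example, not anything from nginx or naxsi. Point `probe_keepalive` at a real nginx+naxsi host to run the actual test.

```python
import http.client
import socket
import threading

# Constructed sample paths mirroring the curl config in the thread: the first
# carries the string that is meant to trigger a naxsi block (answered from the
# DeniedUrl location), the second is an ordinary request on the same connection.
TRIGGER_PATH = "/?wafprohibited=%3Cscript%3E"
PLAIN_PATH = "/"


def probe_keepalive(host, port, paths=(TRIGGER_PATH, PLAIN_PATH), timeout=3.0):
    """Send `paths` in order over ONE persistent HTTP/1.1 connection.

    Returns a list of (path, status) tuples; status is None when the request
    timed out or the connection broke, i.e. the hang reported in the thread.
    Probing stops at the first failure: a dead connection carries no more data.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    results = []
    try:
        for path in paths:
            try:
                conn.request("GET", path, headers={"Connection": "keep-alive"})
                resp = conn.getresponse()
                resp.read()  # drain the body so http.client reuses the socket
                results.append((path, resp.status))
            except (OSError, http.client.HTTPException):  # socket.timeout is an OSError
                results.append((path, None))
                break
    finally:
        conn.close()
    return results


def hangs_on_second_request(results):
    """True when the first request was answered but a later one got no answer."""
    return (len(results) >= 2 and results[0][1] is not None
            and any(status is None for _, status in results[1:]))


class HangingStub:
    """Constructed stand-in for the misbehaving server: answers the first request
    on a connection, then stays silent on the next one. Exists only so the
    harness can be exercised offline; it models nothing about naxsi internals."""

    def __init__(self, host="127.0.0.1"):
        self.listener = socket.socket()
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((host, 0))
        self.listener.listen(1)
        self.host, self.port = self.listener.getsockname()[:2]
        self.stopped = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def stop(self):
        self.stopped.set()
        self.listener.close()

    def _serve(self):
        try:
            client, _ = self.listener.accept()
        except OSError:
            return
        with client:
            client.settimeout(5)
            try:
                self._read_request(client)
                body = b"served from the DeniedUrl location\n"
                client.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                               b"Content-Length: %d\r\nConnection: keep-alive\r\n\r\n"
                               % len(body) + body)
                self._read_request(client)  # second request arrives on the same socket...
            except OSError:
                return
            self.stopped.wait()  # ...and is never answered: the reported hang

    @staticmethod
    def _read_request(client):
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = client.recv(4096)
            if not chunk:
                raise ConnectionError("client closed the connection")
            data += chunk
        return data


if __name__ == "__main__":
    stub = HangingStub()
    try:
        out = probe_keepalive(stub.host, stub.port, timeout=1.0)
    finally:
        stub.stop()
    for path, status in out:
        print(path, "->", "HUNG (timeout)" if status is None else status)
    print("second request hangs:", hangs_on_second_request(out))
```

Against a real host, a `[(TRIGGER_PATH, 200), (PLAIN_PATH, None)]` result is the bug as described; a healthy setup returns a status for both. Keep the timeout well above the backend's normal latency so a slow upstream is not misreported as a hang.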
Hello,
Thanks for the detailed information :) I'll be on holidays for two weeks with no internet, but I'll try to tackle this one when I come back! So far, I have no plan for commercial support for naxsi as I'd like to keep free hands on it, but we can always discuss the matter depending on your needs. Can you mail me?
cheers,
@buixor
can you mail me ?
I can't, because neither your GitHub profile nor your blog has any mail link. Can you please contact me at selivan.at.github@gmail.com?
nginx version: 1.10.3
modules: nginx-echo, naxsi
naxsi version: 0.55.3
I tried using the openresty echo-nginx-module. Plain `echo` works fine, but `echo_location`, `echo_location_async`, `echo_subrequest` and `echo_subrequest_async` work 50/50: sometimes they return the required answer, sometimes they just hang indefinitely.

Then, to solve the same task, I switched to nginx's built-in SSI and got very similar behavior: shtml files with only `<!--# echo var="time_local" -->` work fine, but shtml files with `<!--# include file="/somefile" -->` work 50/50, like `echo_location`.

I suppose both of these modules use nginx subrequests, and naxsi somehow breaks this functionality.
P.S. Is there any way to get commercial support for naxsi?