nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

naxsi breaks nginx modules that use subrequests, like SSI [error] #364

Closed selivan closed 11 months ago

selivan commented 7 years ago

I tried using openresty echo-nginx-module. Plain echo works fine, but echo_location, echo_location_async, echo_subrequest, echo_subrequest_async work 50/50: sometimes they return the required answer, sometimes they just hang indefinitely.

Then, to solve the same task, I switched to the nginx built-in SSI and got very similar behavior: shtml files with only `<!--# echo var="time_local" -->` work fine, but shtml files with `<!--# include file="/somefile" -->` work 50/50, like echo_location.

I suppose both of these modules use nginx subrequests, and naxsi somehow breaks this functionality.

P.S. Is there any way to get commercial support for naxsi?

buixor commented 7 years ago

Hello !

Yes, it seems naxsi breaks subrequests, but I haven't encountered it yet because we are not using them. Can you provide me a little test case so I can have a look? I hope to get some time to work on this!

Regards, and thanks for the detailed issues :)

buixor commented 7 years ago

Hi, it seems that naxsi does not take effect within an nginx internal subrequest?

```nginx
location /loc2 {
    SecRulesEnabled;
    DeniedUrl "/50x.html";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;

    proxy_pass http://192.168.0.11:8080$request_uri;
}
```

1. Enable naxsi `SecRule` in `/loc1`: the rules take effect.
2. Disable `SecRule` in `/loc1` and enable naxsi `SecRule` only in `/loc2`: the rules have no effect. That is to say, naxsi does not take effect in the nginx internal subrequest.

Any good suggestions? Thanks!

selivan commented 7 years ago

@buixor I am a little overloaded now, but I promise I'll return in a couple of days with a solid test case. I remember that in the configuration I was building, both SSI and echo_location were glitching inside the internal location used to handle blocked requests: `DeniedUrl "/location_with_ssi";`.

buixor commented 7 years ago

Don't worry, I'm quite busy myself, and will be out of the internetz from next week till the end of the month :)

selivan commented 7 years ago

@buixor Seems I finally got it. It was quite a quest to catch when exactly it breaks :) Here is the test case:

Expected: the first request gets the response from the DeniedUrl location, the second request is processed as usual.

Actual result: the first request returns the expected response, the second request hangs forever.

Environment:

If you disable echo_location inside the problematic location, you get the expected result.

Here is test nginx.conf: https://gist.github.com/selivan/10ed68156a869b4095c20a2d10cc101c

To make curl send the requests over a single keepalive connection, you can use the --config-file option with a file like this (the empty lines are mandatory):

```
url="http://example.net/?wafprohibited=<script>"

url="http://example.net/"
```

P.S. And I'd like to repeat my question: is it possible to get commercial support for Naxsi? I think I can convince my bosses to pay for it.
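The layout the test case above describes, written out as an added example. This is not the gist linked in the comment and not naxsi's or the echo module's own test configuration; the listen port, server name, backend address, the `/denied` and `/denied_body` location names and the choice of echo_location as the subrequest mechanism are all assumptions.

```nginx
# Added example, not the issue's gist: a naxsi-protected location whose
# DeniedUrl target itself performs an nginx subrequest via echo_location.
# Assumed: naxsi and echo-nginx-module are compiled in, naxsi_core.rules is
# installed at /etc/nginx/naxsi_core.rules, and a backend listens on 127.0.0.1:8080.

events {}

http {
    include /etc/nginx/naxsi_core.rules;

    server {
        listen 80;
        server_name example.net;

        # WAF-enabled front location, same CheckRule thresholds as earlier in the thread.
        location / {
            SecRulesEnabled;
            DeniedUrl "/denied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            proxy_pass http://127.0.0.1:8080;
        }

        # Target of DeniedUrl. echo_location issues an nginx subrequest,
        # which is the step the thread reports as hanging on the next
        # request over the same keepalive connection.
        location /denied {
            internal;
            echo_location /denied_body;
        }

        # Subrequest target: a plain body, no further subrequests.
        location /denied_body {
            internal;
            echo "request blocked";
        }
    }
}
```

To reproduce, send the two requests from the curl config above over one keepalive connection: the first (`?wafprohibited=<script>`) should be blocked and answered by `/denied`, the second should reach the backend. To confirm the subrequest is the trigger rather than naxsi's blocking itself, replace `echo_location /denied_body;` with a plain `echo "request blocked";` in `/denied` and run the same pair of requests again.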

buixor commented 7 years ago

Hello,

Thanks for the detailed information :) I'll be on holidays for two weeks with no internet, but I'll try to tackle this one when I come back! So far I have no plan for commercial support for naxsi, as I'd like to keep free hands on it, but we can always discuss the matter depending on your needs. Can you mail me?

Cheers,

selivan commented 7 years ago

@buixor

> can you mail me ?

I can't, because neither your GitHub profile nor your blog has any mail link. Can you please contact me at selivan.at.github@gmail.com?