nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Naxsi Rule help Question / Request #402

Closed C0nw0nk closed 6 years ago

C0nw0nk commented 6 years ago

Nginx server header HTTP_X_FORWARDED_FOR for Naxsi to check and allow only a single IPv4 or IPv6 address.

Just want naxsi to check that header to keep it clean and allow only a single not multiple IPV4 or IPV6 address.

Dunno what the regex should be for IPv6/v4 in Naxsi to achieve it.

buixor commented 6 years ago

Can you give an example of what you want to allow and what you want to disallow ?

C0nw0nk commented 6 years ago

Well, if the IPv4 or IPv6 addresses provided in the header contain the characters that make them a valid IP.

I know they use characters from A-Z, 0-9, . and :, and , to separate multiple IPs.

But maybe like MD5 checks with PHP regex:

<?php
// Returns 1 when $md5 is exactly 32 lowercase hex characters, 0 otherwise.
function isValidMd5($md5 = '')
{
    return preg_match('/^[a-f0-9]{32}$/', $md5);
}
echo isValidMd5('5d41402abc4b2a76b9719d911017c592');

IPv6 addresses can be more strict with the regex, to check whether certain parts should have a certain character length etc. I don't know the algorithm for how the addresses should be calculated, though; maybe someone can shed light on such things.

IPv4: 192.168.0.1 is 4 parts total, each part containing 0-3 chars, each char can be from 0-9, and the separator for the 4 parts is a full stop.

buixor commented 6 years ago

If I understood you correctly, you want to allow a single IPv4 or IPv6 address? Validating this properly with a regex sounds like a dangerous idea, but you might end up with something like this (untested ofc):

BasicRule "rx:^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$|^[a-f0-9:]+$" "mz:$HEADERS_VAR:x-forwarded-for" "s:...";

However, please take my word and consider this a bad idea; a quick Google search will lead you to the fact that validating IPv6 (or even IPv4) addresses with regex is closer to rocket jump than anything else :)

C0nw0nk commented 6 years ago

I do not want to validate it as such, but just check that the characters and the order of things look correct, and for it to work for both IPv4 and IPv6, just to ensure that the header stays clean from anything nasty like:

X-Forwarded-For: I-am-not-containing anything to do with-ipv4-or-ipv6 just another malicious request

As you can see, that is not an IP address in the header at all.
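To make buixor's caveat concrete, and to show what the proposed rule does and does not catch against a junk header like the one above, here is an added example that is not part of the issue or of naxsi itself. It runs the thread's regex (with the dots escaped) through Python's `re` as a stand-in for naxsi's PCRE matching (an assumption: for these plain character-class patterns the two engines agree), and compares the result with a strict "exactly one syntactically valid address" check built on the standard `ipaddress` module. The sample header values are constructed for the example.

```python
import ipaddress
import re

# The regex from the thread, escaped dots included.  Assumption: Python's re
# and naxsi's PCRE agree on these simple patterns.  Not naxsi code.
THREAD_RX = re.compile(
    r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$|^[a-f0-9:]+$"
)


def regex_accepts(xff: str) -> bool:
    """Does the thread's regex treat the X-Forwarded-For value as a single IP?"""
    return THREAD_RX.match(xff) is not None


def is_single_ip(xff: str) -> bool:
    """Strict reference check: exactly one syntactically valid IPv4 or IPv6 address."""
    value = xff.strip()
    if "," in value:
        # A comma means a proxy chain (several hops); the issue wants only one address.
        return False
    try:
        ipaddress.ip_address(value)  # raises ValueError on anything that is not an IP
    except ValueError:
        return False
    return True


# Constructed X-Forwarded-For values (not from the page) covering the cases discussed.
SAMPLES = [
    "192.168.0.1",                    # plain IPv4, both checks pass
    "2001:db8::1",                    # plain IPv6, both checks pass
    "192.168.0.1, 10.0.0.1",          # chain of two addresses, both reject
    "999.999.999.999",                # regex allows 3 digits per octet, not <= 255
    ":::",                            # only hex/colon characters, but not an address
    "deadbeef",                       # hex-looking junk with no colon, still matches
    "I-am-not-containing anything",   # the kind of garbage the issue wants dropped
]


def compare(samples=SAMPLES):
    """Map each sample value to (regex_result, strict_result)."""
    return {v: (regex_accepts(v), is_single_ip(v)) for v in samples}


def regex_false_accepts(samples=SAMPLES):
    """Values the regex lets through although they are not a valid single address."""
    return sorted(v for v, (rx, strict) in compare(samples).items() if rx and not strict)


if __name__ == "__main__":
    for v, (rx, strict) in compare().items():
        print(f"{v!r:34} regex={rx!s:5} strict={strict}")
    print("regex false accepts:", regex_false_accepts())
```

The regex does reject the free-text header from the comment above and any comma-separated chain, which is the "keep it clean" goal of the issue; what it cannot do is tell 999.999.999.999 or a bare run of hex digits from a real address, which is the gap buixor was pointing at. In a deployment the regex is a cheap first filter on the header's character set, and anything that actually relies on the client address (rate limits, allow lists, logging) should parse it with a real address parser rather than trust the match.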