nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Why does Naxsi (Nginx) not apply basic rules? CentOS 7. NGINX 1.12.2 #431

Closed PhilWicke closed 5 years ago

PhilWicke commented 6 years ago

I have recompiled the latest naxsi version with nginx according to several tutorials. Here is the nginx configuration:

    nginx version: nginx/1.12.2
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments:
    --prefix=/etc/nginx
    --sbin-path=/usr/sbin/nginx
    --conf-path=/etc/nginx/nginx.conf
    --add-module=../naxsi-master/naxsi_src/
    --error-log-path=/var/log/nginx/error.log
    --http-log-path=/var/log/nginx/access.log
    --pid-path=/var/run/nginx.pid
    --lock-path=/var/run/nginx.lock
    --http-client-body-temp-path=/var/cache/nginx/client_temp
    --http-proxy-temp-path=/var/cache/nginx/proxy_temp
    --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp
    --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp
    --http-scgi-temp-path=/var/cache/nginx/scgi_temp
    --user=nginx --group=nginx --with-http_ssl_module
    --with-http_realip_module --with-http_addition_module
    --with-http_sub_module --with-http_dav_module
    --with-http_flv_module --with-http_mp4_module
    --with-http_gunzip_module --with-http_gzip_static_module
    --with-http_random_index_module --with-http_secure_link_module
    --with-http_stub_status_module --with-http_auth_request_module
    --with-mail --with-mail_ssl_module
    --with-file-aio --with-ipv6 --with-http_v2_module
    --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
    --param=ssp-buffer-size=4 -m64 -mtune=generic'

Furthermore, I have added the basic naxsi rules into the http and server blocks. If any of the *.rules files from naxsi has a syntax error, I am notified by nginx -t. Therefore, I assume that so far naxsi and nginx are somewhat correctly installed. Nonetheless, any test of the naxsi rules fails. Testing http://MY-IP/?q="><script>alert(1)</script> does not result in blocking, nor do the logs show the rule breach. Here is my nginx.conf:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/naxsi_core.rules;

        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
        add_header X-Content-Type-Options "nosniff" always;

        client_header_timeout 3000;
        client_body_timeout 3000;
        fastcgi_read_timeout 3000;
        client_max_body_size 32m;
        fastcgi_buffers 8 128k;
        fastcgi_buffer_size 128k;

        log_format scripts '$document_root$fastcgi_script_name > $request';

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        server {
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Content-Security-Policy "frame-ancestors 'self'" always;
            add_header X-Content-Type-Options "nosniff" always;

            access_log /var/log/nginx/naxsi_access.log;
            error_log /var/log/nginx/naxsi_error.log debug;

            location / {
                include /etc/nginx/naxsi.rules;
                root   html;
                index  index.html index.htm;
            }

            error_page   500 502 503 504  /50x.html;

            location = /50x.html {
                root   html;
            }

            location /RequestDenied {
                return 500;
            }
            return 403;
        }

        proxy_connect_timeout       600;
        proxy_send_timeout          600;
        proxy_read_timeout          600;
        send_timeout                600;
        uwsgi_connect_timeout 750s;
        fastcgi_send_timeout 600s;

        include /etc/nginx/conf.d/*.conf;
    }

I have no idea why the rules do not apply. I've used the basic rules and turned off learning mode for naxsi. I'd be glad for any help pointing me in the right direction.

jvoisin commented 6 years ago

You might want to take a look at the example configuration provided in the wiki :)

PhilWicke commented 6 years ago

Thank you. I have used the example configuration before and it did not activate the rules. Neither did my current nginx.conf posted above. I've tried to use the example configuration from the wiki and now have this config:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    include /usr/share/nginx/modules/*.conf;
    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/naxsi_core.rules;

        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
        add_header X-Content-Type-Options "nosniff" always;

        client_header_timeout 3000;
        client_body_timeout 3000;
        fastcgi_read_timeout 3000;
        client_max_body_size 32m;
        fastcgi_buffers 8 128k;
        fastcgi_buffer_size 128k;

        log_format scripts '$document_root$fastcgi_script_name > $request';

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;

        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;

        server {
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Content-Security-Policy "frame-ancestors 'self'" always;
            add_header X-Content-Type-Options "nosniff" always;

            access_log /var/log/nginx/naxsi_access.log;
            error_log /var/log/nginx/naxsi_error.log debug;

            # example server config
            location / {
                SecRulesEnabled;
                # Define where blocked requests go
                DeniedUrl "/50x.html";
                # CheckRules, determining when naxsi needs to take action
                CheckRule "$SQL >= 8" BLOCK;
                CheckRule "$RFI >= 8" BLOCK;
                CheckRule "$TRAVERSAL >= 4" BLOCK;
                CheckRule "$EVADE >= 4" BLOCK;
                CheckRule "$XSS >= 8" BLOCK;
                # naxsi logs go there
                error_log /var/log/nginx/naxis_server_error.log;
            }
            error_page   500 502 503 504  /50x.html;
            # This is where the blocked requests are going
            location = /50x.html {
                return 418; # I'm a teapot \o/
            }
        }

        proxy_connect_timeout       600;
        proxy_send_timeout          600;
        proxy_read_timeout          600;
        send_timeout                600;
        uwsgi_connect_timeout 750s;
        fastcgi_send_timeout 600s;

        include /etc/nginx/conf.d/*.conf;
    }

jvoisin commented 6 years ago

I think that you mispasted something, because your server block is inside your http one.

PhilWicke commented 6 years ago

I'm sorry, but in every example and the default nginx.conf the server block is inside the http one. See HERE and HERE. If I have it outside the http, I receive nginx: [emerg] "server" directive is not allowed here.

jvoisin commented 6 years ago

My bad, you're absolutely right. The latest config that you pasted doesn't work? I don't see anything wrong with it.

Is the nginx you're running the one built with the naxsi plugin?

PhilWicke commented 6 years ago

Yes, the very first snippet shows my nginx configuration. Also, if the rules had a wrong syntax (as I tested before), this would result in an error starting nginx; therefore the nginx is running with the naxsi plugin. There might be nothing wrong with the nginx.conf, but I don't know where else I can find the bug/problem.

buixor commented 6 years ago

Hello, sorry for the delay in my answer :/ I was unfortunately not able to reproduce the issue locally. At first glance, I would think of a configuration error, but I don't see any mistake in your configuration. Can you include the full configuration if it isn't already the case, so I can give it a try locally? (i.e. I don't see the listen directive etc.)

Are you still facing the issue?

PhilWicke commented 6 years ago

Hello, thanks for replying to the issue. Yes, it still persists. If by full configuration you mean the entire nginx.conf, it is the one I've posted above. Not sure where there should be a listen or what it does.

Unless I find a solution, I'll have to re-write a lot of code. And I appreciate this project and would really like to make use of it. Let me know if there's any more information I can provide.

buixor commented 5 years ago

As I don't have access to your environment, I'm sorry but I can't really help. In order to know if it's a configuration issue, can you attempt typing make re from the naxsi_src directory? It's going to download & install nginx+naxsi in your /tmp/, and the conf can then be found in /tmp/naxsi_ut.

diadal commented 5 years ago

I am facing the same issue. I have tried a lot of configs; nothing works. @PhilWicke, were you able to fix this issue?

PhilWicke commented 5 years ago

@diadal unfortunately, I cannot fix the issue. I think I've done everything according to the instructions, but there is zero application of the rules. Let me know if you progress.

diadal commented 5 years ago

I guess the naxsi plugin is no longer working. I have done everything; there is no error log in nginx, but naxsi is still not working.

buixor commented 5 years ago

Hello,

How did you install the package? I'm going to try to get my hands on a centos to give it a try.

Can you maybe try running the unit tests (make test from the naxsi_src dir; requires Test::Nginx) to see if something is preventing naxsi from working?

Thanks,

On Thu, 10 Jan 2019 at 17:01, Diadal notifications@github.com wrote:

I guess the naxsi plugin is no longer working. I have done everything; there is no error log in nginx, but naxsi is still not working.


jvoisin commented 5 years ago

@buixor feel free to check this Snuffleupagus commit, on how to use gitlab-ci to run the testsuite/compilation on several linux distributions :)

bobziuchkovski commented 5 years ago

@PhilWicke I'm not sure the server block or location block you posted is actually being used by your live site(s). The following towards the end of your config file sticks out to me:

include /etc/nginx/conf.d/*.conf;

Could you post the contents of those included *.conf files? I'm guessing you might have other server/location blocks defined in those files, possibly without the naxsi config directives in them?

PhilWicke commented 5 years ago

@bobziuchkovski thank you for the reply. There are indeed three .conf files. Again, I have inherited the system and have very little knowledge. So, the server / locations that I can find in there are the following:

    server {
        server_name myserverName ourwebsite.com;
        location /downloads/ {
            root /srv;
            some X-XSS protection protocols
            location / {
                proxy_pass http://127.0.0.1:8080;
            }
        }

and in a different file, things like this:

    location ~* \.(css|js|gif|jpe?g|png)$ {
        expires 1d;
        log_not_found off;
    }
    location / {
        try_files $uri $uri/ $uri.html =404;
        log_not_found off;
    }

bobziuchkovski commented 5 years ago

@PhilWicke Aha. Yeah, I think it's the config file with the server_name myserverName ourwebsite.com block that is going to need the naxsi config directives. I can't tell about the other file with the additional location blocks. It depends on the context of where those are being included, but it's possible those might need some directives as well.

It looks like the config files are possibly a little disorganized. You might want to read through some various nginx config guides/examples to try to refactor/reorganize the config so that it's easy to follow and makes sense to you and others as a whole. That might make it a little easier to troubleshoot.
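The check bobziuchkovski describes above (server and location blocks pulled in via include from conf.d that carry no naxsi directives, so requests to the real vhost are never inspected) can be mechanised. The script below is an added example, not code from the naxsi project or from anyone in this thread. The file contents it audits are constructed to mirror the fragments posted above and live in an in-memory mapping so the script runs offline; to audit a real install, replace FILES with path-to-text read from /etc/nginx. Its parser understands only the nginx syntax needed here (directives, blocks, include with globs, comments, quoted arguments) and reports each location block in which naxsi cannot block anything: either SecRulesEnabled/LearningMode is absent, or it is present without any CheckRule.

```python
"""Audit an nginx configuration tree for location blocks in which naxsi
cannot block anything.

Added example, not code from the naxsi project or from the issue thread.
FILES is constructed sample data; the parser covers only the nginx syntax
needed here (directives, blocks, include, comments, quoted arguments).
"""
import fnmatch
import re

# Constructed sample: nginx.conf carries the naxsi directives, but the vhost
# that actually serves the site lives in conf.d and has none of them.
FILES = {
    "/etc/nginx/nginx.conf": """
        http {
            include /etc/nginx/naxsi_core.rules;   # core rule set
            server {
                location / {
                    SecRulesEnabled;
                    DeniedUrl "/50x.html";
                    CheckRule "$XSS >= 8" BLOCK;
                }
            }
            include /etc/nginx/conf.d/*.conf;
        }
    """,
    "/etc/nginx/conf.d/site.conf": """
        server {
            listen 80;
            server_name ourwebsite.com;
            location /downloads/ { root /srv; }
            location / { proxy_pass http://127.0.0.1:8080; }
        }
    """,
    "/etc/nginx/conf.d/static.conf": """
        server {
            listen 8081;
            location / {
                SecRulesEnabled;        # enabled, but without CheckRule nothing is blocked
                DeniedUrl "/50x.html";
            }
        }
    """,
    "/etc/nginx/naxsi_core.rules": "# core rules omitted from this constructed sample\n",
}

# Quoted argument | structural character | comment | bare word.
TOKEN_RE = re.compile(r'''"[^"]*"|'[^']*'|[{};]|#[^\n]*|[^\s{};"'#]+''')


def tokenize(text):
    return [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]


def parse(tokens, i=0):
    """Build nodes (name, args, children); children is None for a simple
    directive.  Returns (nodes, index just past the closing brace)."""
    nodes, args = [], []
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok == ";":
            nodes.append((args[0], args[1:], None))
            args = []
        elif tok == "{":
            children, i = parse(tokens, i)
            nodes.append((args[0], args[1:], children))
            args = []
        elif tok == "}":
            break
        else:
            args.append(tok.strip("\"'"))
    return nodes, i


def expand(nodes, files):
    """Splice the parsed contents of every include target (glob allowed) in
    place of the include directive, recursively, in sorted path order."""
    out = []
    for name, args, children in nodes:
        if name == "include":
            for path in sorted(p for p in files if fnmatch.fnmatch(p, args[0])):
                out.extend(load(path, files))
        else:
            out.append((name, args, None if children is None else expand(children, files)))
    return out


def load(path, files):
    nodes, _ = parse(tokenize(files[path]))
    return expand(nodes, files)


def audit(files, entry="/etc/nginx/nginx.conf"):
    """One finding per location block that cannot block a request.  Nested
    locations are judged on their own directives, not on their parent's."""
    findings = []

    def walk(nodes, label):
        for name, args, children in nodes:
            if children is None:
                continue
            if name == "server":
                names = [a for n, a_list, _ in children if n == "server_name" for a in a_list]
                label = " ".join(names) or "server without server_name"
            if name == "location":
                where = f"{label}: location {' '.join(args)}"
                present = {n for n, _, _ in children}
                if not present & {"SecRulesEnabled", "LearningMode"}:
                    findings.append(f"{where}: naxsi not enabled (no SecRulesEnabled)")
                elif "CheckRule" not in present:
                    findings.append(f"{where}: SecRulesEnabled but no CheckRule, nothing is blocked")
            walk(children, label)

    walk(load(entry, files), "")
    return findings


if __name__ == "__main__":
    for finding in audit(FILES):
        print(finding)
```

Run against the constructed sample it lists both locations of the ourwebsite.com vhost as unprotected and the second conf.d server as enabled-but-toothless, which is exactly the situation the thread converges on: the naxsi directives sit in a server block nobody routes to. The same walk can be extended with whatever other per-location invariant an installation needs (a DeniedUrl in every protected location, for instance).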