Closed PhilWicke closed 5 years ago
You might want to take a look at the example configuration provided in the wiki :)
Thank you. I have used the example configuration before and it did not activate the rules. Neither did my current nginx.conf posted above. I've tried to use the example configuration from the wiki and now have this config:
```nginx
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/naxsi_core.rules;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;
    add_header X-Content-Type-Options "nosniff" always;
    client_header_timeout 3000;
    client_body_timeout 3000;
    fastcgi_read_timeout 3000;
    client_max_body_size 32m;
    fastcgi_buffers 8 128k;
    fastcgi_buffer_size 128k;
    log_format scripts '$document_root$fastcgi_script_name > $request';
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
        add_header X-Content-Type-Options "nosniff" always;
        access_log /var/log/nginx/naxsi_access.log;
        error_log /var/log/nginx/naxsi_error.log debug;

        # example server config
        location / {
            SecRulesEnabled;
            # Define where blocked requests go
            DeniedUrl "/50x.html";
            # CheckRules, determining when naxsi needs to take action
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            # naxsi logs go there
            error_log /var/log/nginx/naxis_server_error.log;
        }

        error_page 500 502 503 504 /50x.html;
        # This is where the blocked requests are going
        location = /50x.html {
            return 418; # I'm a teapot \o/
        }
    }

    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    uwsgi_connect_timeout 750s;
    fastcgi_send_timeout 600s;
    include /etc/nginx/conf.d/*.conf;
}
```
I think that you mispasted something, because your `server` block is inside your `http` one.
My bad, you're absolutely right. The latest config that you pasted doesn't work? I don't see anything wrong with it.
Is the nginx you're running the one with the naxsi plugin?
Yes, the very first snippet shows my `nginx` configuration. Also, if the rules had a wrong syntax (as I tested before), this would result in an error starting `nginx`; therefore `nginx` is running with the `naxsi` plugin. There might be nothing wrong with the `nginx.conf`, but I don't know where else I can find the bug/problem.
Hello,
Sorry for the delay in my answer :/
I was unfortunately not able to reproduce the issue locally.
At first hand, I would think of a configuration error, but I don't see any mistake in your configuration.
Can you include the full configuration if it isn't already the case, so I can give it a try locally? (i.e. I don't see the `listen` directive etc.)
Are you still facing the issue?
Hello,
thanks for replying to the issue. Yes, it still persists. If by full configuration you mean the entire nginx.conf, it is the one I've posted above. Not sure where there should be a `listen` or what it does.
Unless I find a solution, I'll have to re-write a lot of code. And I appreciate this project and would really like to make use of it. Let me know if there's any more information I can provide.
As I don't have access to your environment, I'm sorry but I can't really help.
In order to know if it's a configuration issue, can you attempt typing `make re` from the `naxsi_src` directory? It's going to download & install nginx+naxsi in your /tmp/, and the conf can then be found in /tmp/naxsi_ut.
I am facing the same issue, have tried a lot of configs, nothing works. @PhilWicke were you able to fix this issue??
@diadal unfortunately, I cannot fix the issue. I think I've done everything according to the instructions, but there is zero application of the rules. Let me know if you progress.
I guess the plugin `naxsi` is no longer working. I have done everything, there is no error log in nginx, but naxsi is still not working.
Hello,
How did you install the package? I'm going to try to get my hands on a centos to give it a try.
Can you maybe try running the unit tests (`make test` from the `naxsi_src` dir - requires `test::nginx`) to see if something is preventing naxsi from working?
Thanks,
@buixor feel free to check this Snuffleupagus commit, on how to use gitlab-ci to run the testsuite/compilation on several linux distributions :)
@PhilWicke I'm not sure the `server` block or `location` block you posted is actually being used by your live site(s). The following towards the end of your config file sticks out to me:
```nginx
include /etc/nginx/conf.d/*.conf;
```
Could you post the contents of those included `*.conf` files? I'm guessing you might have other `server`/`location` blocks defined in those files, possibly without the naxsi config directives in them?
@bobziuchkovski thank you for the reply.
There are indeed three .conf files. Again, I have inherited the system and have very little knowledge. So, the server / locations that I can find in there are the following:
```nginx
server {
    server_name myserverName ourwebsite.com;
    location /downloads/ {
        root /srv;
        some X-XSS protection protocols
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```
and in a different file, things like this:
```nginx
location ~* \.(css|js|gif|jpe?g|png)$ {
    expires 1d;
    log_not_found off;
}
location / {
    try_files $uri $uri/ $uri.html =404;
    log_not_found off;
}
```
@PhilWicke Aha. Yeah, I think it's the config file with the `server_name myserverName ourwebsite.com` block that is going to need the naxsi config directives. I can't tell about the other file with the additional `location` blocks. It depends on the context of where those are being included, but it's possible those might need some directives as well.
It looks like the config files are possibly a little disorganized. You might want to read through some various nginx config guides/examples to try to refactor/reorganize the config so that it's easy to follow and makes sense to you and others as whole. That might make it a little easier to troubleshoot.
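The check bobziuchkovski describes above can be automated: naxsi only inspects requests inside `location` blocks that carry `SecRulesEnabled`, so a `server` pulled in through `include conf.d/*.conf` without that directive is simply not filtered. The following is an added example, not code from the naxsi project: a minimal nginx.conf tokenizer that follows `include` globs and lists every location without `SecRulesEnabled`. The config files are a constructed in-memory sample mirroring the layout in this thread (`files`, `audit` and `unprotected_locations` are names chosen here).

```python
"""Added example (not naxsi's code): find nginx location blocks that never enable naxsi.
Config files live in a dict (constructed sample); include globs are matched against its keys."""
import fnmatch, os, re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')   # quoted string | brace/semicolon | word

def parse(files, name):
    """Return [(args, children)] for one file with includes spliced in; children is None for simple directives."""
    tokens = TOKEN.findall(re.sub(r'#[^\n]*', '', files[name]))    # drop comments, then tokenize
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            args = []
            while tokens[pos] not in ('{', ';', '}'):
                args.append(tokens[pos])
                pos += 1
            # a '{' opens a nested block; block() returns with pos on the matching '}'
            children, pos = block(pos + 1) if tokens[pos] == '{' else (None, pos)
            items.append((args, children))
            pos += 1
            if args[:1] == ['include']:              # resolve the glob relative to this file
                pattern = os.path.normpath(os.path.join(os.path.dirname(name), args[1]))
                for inc in sorted(fnmatch.filter(files, pattern)):
                    items.extend(parse(files, inc))
        return items, pos
    return block(0)[0]

def unprotected_locations(items, ctx=()):
    """Yield 'http > server <server_name> > location ...' for each location lacking SecRulesEnabled."""
    for args, children in items:
        if children is None:
            continue
        name = ' '.join(args)
        if args[0] == 'server':   # label by server_name so a finding maps to the live site
            name = next(('server ' + ' '.join(a[1:]) for a, _ in children if a[:1] == ['server_name']), 'server')
        here = ctx + (name,)
        if args[0] == 'location' and ['SecRulesEnabled'] not in [a for a, _ in children]:
            yield ' > '.join(here)
        yield from unprotected_locations(children, here)

SAMPLE = {  # constructed: naxsi is enabled in nginx.conf, but the live site is defined in conf.d
    'nginx.conf': 'http {\n server {\n  location / { SecRulesEnabled; DeniedUrl "/50x.html"; }\n }\n'
                  ' include conf.d/*.conf;\n}\n',
    'conf.d/site.conf': 'server {\n server_name ourwebsite.com;\n location /downloads/ { root /srv; }\n'
                        ' location / { proxy_pass http://127.0.0.1:8080; }\n}\n',
}

def audit(files=SAMPLE, root='nginx.conf'):
    """Return the sorted paths of every location block that naxsi will not inspect."""
    return sorted(unprotected_locations(parse(files, root)))
```

On a real host the same question is answered by `nginx -T`, which dumps the effective configuration with all includes resolved, so that the presence of `SecRulesEnabled` in the serving location can be checked directly.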
I have recompiled the latest naxsi version with nginx according to several tutorials. Here is the nginx configuration:
Furthermore, I have added the basic naxsi rules into the html and server blocks. If any of the *.rules files from naxsi had a syntax error I would have been notified by `nginx -t`. Therefore, I assume that so far naxsi and nginx are somewhat correctly installed. Nonetheless, any test of the naxsi rules fails. Testing `http://MY-IP/?q="><script>alert(1)</script>` does not result in blocking, neither do the logs show the rule breach. Here is my nginx.conf:
I have no idea why the rules do not apply. I've used the basic rules and turned off learning mode for naxsi. I'd be glad for any help pointing me in the right direction.