nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Why not check JSON? #446

Closed loki008 closed 5 years ago

loki008 commented 5 years ago

After installing naxsi, HTML is checked and can be blocked, but JSON is not; the parameters are transmitted through JSON.

Please help,thanks.

nginx.conf contents:

# nginx.conf as posted in the issue. Comments were added in review; every
# directive line is left exactly as posted. Several directives here
# (server_tag, dso_conf, req_status_zone) are not stock nginx -- presumably a
# Tengine-style build; confirm which build and which loaded modules are in use.
#
# NOTE(review): worker processes run as the OS user `admin`. If that account
# has rights beyond reading the web root and writing the log/cache paths, a
# dedicated low-privilege user would limit what a compromised worker can do.
user admin admin;

worker_processes auto; worker_cpu_affinity auto;

# error_log is filtered at `crit`. NOTE(review): naxsi is understood to report
# its matches through the error log at a lower severity than crit (TODO
# confirm the exact level), so with this setting nothing naxsi decides about
# a JSON body is visible. Temporarily lowering the level is the first
# diagnostic step for the question raised in this issue.
error_log /data/logs/nginx/error.log crit; pid /var/run/nginx.pid;

worker_rlimit_nofile 65535;

# Dynamically loaded modules; naxsi is presumably among them -- verify the
# included file actually loads the naxsi module for this build.
include dso_conf/ngx_dso_modules.conf;

events { use epoll; worker_connections 10240; }

# http-level defaults. naxsi_core.rules (the signature set) is loaded once here;
# naxsi is only *activated* per location by `include naxsi.rules` further down.
# access_log is off globally and re-enabled inside the server block below.
http { server_tokens off; server_tag off; autoindex off; access_log off; include mime.types; include naxsi_core.rules; default_type application/octet-stream;

server_names_hash_bucket_size 128;
client_header_buffer_size 128k;
large_client_header_buffers 4 128k;
# Bodies up to 2m are accepted but only 256k is held in memory; anything larger
# is spooled to a temp file before request-body handlers see it.
# NOTE(review): naxsi is understood to inspect only bodies it finds in memory
# (TODO confirm against the naxsi version in use). If the JSON payloads in
# question exceed client_body_buffer_size, that alone would explain why they
# are not checked; compare payload sizes against this limit.
client_max_body_size 2m;
client_body_buffer_size 256k;

sendfile on;
tcp_nopush on;
keepalive_timeout 900;
tcp_nodelay on;

# Response compression; unrelated to request inspection.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 6;
gzip_types "image/jpeg;charset=utf-8" text/plain application/x-javascript text/css application/xml application/javascript text/javascript image/jpeg image/gif image/png;
gzip_vary on;

# Upstream proxy defaults inherited by any proxied vhost pulled in by the
# include lines at the bottom of this file (no proxy_pass appears here).
proxy_connect_timeout 900;
proxy_read_timeout 900;
proxy_send_timeout 900;
proxy_buffer_size 128k;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client
# sent, so only the last hop of that header is trustworthy downstream.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_cache_path /data/logs/nginx/cache1 levels=1:2 keys_zone=cache1:100m max_size=50g inactive=90d; 
proxy_temp_path /data/logs/nginx/nginx_temp/nginx_temp;

# Three log formats: `access` (space-separated) and two tab-separated ones,
# `ha` and `main`; `main` is the one used by the server block below.
log_format access '$remote_addr - $remote_user [$time_local] "$request"'
                  '$status $body_bytes_sent "$http_referer"'
                  '"$http_user_agent" $http_x_forwarded_for';

log_format ha     '$remote_addr\t$time_local\t$host\t"$request"\t'
                  '$status\t$body_bytes_sent\t"$http_referer"\t'
                  '"$http_user_agent"\t$request_time\t$sent_http_content_type\t'
                  '$upstream_addr\t$upstream_status\t$upstream_response_time\t'
                  '"$http_x_forwarded_for"';

log_format main '$remote_addr\t$time_local\t"$request"\t'
            '$status\t$body_bytes_sent\t"$http_referer"\t'
            '"$http_user_agent"\t$request_time\t'
            '$upstream_addr\t$upstream_status\t$upstream_response_time\t'
            '"$http_x_forwarded_for"\t$host';

# $https_status is derived from the X-Forwarded-Proto request header, which a
# client can set unless a trusted front proxy overwrites it. Neither map
# variable is referenced in this file; presumably the included vhosts use them
# -- confirm where $https_status is consumed before relying on it.
map $http_x_forwarded_proto $https_status {
    default off;
    https on;
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# The only server defined in this file, and the only place naxsi is activated
# (via `include naxsi.rules` in `location /`). Vhosts loaded by the include
# lines at the bottom must each include naxsi.rules themselves; if the JSON
# endpoints from the issue are served by one of those vhosts rather than by
# this localhost:80 server, that -- not the content type -- would explain why
# they are not inspected. Worth confirming which server block handles them.
server { listen 80; server_name localhost;

    #charset koi8-r;

    access_log  logs/host.access.log  main;

    # naxsi is enabled here and only here. naxsi_BasicRule.conf presumably
    # holds site-specific whitelist rules (file not shown).
    location / {
        include naxsi.rules;
        include naxsi_BasicRule.conf;
        root   html;
        index  index.html index.htm;
    }
    # Presumably the DeniedUrl target configured in naxsi.rules (not shown);
    # blocked requests end up here and get a 403.
    location /RequestDenied {       
        return 403;
     }
     error_page  403  /403.html;
     location = /403.html {
                root   html;
     }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
} 

## reqstat
req_status_zone server_reqstat_monitor "$host" 100M;

# limit req zone
##
# Only the zones are declared here; no `limit_req` directive applying them
# appears in this file, so they take effect only where the included vhosts
# reference them. The first two zones key on $http_user_agent and $uri, both
# client-controlled, so a client can spread requests across many buckets;
# the plain $binary_remote_addr zone is the one that cannot be sidestepped
# that way.
limit_req_zone $binary_remote_addr $http_user_agent zone=limit_with_user_agent:50m rate=30r/m;
limit_req_zone $binary_remote_addr $uri zone=limit_with_uri:50m rate=3r/m;
limit_req_zone $server_name zone=limit_server_qps:10m rate=3500r/s;
limit_req_zone $binary_remote_addr zone=limit_with_remote_addr:20m rate=5r/m;

# Loaded last so the maps and zones above are already defined for them.
# These files decide whether naxsi covers the real application vhosts.
include conf.d/*.conf;
include upstream/*.conf;
include vhost.d/*.conf;

}