nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

general wl rules without matchzone work; more specific "mz:$URL:/mail|$ARGS_VAR:_caps" fails to match ? #506

Closed pgnd closed 4 years ago

pgnd commented 4 years ago

i'm running

    nginx/1.19.2 

built with naxsi/HEAD

    --add-dynamic-module=../naxsi-07a056ccd36bc3c5c40dc17991db226cb8cf6241/naxsi_src

default site config works generally.

for a specific site, i'd like to create static whitelist entries for two blocks

    2020/08/17 16:29:17 [error] 27495#27495: *58 NAXSI_FMT: ip=10.1.5.19&server=example.com&uri=/mail/&vers=0.56&total_processed=66&total_blocked=4&config=block&cscore0=$SQL&score0=8&zone0=ARGS&id0=1009&var_name0=_caps, client: 10.1.5.19, server: example.com, request: "GET /mail/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1&_uid=3&_mbox=INBOX&_framed=1&_action=preview HTTP/2.0", host: "example.com"
    2020/08/17 16:30:17 [error] 27544#27544: *58 NAXSI_FMT: ip=10.1.5.19&server=example.com&uri=/mail/&vers=0.56&total_processed=63&total_blocked=2&config=block&cscore0=$SQL&score0=12&zone0=ARGS&id0=1015&var_name0=_caps, client: 10.1.5.19, server: example.com, request: "GET /mail/?_task=mail&_caps=pdf%3D1%2Cflash%3D0%2Ctiff%3D0%2Cwebp%3D1&_uid=2&_mbox=INBOX&_framed=1&_action=preview HTTP/2.0", host: "example.com"

general rules, without matchzones,

    BasicRule wl:1009;
    BasicRule wl:1015;

work as expected; traffic passes.

but attempt at matching

    URL = /mail
    ARGS_VAR = _caps

with this rule

    BasicRule wl:1009,1015 "mz:$URL:/mail|$ARGS_VAR:_caps";

fails; traffic is still blocked, as above.

what's the correct usage for whitelisting an mz match for these^ blocks?

wargio commented 4 years ago

what about mz:$URL:/mail/|$ARGS_VAR:_caps ?

pgnd commented 4 years ago

groan.

$URL:/mail/

instead of

$URL:/mail

does the trick.

although the URL i enter in the browser, and hence was trying to match, is simply "/mail", there's likely a rewrite adding the trailing slash.

the exact match to the reported NAXSI error -- "uri=/mail/" -- is in fact required.

thx!
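To make the resolution above reproducible, here is an added example (not code from the naxsi project or the thread) that parses the NAXSI_FMT lines quoted in the issue and checks which `BasicRule wl:` whitelists would cover them. It models `$URL:` as an exact string comparison against the logged `uri=` value, which is the behaviour the thread observes, and also handles the `_X` regex variants (`$URL_X`, `$ARGS_VAR_X`) as an assumption based on naxsi's documented whitelist syntax.

```python
"""Check which NAXSI_FMT events a BasicRule whitelist's matchzone covers."""
import re
from urllib.parse import parse_qs

# Constructed sample: the two NAXSI_FMT entries quoted in the issue, minus the nginx prefix.
LOG_LINES = [
    'NAXSI_FMT: ip=10.1.5.19&server=example.com&uri=/mail/&vers=0.56&total_processed=66'
    '&total_blocked=4&config=block&cscore0=$SQL&score0=8&zone0=ARGS&id0=1009&var_name0=_caps',
    'NAXSI_FMT: ip=10.1.5.19&server=example.com&uri=/mail/&vers=0.56&total_processed=63'
    '&total_blocked=2&config=block&cscore0=$SQL&score0=12&zone0=ARGS&id0=1015&var_name0=_caps',
]


def parse_naxsi_fmt(line):
    """Return (uri, [(zone, rule_id, var_name), ...]) from one NAXSI_FMT entry."""
    qs = parse_qs(line.split('NAXSI_FMT: ', 1)[1])
    events, i = [], 0
    while f'id{i}' in qs:  # naxsi numbers matched rules zone0/id0/var_name0, zone1/id1/...
        events.append((qs[f'zone{i}'][0], int(qs[f'id{i}'][0]), qs.get(f'var_name{i}', [''])[0]))
        i += 1
    return qs['uri'][0], events


def parse_wl(rule):
    """Parse 'BasicRule wl:1009,1015 "mz:$URL:/mail|$ARGS_VAR:_caps";' into ids and mz constraints.

    Assumption: mz parts are split on '|', so a regex pattern containing '|' is not supported here.
    """
    ids = {int(x) for x in re.search(r'wl:([\d,]+)', rule).group(1).split(',')}
    mz = re.search(r'"mz:([^"]+)"', rule)
    constraints = dict(part[1:].split(':', 1) for part in mz.group(1).split('|')) if mz else {}
    return ids, constraints


def _match(pattern, value, regex):
    # Exact comparison for $URL / $ARGS_VAR, regex search for the _X variants.
    return re.search(pattern, value) is not None if regex else pattern == value


def wl_covers(rule, line):
    """True if every rule hit in the log line is whitelisted, i.e. the request would pass."""
    ids, constraints = parse_wl(rule)
    uri, events = parse_naxsi_fmt(line)
    for zone, rule_id, var in events:
        if rule_id not in ids:
            return False
        for key, pattern in constraints.items():
            regex = key.endswith('_X')
            base = key[:-2] if regex else key
            if base == 'URL' and not _match(pattern, uri, regex):
                return False  # '/mail' != '/mail/': the trailing slash matters
            if base.endswith('_VAR') and (zone != base[:-4] or not _match(pattern, var, regex)):
                return False
    return True
```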