
BlockingMode #566

Closed RekGRpth closed 11 months ago

RekGRpth commented 3 years ago

How about BlockingMode as the opposite of LearningMode? like this

diff --git a/naxsi_src/naxsi.h b/naxsi_src/naxsi.h
index d9ac93b..f1e4a16 100644
--- a/naxsi_src/naxsi.h
+++ b/naxsi_src/naxsi.h
@@ -370,6 +370,7 @@ typedef struct
   ngx_array_t* persistant_data;
   ngx_flag_t   extensive : 1;
   ngx_flag_t   learning : 1;
+  ngx_flag_t   force_blocking : 1;
   ngx_flag_t   enabled : 1;
   ngx_flag_t   force_disabled : 1;
   ngx_flag_t   pushed : 1;
@@ -466,6 +467,7 @@ typedef struct ngx_http_nx_json_s
 #define TOP_IGNORE_IP_T        "IgnoreIP"
 #define TOP_IGNORE_CIDR_T      "IgnoreCIDR"
 #define TOP_LEARNING_FLAG_T    "LearningMode"
+#define TOP_BLOCKING_FLAG_T    "BlockingMode"
 #define TOP_ENABLED_FLAG_T     "SecRulesEnabled"
 #define TOP_DISABLED_FLAG_T    "SecRulesDisabled"
 #define TOP_CHECK_RULE_T       "CheckRule"
@@ -481,6 +483,7 @@ typedef struct ngx_http_nx_json_s
 #define TOP_IGNORE_IP_N        "ignore_ip"
 #define TOP_IGNORE_CIDR_N      "ignore_cidr"
 #define TOP_LEARNING_FLAG_N    "learning_mode"
+#define TOP_BLOCKING_FLAG_N    "blocking_mode"
 #define TOP_ENABLED_FLAG_N     "rules_enabled"
 #define TOP_DISABLED_FLAG_N    "rules_disabled"
 #define TOP_CHECK_RULE_N       "check_rule"
diff --git a/naxsi_src/naxsi_skeleton.c b/naxsi_src/naxsi_skeleton.c
index 62b86fe..84cf189 100644
--- a/naxsi_src/naxsi_skeleton.c
+++ b/naxsi_src/naxsi_skeleton.c
@@ -182,6 +182,22 @@ static ngx_command_t ngx_http_naxsi_commands[] = {
     0,
     NULL },

+  /* Blocking Flag */
+  { ngx_string(TOP_BLOCKING_FLAG_T),
+    NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_NOARGS,
+    ngx_http_naxsi_flags_loc_conf,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    0,
+    NULL },
+
+  /* Blocking Flag (nginx style) */
+  { ngx_string(TOP_BLOCKING_FLAG_N),
+    NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_NOARGS,
+    ngx_http_naxsi_flags_loc_conf,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    0,
+    NULL },
+
   /* EnableFlag */
   { ngx_string(TOP_ENABLED_FLAG_T),
     NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF | NGX_HTTP_LMT_CONF | NGX_CONF_NOARGS,
@@ -374,6 +390,8 @@ ngx_http_naxsi_merge_loc_conf(ngx_conf_t* cf, void* parent, void* child)
     conf->extensive = prev->extensive;
   if (conf->learning == 0)
     conf->learning = prev->learning;
+  if (conf->force_blocking == 0)
+    conf->force_blocking = prev->force_blocking;
   if (conf->enabled == 0)
     conf->enabled = prev->enabled;
   if (conf->force_disabled == 0)
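Review bot: The added inheritance of `force_blocking` in ngx_http_naxsi_merge_loc_conf gives no precedence between the two inherited flags: a BlockingMode set at the http level is copied into every child scope and, together with the access-handler check, overrides a LearningMode that a location sets explicitly, while the opposite nesting behaves as the author intends. If that asymmetry is the intended meaning of "force", it should be stated next to the field, e.g. `/* set by BlockingMode; inherited by child scopes and wins over learning */`; if not, the copy could be limited to scopes that did not set learning themselves. The function starts before the hunk, so any earlier handling of these flags is not visible here.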
@@ -963,6 +981,12 @@ ngx_http_naxsi_flags_loc_conf(ngx_conf_t* cf, ngx_command_t* cmd, void* conf)
         !ngx_strcmp(value[0].data, TOP_LEARNING_FLAG_N)) {
     alcf->learning = 1;
     return (NGX_CONF_OK);
+  } else
+    /* it's a flagrule, currently just a hack to enable/disable learning mode */
+    if (!ngx_strcmp(value[0].data, TOP_BLOCKING_FLAG_T) ||
+        !ngx_strcmp(value[0].data, TOP_BLOCKING_FLAG_N)) {
+    alcf->force_blocking = 1;
+    return (NGX_CONF_OK);
   } else if (!ngx_strcmp(value[0].data, TOP_LIBINJECTION_SQL_T) ||
              !ngx_strcmp(value[0].data, TOP_LIBINJECTION_SQL_N)) {
     NX_LOG_DEBUG(_debug_loc_conf, NGX_LOG_EMERG, cf, 0, "LibInjectionSql enabled");
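Review bot: The comment placed above the new branch, `/* it's a flagrule, currently just a hack to enable/disable learning mode */`, was copied from the LearningMode arm and now describes the wrong flag, and splitting `} else` from the `if` by that comment hides that this is another arm of the same `else if` chain. Suggest `} else if (!ngx_strcmp(value[0].data, TOP_BLOCKING_FLAG_T) ||` on one line, with a comment that states what the bit does, e.g. `/* BlockingMode: marks this scope as blocking regardless of an inherited LearningMode */`. ngx_http_naxsi_flags_loc_conf starts before this hunk and continues after it.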
@@ -1192,6 +1216,7 @@ ngx_http_naxsi_access_handler(ngx_http_request_t* r)
     /* it seems that nginx will - in some cases -
      have a variable with empty content but with lookup->not_found set to 0,
     so check len as well */
+    if (cf->force_blocking == 0)
     ctx->learning = cf->learning;

     lookup = ngx_http_get_variable(r, &learning_flag, cf->flag_learning_h);
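Review bot: The new guard `if (cf->force_blocking == 0)` only skips the copy from `cf->learning`; it never writes 0 to `ctx->learning`, so the forced-blocking result relies on `ctx` having been zero-initialised earlier in ngx_http_naxsi_access_handler, outside this hunk. Writing it explicitly, `ctx->learning = cf->force_blocking ? 0 : cf->learning;`, removes that dependency and the unbraced single-statement `if`. The next line still looks up the `learning_flag` request variable; if the code after the hunk assigns `ctx->learning` from that lookup, as the surrounding comment suggests, a per-request variable can switch the location back into learning and the force_blocking flag would not actually be enforced — that assignment needs the same `force_blocking` check. The handler continues on both sides of the hunk.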
wargio commented 3 years ago

there is no need for this. when in blocking mode you just do not enable the LearningMode flag. it's like having a debug flag. you do not need to define others.

RekGRpth commented 3 years ago

no, if I set LearningMode in http section, with this patch I can set BlockingMode in location

RekGRpth commented 3 years ago

but I prefer to use ngx_conf_set_flag_slot for such flags, with just on and off

wargio commented 3 years ago

Hmmmm. that is true. make a PR and add tests.