nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

Cannot include naxsi for more than 7 locations in nginx.conf (resolved) #577

Closed cuper6 closed 2 years ago

cuper6 commented 2 years ago

I have an nginx.conf with ~20 servers. Each server has the same type and the same config (with the same locations). I try to include naxsi for one location at each server (only one location per server). The issue: I can include naxsi for only 7 locations in the nginx.conf file. When I try to enable naxsi for the 8th location I get "nginx.conf test failed" (without any details) while testing nginx.conf. The order of naxsi locations among servers in nginx.conf does not matter for this issue. The naxsi config is the same for all locations:

LearningMode;
SecRulesEnabled;
include naxsi/naxsi_wl.rules;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$UPLOAD >= 8" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;

What's wrong?

wargio commented 2 years ago

Are you sure that the 8th server configuration is not different from the others?

cuper6 commented 2 years ago

> Are you sure that the 8th server configuration is not different from the others?

Yes. All the servers are identical. The "8th server" can be any one of the 20 servers; I tested it.

wargio commented 2 years ago

Are you using the git version or a release? And how are you including that config?

cuper6 commented 2 years ago

I use the naxsi 1.3 release version. Each location where naxsi is enabled has this one line:

include naxsi/naxsi.conf;

The contents of naxsi.conf are listed above.

cuper6 commented 2 years ago

I created an nginx test config with one server and 8 locations. This config fails. But it works if I comment out any one location.

events {
}

http {

    error_log /dev/stderr  debug;
    include  naxsi/naxsi_core.rules;

    server {
        listen       127.0.0.1:8888;
        server_name  localhost;

        location /8.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;
        }

        location /1.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;

        }

        location /2.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;

        }

        location /3.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;

        }

        location /4.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;

        }

        location /5.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;

        }

        location /6.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;
        }

        location /7.html {
             #LearningMode;
             SecRulesEnabled;
             #SecRulesDisabled;

             DeniedUrl '/rd';
             ## check rules
             CheckRule '$XSS >= 4' BLOCK;
             CheckRule '$TRAVERSAL >= 4' BLOCK;
             CheckRule '$EVADE >= 8' BLOCK;
             CheckRule '$UPLOAD >= 8' BLOCK;
             CheckRule '$RFI >= 8' BLOCK;
             CheckRule '$SQL >= 8' BLOCK;

        }

        location /rd {
             return 403;
        }

    }
}
cuper6 commented 2 years ago

You can save this config to test.conf and test it with the command: /path_to_nginx_executable/nginx -t -c /path_to_this_config/test.conf
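The reproduction the reporter describes (grow the config one naxsi-protected location at a time until `nginx -t` rejects it) can be scripted so the failing count is found mechanically and `nginx -t`'s stderr is kept rather than reduced to "test failed". The script below is an added example, not code from the issue or from the naxsi project: it generates a test.conf with N copies of the per-location block posted above and validates it when an nginx binary is on PATH. `NGINX_BIN`, `NAXSI_RULES` and the temp-file location are assumptions; the config text it emits is the reporter's own.

```sh
#!/bin/sh
# Added example (not from the issue or the naxsi project). Generates an nginx
# test config with N naxsi-enabled locations, each identical to the block the
# reporter posted, and validates it with "nginx -t" when nginx is available.
# Assumptions:
#   NGINX_BIN    nginx executable (default: the first "nginx" on PATH)
#   NAXSI_RULES  core rules file included at http level, relative to the
#                nginx prefix like in the issue's config
set -eu

NGINX_BIN="${NGINX_BIN:-nginx}"
NAXSI_RULES="${NAXSI_RULES:-naxsi/naxsi_core.rules}"

# Emit one protected location "/<n>.html" with the thresholds from the issue.
# The heredoc is unquoted so $1 expands; the CheckRule variables are escaped
# so they reach the file literally as $XSS, $SQL, ...
gen_naxsi_location() {
    cat <<EOF
        location /$1.html {
             SecRulesEnabled;
             DeniedUrl '/rd';
             CheckRule '\$XSS >= 4' BLOCK;
             CheckRule '\$TRAVERSAL >= 4' BLOCK;
             CheckRule '\$EVADE >= 8' BLOCK;
             CheckRule '\$UPLOAD >= 8' BLOCK;
             CheckRule '\$RFI >= 8' BLOCK;
             CheckRule '\$SQL >= 8' BLOCK;
        }
EOF
}

# Write a complete test config with $1 protected locations to file $2.
# Mirrors the reporter's layout: events{}, http{} with the core rules and a
# debug error_log on stderr, one server, and the "/rd" DeniedUrl target.
gen_test_config() {
    n="$1"; out="$2"
    {
        printf 'events {\n}\n\nhttp {\n'
        printf '    error_log /dev/stderr debug;\n'
        printf '    include %s;\n\n' "$NAXSI_RULES"
        printf '    server {\n        listen 127.0.0.1:8888;\n'
        printf '        server_name localhost;\n\n'
        i=1
        while [ "$i" -le "$n" ]; do
            gen_naxsi_location "$i"
            i=$((i + 1))
        done
        printf '        location /rd {\n             return 403;\n        }\n'
        printf '    }\n}\n'
    } > "$out"
}

# Number of naxsi-enabled locations in a config (one SecRulesEnabled per block).
count_protected() {
    grep -c 'SecRulesEnabled;' "$1"
}

# Run "nginx -t" on an absolute path and pass its exit status through.
# Returns 2 when no nginx binary is found, so a caller can distinguish
# "config rejected" (1) from "could not test" (2).
check_config() {
    if ! command -v "$NGINX_BIN" >/dev/null 2>&1; then
        echo "nginx not found, skipping validation of $1" >&2
        return 2
    fi
    abs="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    "$NGINX_BIN" -t -c "$abs" 2>&1
}

# Grow the config from 1 to $1 locations and print the first count nginx
# rejects, keeping nginx's own message so the cause is visible.
first_failing_count() {
    max="$1"; tmp="${TMPDIR:-/tmp}/naxsi-bisect-$$.conf"
    n=1
    while [ "$n" -le "$max" ]; do
        gen_test_config "$n" "$tmp"
        rc=0
        out="$(check_config "$tmp")" || rc=$?
        if [ "$rc" -eq 2 ]; then rm -f "$tmp"; return 2; fi
        if [ "$rc" -ne 0 ]; then
            echo "first rejected count: $n"
            echo "$out"
            rm -f "$tmp"
            return 0
        fi
        n=$((n + 1))
    done
    rm -f "$tmp"
    echo "all counts up to $max accepted"
}
```

Source the file and call `first_failing_count 10` on a host with the naxsi module built in; with the reporter's setup it would stop at 8 and show the nginx message that `nginx -t` hides behind "test failed". Without nginx on PATH the functions still generate the config, which is what the test below checks.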

cuper6 commented 2 years ago

I fixed the error (it was not in naxsi). Thanks all!