Are you sure that the 8th server's configuration is not different from the others?
Are you sure that the 8th server's configuration is not different from the others?
Yes. All the servers are identical. The “8th server” can be any one of the 20 servers; I tested it.
are you using the git version or a release? and how are you including that config?
I use the naxsi 1.3 release version. Each location where naxsi is enabled has this one line:
# Pulls the shared naxsi directives (naxsi/naxsi.conf) into the enclosing location.
include naxsi/naxsi.conf;
The contents of naxsi.conf I listed above.
I created an nginx test config with one server and 8 locations. This config fails the test, but it passes if I comment out any one location.
# Minimal reproducer from the report: one server, eight locations carrying the
# same naxsi directives, plus the location that denied requests are sent to.
# As reported, `nginx -t` fails with all eight naxsi locations present and
# passes when any one of them is commented out.
events {
}
http {
    # Debug-level logging to stderr so the config test prints as much detail as
    # it can (debug level only has an effect if nginx was built with --with-debug).
    error_log /dev/stderr debug;
    # naxsi core rule file, loaded once for the whole http context.
    include naxsi/naxsi_core.rules;
    server {
        # Loopback only: the test server is not reachable from other hosts.
        listen 127.0.0.1:8888;
        server_name localhost;
        location /8.html {
            # LearningMode is left commented out, so a request that reaches a
            # BLOCK threshold below is denied rather than only logged.
            #LearningMode;
            # Turns naxsi on for this location.
            SecRulesEnabled;
            #SecRulesDisabled;
            # Denied requests are redirected internally to this URL (handled by
            # `location /rd` at the end of the server block).
            DeniedUrl '/rd';
            ## check rules
            # Each CheckRule compares the score accumulated for one category
            # against a threshold and applies the action (BLOCK) once it is reached.
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html.
        location /1.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html.
        location /2.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html.
        location /3.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html.
        location /4.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html.
        location /5.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html.
        location /6.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Same naxsi directives as /8.html; this is the eighth naxsi-enabled location.
        location /7.html {
            #LearningMode;
            SecRulesEnabled;
            #SecRulesDisabled;
            DeniedUrl '/rd';
            ## check rules
            CheckRule '$XSS >= 4' BLOCK;
            CheckRule '$TRAVERSAL >= 4' BLOCK;
            CheckRule '$EVADE >= 8' BLOCK;
            CheckRule '$UPLOAD >= 8' BLOCK;
            CheckRule '$RFI >= 8' BLOCK;
            CheckRule '$SQL >= 8' BLOCK;
        }
        # Target of every DeniedUrl above: answers a denied request with 403.
        location /rd {
            return 403;
        }
    }
}
You can save this config to test.conf and test it with the command: /path_to_nginx_executable/nginx -t -c /path_to_this_config/test.conf
I fixed the error (it was not in naxsi). Thanks, all!
I have an nginx.conf with ~20 servers. Each server is of the same type and has the same config (with the same locations). I am trying to include naxsi for one location in each server (only one location per server). The issue: I can include naxsi for only 7 locations in the nginx.conf file. When I try to enable naxsi for an 8th location, I get "nginx.conf test failed" (without any details) while testing nginx.conf. The order of the naxsi locations among the servers in nginx.conf does not matter for this issue. The naxsi config is the same for all locations:
# naxsi directives as reported for naxsi/naxsi.conf, included in each protected location.
# LearningMode is on here: a request that reaches a BLOCK threshold is logged
# but not denied, so this file does not enforce anything until LearningMode is
# removed (normally once the whitelist is complete).
LearningMode;
# Turns naxsi on for the enclosing location.
SecRulesEnabled;
# Presumably the site's whitelist rules; the file is not shown in the report.
include naxsi/naxsi_wl.rules;
# URL a denied request is redirected to internally.
DeniedUrl "/RequestDenied";
# Per-category score thresholds and the action applied once each is reached.
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$UPLOAD >= 8" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
What's wrong?