Closed keramahos closed 2 years ago
I think you are including the naxsi_core.rules file in the wrong location. naxsi_core.rules needs to be included within the http context, not within a location.
The documentation https://github.com/nbs-system/naxsi/wiki/naxsi-setup#example-configuration shows exactly how to configure it.
Unfortunately, it is configured in the correct location: http { include /etc/nginx/naxsi_core.rules;
Maybe then it is a regex issue.
OK, so let's sum up this whole thing from the very beginning. I am in search of a local WAF and this project is just one of the options. So I did the research and decided to try it. Certainly, I went through the documentation, but:
I understand the frustration and I feel partially the same. The project is indeed abandoned by the company and I'm the only maintainer (I do not work anymore for NBS). I'm working on my fork on the new version 1.4/2.0 (not sure yet on the release), but I'm behind with its development, therefore you cannot use it yet. Back to your problem: the issue is that you are using a version of naxsi which I have not tested, so I cannot help you without knowing how you have set it up.
Can you please paste here lines 22-23-24 of /etc/nginx/naxsi_core.rules and also your NGINX configuration (remove the real IP addresses and anything confidential, like the website name, etc.)?
The version is just a clone from this master + added pcre2 support under newer nginx... core rules 22-24:

```
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
```

nginx config:

```nginx
http {
    include /etc/nginx/naxsi_core.rules;
    # + some other stuff unrelated to this issue
```

one default vhost config:

```nginx
server {
    SecRulesEnabled;                 # enable naxsi
    LearningMode;                    # enable learning mode
    LibInjectionSql;                 # enable libinjection support for SQLi
    LibInjectionXss;                 # enable libinjection support for XSS
    DeniedUrl "/RequestDenied";      # the location naxsi redirects the request to when it is blocked
    CheckRule "$SQL >= 8" BLOCK;     # the action to take when the $SQL score is greater than or equal to 8
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 5" BLOCK;
    CheckRule "$UPLOAD >= 5" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
```

nothing else...
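As an added example (not code from this thread or from the naxsi project), here is a small Python checker that parses MainRule lines in the format quoted above (an `rx:` or `str:` match, then `msg:`, `mz:`, `s:` and `id:`) and tries to compile every `rx:` pattern. Python's `re` module is not PCRE or PCRE2, so this is a syntax sanity check of the rule file, not a reproduction of what nginx's `ngx_regex_compile` does; the `IGNORECASE` flag is an assumption about how naxsi compiles `rx:` patterns, and rule id 9999 is a constructed, deliberately broken rule. Running it against your own naxsi_core.rules separates the two hypotheses raised in the thread: if the file parses and every pattern compiles here, yet nginx rejects every `rx:` rule, the rule file is not the problem and the failure is in how the module compiles regexes against the nginx/PCRE build.

```python
"""Parse naxsi MainRule lines and try to compile each rx: pattern.

Added example for this thread, not naxsi project code.  Python's re is not
PCRE/PCRE2, so a pattern that compiles here can still be rejected by
pcre2_compile (and PCRE-only syntax can fail here); treat this as a lint.
"""
import re
import shlex
import sys

# Constructed sample: the two rules quoted from naxsi_core.rules in the thread
# (ids 1000 and 1001 as posted) plus one deliberately broken regex, id 9999,
# which is made up for this example.
SAMPLE_RULES = r'''
##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
MainRule "rx:[a-z" "msg:unterminated class (constructed)" "mz:ARGS" "s:$SQL:4" id:9999;
'''


def parse_rule(line):
    """Return a dict for one MainRule line, or None if it is not a MainRule.

    Raises ValueError (from shlex) on unbalanced quotes.
    """
    tokens = shlex.split(line)          # honours the "..." quoting and \" escapes
    if not tokens or tokens[0] != "MainRule":
        return None
    if tokens[-1].endswith(";"):        # the trailing ';' closes the directive
        tokens[-1] = tokens[-1][:-1]
    rule = {"match_type": None, "pattern": None, "msg": None,
            "mz": [], "scores": {}, "id": None}
    for tok in tokens[1:]:
        if tok.startswith(("rx:", "str:")):
            # split once only: an rx: pattern may itself contain ':'
            rule["match_type"], rule["pattern"] = tok.split(":", 1)
        elif tok.startswith("msg:"):
            rule["msg"] = tok[4:]
        elif tok.startswith("mz:"):
            rule["mz"] = tok[3:].split("|")
        elif tok.startswith("s:"):
            # "s:$SQL:8,$XSS:8" -> {"$SQL": 8, "$XSS": 8}; a bare action such
            # as "s:BLOCK" is kept with value None
            for part in tok[2:].split(","):
                name, _, value = part.partition(":")
                rule["scores"][name] = int(value) if value else None
        elif tok.startswith("id:"):
            rule["id"] = int(tok[3:])
    return rule


def check_rules(text):
    """Parse every MainRule in text and compile each rx: pattern.

    Returns (rules, problems); problems is a list of (lineno, id, reason).
    """
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:       # shlex: unbalanced quotes
            problems.append((lineno, None, "unparseable line: %s" % exc))
            continue
        if rule is None:
            continue
        rules.append(rule)
        if rule["match_type"] == "rx":
            try:
                # ASSUMPTION: naxsi compiles rx: patterns case-insensitively
                re.compile(rule["pattern"], re.IGNORECASE)
            except re.error as exc:
                problems.append((lineno, rule["id"],
                                 "regex does not compile: %s" % exc))
    return rules, problems


if __name__ == "__main__":
    # usage: python3 naxsi_rule_check.py /etc/nginx/naxsi_core.rules
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    parsed, issues = check_rules(source)
    print("%d MainRule lines parsed, %d problem(s)" % (len(parsed), len(issues)))
    for lineno, rid, reason in issues:
        print("line %d (id %s): %s" % (lineno, rid, reason))
```

Without an argument the script runs over the constructed sample and reports only the broken id 9999; point it at the real rules file (the name `naxsi_rule_check.py` is just the name assumed here) to check all of the `rx:` lines at once.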
I think the issue is with the regex, but I do not know why. I have to check the PR.
Any update?
Hello, I can confirm the same issue when trying to update nginx stable 1.20.2 to 1.22.0 stable + pcre2. Any line from naxsi_core.rules that does regex checking and starts with "rx:" fails to be compiled by pcre2_compile. My workaround to start the server successfully is to comment out the rule, or this code, `if (ngx_regex_compile(rgc) != NGX_OK) return (NGX_ERROR);`, before building nginx and naxsi, but then the regex rules no longer work.
@wargio I've also just confirmed this issue on nginx stable 1.23.0. Any chance of an official fix/workaround?
Not yet, I'm sorry :(
Temporary fix:

```sh
git clone https://github.com/nbs-system/naxsi.git
cd naxsi
git reset --hard 304e66d86fc4771821585b1bc32169de8afc9cea
wget https://patch-diff.githubusercontent.com/raw/nbs-system/naxsi/pull/598.patch
patch -p1 < 598.patch   # 1 hunk fails, but that's no problem: it tries to replace a line with the same line
```

And then build nginx with `--with-pcre --without-pcre2`.
Basically: clone this repo, go back to before the PCRE2 PR (it prevents building with pcre), apply the patch for the new 1.23.0 API and build NGINX with PCRE instead of PCRE2.
tester: @tim-snapt
Closing since this issue has been fixed here: https://github.com/wargio/naxsi/commit/9e06c5f53b2e393e40e9df7746a7b8bc4c2abfa4
Hello. I am getting this:
There is no quote problem, as this was added as a raw file; the nginx module is included (as this is a message from naxsi itself). The logs are not providing any additional description of the problem. This line is the first one in the file, so it is failing on the very first line... Nginx 1.21.6, Debian bullseye, naxsi from https://github.com/dvershinin/naxsi.git as you guys don't have that libpcre fix merged into master...