nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks

configuration file /etc/nginx/nginx.conf test failed #593

Closed keramahos closed 2 years ago

keramahos commented 2 years ago

Hello. I am getting this:

nginx: [emerg] Naxsi-Config : Incorrect line MainRule rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile (/usr/local/src/naxsi/naxsi_src//naxsi_skeleton.c/973)... in /etc/nginx/naxsi_core.rules:23
nginx: configuration file /etc/nginx/nginx.conf test failed

There is no quote problem as this was added as a raw file, and the nginx module is included (as this is a message from naxsi itself). Logs are not providing any additional description of the problem. This line is the first one in the file - so it is failing on the very first line... Nginx 1.21.6, Debian bullseye, naxsi from https://github.com/dvershinin/naxsi.git as you guys don't have that libpcre fix merged into master...

wargio commented 2 years ago

I think you are including the naxsi_core.rules file in the wrong location. naxsi_core.rules needs to be included within the http context, not within a location.

wargio commented 2 years ago

The documentation https://github.com/nbs-system/naxsi/wiki/naxsi-setup#example-configuration shows exactly how to configure it.

keramahos commented 2 years ago

Unfortunately, it is configured in the correct location: http { include /etc/nginx/naxsi_core.rules;

wargio commented 2 years ago

Maybe then it is a regex issue.

keramahos commented 2 years ago

Ok so let's sum up this whole thing from the very beginning. I am in search of a local WAF and this project is just one of the options. So I did the research and decided to try it. Certainly, I went through the documentation but:

wargio commented 2 years ago

I understand the frustration and I feel partially the same. The project is indeed abandoned by the company and I'm the only maintainer (I do not work anymore for NBS). I'm working on my fork on the new version 1.4/2.0 (not sure yet on the release), but I'm behind with its development, therefore you cannot use it yet. Back to your problem: the issue is that you are using a version of naxsi which I have not tested, so I cannot help you without knowing how you have set it up.

Can you please write here lines 22-23-24 of the /etc/nginx/naxsi_core.rules and also your NGINX configuration (remove the real ip addresses and anything confidential, like website name, etc..)?

keramahos commented 2 years ago

The version is just a clone of this master + added pcre2 support under newer nginx... core rules 22-24:

##################################
MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;

nginx config:
http {
    include /etc/nginx/naxsi_core.rules;
+ some other stuff unrelated to this issue

one default vhost config:
server {
    SecRulesEnabled; #enable naxsi
    LearningMode; #enable learning mode
    LibInjectionSql; #enable libinjection support for SQLI
    LibInjectionXss; #enable libinjection support for XSS

    DeniedUrl "/RequestDenied"; #the location where naxsi will redirect the request when it is blocked
    CheckRule "$SQL >= 8" BLOCK; #the action to take when the $SQL score is greater than or equal to 8
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 5" BLOCK;
    CheckRule "$UPLOAD >= 5" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;

nothing else...

wargio commented 2 years ago

I think the issue is with the regex, but I do not know why. I have to check the PR.

Nriver commented 2 years ago

Any update?

Dezaro commented 2 years ago

Hello, I can confirm the same issue when trying to update nginx stable 1.20.2 to 1.22.0 stable + pcre2. Any line from naxsi_core.rules for regex checking and starting with "rx:" fails to be compiled by pcre2_compile. My workaround to start the server successfully is to comment out the rule or this code "if (ngx_regex_compile(rgc) != NGX_OK) return (NGX_ERROR);" before building nginx and naxsi, but then the regex rules no longer work.

timmah91 commented 2 years ago

@wargio I've also just confirmed this issue on nginx stable 1.23.0. Any chance for an official fix/workaround?

wargio commented 2 years ago

Not yet, I'm sorry :(

eilandert commented 2 years ago

Temporary fix:

git clone https://github.com/nbs-system/naxsi.git
cd naxsi
git reset --hard 304e66d86fc4771821585b1bc32169de8afc9cea
wget https://patch-diff.githubusercontent.com/raw/nbs-system/naxsi/pull/598.patch
patch -p1 < 598.patch

(1 hunk fails but that's no problem, it tries to replace a line with the same line)

And start building nginx with --with-pcre --without-pcre2

Basically, clone this repo, go back to before the PCRE2 PR (it prevents building as pcre), apply the patch for the new 1.23.0 API and build NGINX with PCRE instead of PCRE2.

tester: @tim-snapt

wargio commented 2 years ago

Closing since this issue has been fixed here: https://github.com/wargio/naxsi/commit/9e06c5f53b2e393e40e9df7746a7b8bc4c2abfa4