Closed toadzhou closed 1 year ago
Normally you do not have this issue, since the logs will be written to the error.log (or any custom path), and all you have to do is ask when it happened and see why it was logged.
Normally audit logs are used in the opposite way, to find where a certain request has gone when you have multiple reverse proxies.
Anyway, I'm quite sure that NGINX itself supports this by using something like proxy_set_header Request-Id $request_id.
I can get a unique ID by doing this, but how does this ID correspond to the audit log?
My configuration is as follows:

    location / {
        root html;
        index index.html index.htm;
        SecRulesEnabled;
        #LearningMode;
        DeniedUrl "/RequestDenied";
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$EVADE >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        error_log /tmp/error.log;
    }
    location /RequestDenied {
        add_header Content-Type 'text/html; charset=utf-8';
        return 200 "WAF interception ID:$request_id";
    }

That is a very good question and I do not have an answer for this; it is probably just worth adding an option to have this directly in the log.
If naxsi's audit log supports log formatting and can write the $request_id variable, this should be easy.
In order to prevent accidental interception, you need to display a unique access ID on the interception prompt page so that the user can provide the ID to the administrator to view the upgrade log. How do I do this? For example:
Ray ID: 757****090
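
One way to tie the ID shown on the denied page back to the NAXSI entry in error.log with stock nginx, as an added example that is not from this thread or the naxsi project: log `$request_id` next to `$connection` in the access log, then join on the `*N` connection number nginx prints in every error.log line. The `log_format` layout, the sample log lines and the function name are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample logs. The access-log layout is an assumption; it needs
#   log_format rid '$request_id $connection $remote_addr "$request"';
ACCESS_LOG = '''\
0a1b2c3d4e5f60718293a4b5c6d7e8f9 1841 203.0.113.7 "GET /index.html HTTP/1.1"
9f8e7d6c5b4a39281706f5e4d3c2b1a0 1841 203.0.113.7 "GET /?id=1+union+select HTTP/1.1"
'''
ERROR_LOG = '''\
2024/01/01 10:00:00 [error] 1234#0: *1841 NAXSI_FMT: ip=203.0.113.7&server=example.test&uri=/&learning=0&total_processed=2&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=id, client: 203.0.113.7, server: localhost, request: "GET /?id=1+union+select HTTP/1.1", host: "example.test"
2024/01/01 10:00:05 [error] 1234#0: *1850 NAXSI_FMT: ip=198.51.100.9&server=example.test&uri=/a&learning=0&total_processed=3&total_blocked=2&block=1&cscore0=$XSS&score0=8&zone0=ARGS&id0=1302&var_name0=q, client: 198.51.100.9, server: localhost, request: "GET /a?q=%3Cb HTTP/1.1", host: "example.test"
'''

ACCESS_RE = re.compile(
    r'^(?P<rid>[0-9a-f]{32}) (?P<conn>\d+) (?P<ip>\S+) "(?P<req>[^"]*)"$')
NAXSI_RE = re.compile(
    r'\*(?P<conn>\d+) NAXSI_FMT: (?P<fmt>.*?), client: .*?request: "(?P<req>[^"]*)"')


def naxsi_events_for(request_id, access_log=ACCESS_LOG, error_log=ERROR_LOG):
    """Return the parsed NAXSI_FMT events that belong to one $request_id."""
    hit = next((m for m in map(ACCESS_RE.match, access_log.splitlines())
                if m and m["rid"] == request_id), None)
    if hit is None:
        return []  # unknown ID: nothing to correlate
    events = []
    for line in error_log.splitlines():
        m = NAXSI_RE.search(line)
        # '*N' in error.log is the same serial number as $connection. The
        # request line separates several requests sharing one keep-alive
        # connection; identical repeats would also need a timestamp check.
        if m and m["conn"] == hit["conn"] and m["req"] == hit["req"]:
            events.append(dict(parse_qsl(m["fmt"])))
    return events


if __name__ == "__main__":
    for event in naxsi_events_for("9f8e7d6c5b4a39281706f5e4d3c2b1a0"):
        print(event["ip"], event["uri"], event["zone0"], event["id0"])
```

Connection numbers start over when nginx restarts, so run the lookup against logs from the same time window.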