nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0

The audit log ID #622

Closed toadzhou closed 1 year ago

toadzhou commented 2 years ago

In order to prevent accidental interception, you need to display a unique access ID on the interception prompt page so that the user can provide the ID to the administrator to view the upgrade log. How do I do this? For example, Ray ID: 757****090

wargio commented 2 years ago

Normally you do not have this issue, since the logs will be written to the error.log (or any custom path), and all you have to do is ask when it happened and see why it was logged. Normally audit logs are used in the opposite way, to find where a certain request has gone when you have multiple reverse proxies. Anyway, I'm quite sure that NGINX itself supports this by using something like `proxy_set_header Request-Id $request_id`.

toadzhou commented 2 years ago

I can get a unique ID by doing this, but how does this ID correspond to the audit log?

My configuration is as follows

        location / {
            root   html;
            index  index.html index.htm;

            SecRulesEnabled; 
            #LearningMode;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            error_log /tmp/error.log;
        }

        location /RequestDenied {
            add_header Content-Type 'text/html; charset=utf-8';
            return 200 "WAF interception ID:$request_id";
        }

wargio commented 2 years ago

That is a very good question and I do not have an answer for this; it is probably just worth adding an option to have this directly in the log.

toadzhou commented 2 years ago

If naxsi's audit log supports log formatting and can write the $request_id variable, this should be easy.
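
Added example, not part of the original thread and not naxsi code: one way to map the `$request_id` shown on the block page back to the `NAXSI_FMT` line in error.log, by joining on nginx's connection number (`*N` in error.log, `$connection` in the access log), the request line and the timestamp. The `log_format` in the comment, the function names and the sample log lines (abbreviated `NAXSI_FMT` records) are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed access-log format (not from the thread):
#   log_format reqid '$time_iso8601 $connection $request_id "$request"';
ACCESS_RE = re.compile(r'^(\S+) (\d+) ([0-9a-f]{32}) "([^"]*)"$')
# error.log line with a NAXSI_FMT record; "*N" is nginx's connection number.
ERROR_RE = re.compile(
    r'^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: \*(\d+) '
    r'NAXSI_FMT: (\S+?), client: .*?request: "([^"]*)"')

# Constructed sample logs: two blocked requests on one keepalive connection.
REQ = 'GET /?q=1%27%20or%201=1 HTTP/1.1'
ACCESS_LOG = [
    f'2023-01-05T10:00:01+00:00 42 {"0a" * 16} "{REQ}"',
    f'2023-01-05T10:05:30+00:00 42 {"1b" * 16} "{REQ}"',
]
TAIL = f', client: 203.0.113.7, server: example.test, request: "{REQ}", host: "example.test"'
ERROR_LOG = [
    '2023/01/05 10:00:01 [error] 1234#0: *42 NAXSI_FMT: ip=203.0.113.7&uri=/&block=1&id0=1000&var_name0=q' + TAIL,
    '2023/01/05 10:05:30 [error] 1234#0: *42 NAXSI_FMT: ip=203.0.113.7&uri=/&block=1&id0=1001&var_name0=q' + TAIL,
]

def index_naxsi(error_lines):
    """Map (connection, request line) -> list of (time, NAXSI_FMT string)."""
    idx = {}
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            idx.setdefault((m.group(2), m.group(4)), []).append((ts, m.group(3)))
    return idx

def lookup(request_id, access_lines, error_lines, skew=timedelta(seconds=2)):
    """Return the NAXSI_FMT records logged for the request with this ID."""
    idx = index_naxsi(error_lines)
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group(3) != request_id:
            continue
        # Both logs use server-local wall time, so drop the UTC offset.
        ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=None)
        for ets, fmt in idx.get((m.group(2), m.group(4)), []):
            if abs(ets - ts) <= skew:
                hits.append(fmt)
    return hits

if __name__ == "__main__":
    print(lookup("0a" * 16, ACCESS_LOG, ERROR_LOG))
```

The join is a heuristic: identical request lines sent on the same connection within the skew window return more than one candidate record.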