nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks

Nginx with naxsi enabled does not finish standard request processing under some configs #628

Closed cuper6 closed 11 months ago

cuper6 commented 1 year ago

Nginx does not finish the standard processing cycle for some requests under some configs with naxsi enabled. At least:

  1. The response is not sent to the client.
  2. The request is not logged in the access.log.
  3. The nginx stub status module's (ngx_http_stub_status_module) "writing" counter is not decremented.

How to reproduce:

  1. Use the sample config (below) with needed changes to the directives such as server_name, root, listen, access_log, etc.
  2. Send 2 simultaneous GET requests: http://some_site.net:888/1/index.html?v<<<<>>>>

These requests will be processed by naxsi and trigger a denied action. The key factor here is "limit_req" in the /403.html location. The second request is paused by the rate limit. After processing resumes, the second request is not finished by nginx as normal. access.log has only one request logged.

We can send 2 simultaneous GET requests to the second location (without naxsi): http://some_site.net:888/2/index.html?v<<<<>>>> to confirm that similar requests are finished when naxsi is not in use.

Was tested on clean nginx 1.22.1 with the naxsi 1.3 module linked statically.

Sample nginx.conf

user www-data;
worker_processes  auto;

error_log  /var/log/nginx-test/error.log debug;
pid        /var/run/nginx-test.pid;

events {
    worker_connections  4096;
}

http {
    include naxsi_core.rules; # naxsi core rules

    index index.php index.html;
    resolver 8.8.8.8 ipv6=off;

    limit_req_zone $binary_remote_addr zone=test:1m rate=1r/s;

    log_format main '[$host] $remote_addr $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    include mime.types;
    default_type application/octet-stream;

    access_log  /var/log/nginx-test/access.log main;

    server {
        root /home/some_site/www;
        server_name some_site.net;

        listen *:888;

        # the limit_req on the error page is the key factor for the reproduction
        error_page 403 /403.html;
        location = /403.html {
            limit_req zone=test burst=1;
            internal;
            etag off;
        }

        # special location for naxsi
        location /RequestDenied {
            internal;
            return 403;
        }

        # naxsi enabled: GET /1/index.html?v<<<<>>>> is scored and blocked
        location /1 {
            SecRulesEnabled;

            ## check rules
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$UPLOAD >= 8" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
        }

        # control location without naxsi
        location /2 {
            return 403;
        }
    }
}

wargio commented 1 year ago
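To make the reproduction above checkable from a script, here is an added example (not code from the issue, its author, or the naxsi project). It parses the `main` log_format from the posted nginx.conf and the ngx_http_stub_status_module output, and reports which of the sent requests never produced an access.log line and whether the "writing" counter returned to its baseline. The sample log line and status snapshots are constructed; the `&t=N` tag on each query string (so the two identical requests can be told apart), the `probe_live` helper and the stub_status URL it expects are assumptions, not part of the original procedure.

```python
# Added example (not from the issue or from naxsi): offline check for the
# "request never finished" symptom (no response, no access.log line, stuck
# stub_status "writing" counter).
import re
import sys
import threading
import urllib.error
import urllib.request

# ngx_http_stub_status_module output (assumed exposed at a status location,
# which the posted config does not define):
#   Active connections: 2
#   server accepts handled requests
#    16 16 31
#   Reading: 0 Writing: 2 Waiting: 0
_STUB_RE = re.compile(
    r"Active connections:\s*(?P<active>\d+).*?\n\s*"
    r"(?P<accepts>\d+)\s+(?P<handled>\d+)\s+(?P<requests>\d+)\s*\n\s*"
    r"Reading:\s*(?P<reading>\d+)\s+Writing:\s*(?P<writing>\d+)\s+Waiting:\s*(?P<waiting>\d+)",
    re.S,
)

# The "main" log_format from the issue's nginx.conf.
_LOG_RE = re.compile(
    r'^\[(?P<host>[^\]]*)\] (?P<remote_addr>\S+) (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]*)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<body_bytes_sent>\d+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)


def parse_stub_status(text):
    """Return the stub_status counters as ints; raise on unexpected input."""
    m = _STUB_RE.search(text)
    if m is None:
        raise ValueError("unrecognised stub_status output")
    return {k: int(v) for k, v in m.groupdict().items()}


def parse_access_line(line):
    """Parse one access.log line in the "main" format; None if it does not match."""
    m = _LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    return rec


def find_unfinished(sent_uris, access_lines, status_before, status_after):
    """Match sent URIs against logged ones and compare the writing counter.

    A request that never finished produces no access.log line.  The status
    request itself is one "writing" connection in both snapshots, so only
    the delta matters: > 0 means a request is still stuck in the worker.
    """
    logged = {}
    for line in access_lines:
        rec = parse_access_line(line)
        if rec is not None:
            logged[rec["uri"]] = logged.get(rec["uri"], 0) + 1
    missing = []
    for uri in sent_uris:
        if logged.get(uri, 0) > 0:
            logged[uri] -= 1
        else:
            missing.append(uri)
    before, after = parse_stub_status(status_before), parse_stub_status(status_after)
    return {
        "missing": missing,
        "writing_delta": after["writing"] - before["writing"],
        "requests_delta": after["requests"] - before["requests"],
    }


def probe_live(base_url, status_url, uris, timeout=5.0):
    """Send the URIs concurrently (the issue's "2 simultaneous GET requests")
    and snapshot stub_status before and after.  Needs a reachable server;
    a 403 is a finished request, a timeout (None) is the reported symptom."""
    def get_text(url):
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.read().decode("utf-8", "replace")

    def get_code(url):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                return r.status
        except urllib.error.HTTPError as e:
            return e.code
        except (urllib.error.URLError, OSError):
            return None

    before, codes = get_text(status_url), [None] * len(uris)
    threads = [threading.Thread(target=lambda i=i: codes.__setitem__(i, get_code(base_url + uris[i])))
               for i in range(len(uris))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return codes, before, get_text(status_url)


# Constructed sample data mirroring the report: two tagged copies of the
# XSS-scoring request, only the first reaches access.log, writing stays +1.
SENT = ["/1/index.html?v<<<<>>>>&t=1", "/1/index.html?v<<<<>>>>&t=2"]
STATUS_BEFORE = ("Active connections: 1 \nserver accepts handled requests\n"
                 " 10 10 12 \nReading: 0 Writing: 1 Waiting: 0 \n")
STATUS_AFTER = ("Active connections: 2 \nserver accepts handled requests\n"
                " 12 12 14 \nReading: 0 Writing: 2 Waiting: 0 \n")
ACCESS_LOG = ['[some_site.net] 192.0.2.10 - [01/Jan/2024:12:00:00 +0000] '
              '"GET /1/index.html?v<<<<>>>>&t=1 HTTP/1.1" 403 153 "-" "curl/8.0.1" "-"']

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. http://some_site.net:888 http://some_site.net:888/status (assumed)
        codes, b, a = probe_live(sys.argv[1], sys.argv[2], SENT)
        print("response codes:", codes, "writing delta:", find_unfinished([], [], b, a)["writing_delta"])
    else:
        print(find_unfinished(SENT, ACCESS_LOG, STATUS_BEFORE, STATUS_AFTER))
```

Run without arguments it analyses the constructed data and reports the second tagged request as missing with a writing delta of 1; with a base URL and a stub_status URL it performs the concurrent probe against a live server, where a `None` response code for one of the two requests is the behaviour the report describes.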

Sounds like the ngx_http_limit_req_module module is doing something weird, not naxsi. I do not see any reason to rate limit /403.html.

cuper6 commented 1 year ago

> ngx_http_limit_req_module module is doing something weird

it just delays the processing request.

> I do not see any reason to rate limit /403.html

This is minimal config to illustrate the problem. In real environment rate limit may be set at the upper level.

wargio commented 1 year ago

@cuper6 could you please try with the latest version of naxsi? https://github.com/wargio/naxsi/releases/tag/1.4 (yes different repo because this is now abandonware)

cuper6 commented 1 year ago

> try with the latest version of naxsi?

I tried with: https://github.com/wargio/naxsi/archive/refs/tags/1.4.zip

There are missing-file errors during configure and make:

...
configuring additional modules
adding module in /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src
cp: cannot stat '/usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/*.h': No such file or directory
cat: /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/libinjection_html5.c: No such file or directory
cat: /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/libinjection_sqli.c: No such file or directory
cat: /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/libinjection/src/libinjection_xss.c: No such file or directory
 + naxsi was configured
...
        /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/naxsi_config.c
In file included from /usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/naxsi_config.c:6:0:
/usr/local/src/nginx-test/naxsi/naxsi-1.4/naxsi_src/naxsi.h:19:48: fatal error: libinjection/src/libinjection_sqli.h: No such file or directory
 #include "libinjection/src/libinjection_sqli.h"
                                                ^
wargio commented 1 year ago

There are not. You haven't followed the building instructions. If you are using the tarball/zip files that GH has created, please instead download the one named naxsi-1.4-src-with-deps.zip

cuper6 commented 1 year ago

> please instead download the one named

OK, I did it with 1.4. Got the same results as with 1.3:

For the second (delayed by limit_req) request:
    The response is not sent to the client.
    The request is not logged in the access.log.
    The nginx stub status module's (ngx_http_stub_status_module) "writing" counter is not decremented.

wargio commented 1 year ago

I have no clue what is wrong. I have to check that other module.