lubomudr closed 4 months ago
Ok
I specifically removed the "request_id" size constants because I believed that since this is inherited from NGINX, then these are internal structures and should not be changed in any way in the NAXSI code.
But if you maintain compatibility with NGINX, when it does not yet contain the “request_id” variable, you will have to implement it yourself and these constants are needed. So I got excited here :smile:
But in any case, calculating naxsi_request_id for EVERY request is expensive. The algorithm has been slightly modified - it is calculated only on demand and only if the "request_id" variable is not defined. Otherwise naxsi_request_id is equal to request_id.
Information about naxsi_request_id has already been leaked :smile:
Information about naxsi_request_id has already been leaked 😄
could be just an alias.
To be clear, I'm very OK with this optimization, but I just checked the code that nginx uses for generating the value and it is essentially the same as ours.
Yes. The optimization is that this is not calculated for EVERY request, regardless of whether the value is needed or not.
Hi
I propose a solution to issue #142.
The first commit is simply a fix for $naxsi_request_id not being available in an internal redirect.
The second one has been fixed: now $naxsi_request_id is inherited by NGINX $request_id and is calculated only when necessary, for example, logging an error or directly accessing a variable.
Since the size of $request_id is fixed in NGINX and is always 16 random bytes, in hexadecimal, the size of the string is explicitly specified in the code.
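
The behaviour discussed in this thread (alias to the server's request id when it exists, otherwise generate 16 random bytes as 32 hex characters on first use only) as a standalone C sketch. This is an added example, not code from this pull request or from NAXSI or NGINX: `req_ctx`, `gen_hex_id`, the C function `naxsi_request_id` and the use of `/dev/urandom` as the random source are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_ID_BYTES 16                    /* 16 random bytes, as stated in the thread */
#define REQ_ID_HEX   (REQ_ID_BYTES * 2)    /* 32 hex characters */

/* Hypothetical per-request state; not NGINX's ngx_http_request_t. */
typedef struct {
    const char *request_id;              /* server-provided id, NULL on builds without it */
    char        own_id[REQ_ID_HEX + 1];  /* fallback storage, filled on first use */
    int         own_id_set;
    int         generated;               /* counts generations, for the demonstration */
} req_ctx;

/* Fill out[0..REQ_ID_HEX] with hex of 16 bytes from /dev/urandom (assumed source). */
static int gen_hex_id(char *out)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[REQ_ID_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;      /* never emit a short or partly filled id */
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[REQ_ID_HEX] = '\0';
    return 0;
}

/* Called only when the id is needed (error log line, variable access). */
const char *naxsi_request_id(req_ctx *r)
{
    if (r->request_id != NULL) return r->request_id;   /* alias: no work at all */
    if (!r->own_id_set) {
        if (gen_hex_id(r->own_id) != 0) return NULL;
        r->own_id_set = 1;
        r->generated++;
    }
    return r->own_id;                                   /* cached for later calls */
}

int main(void)
{
    req_ctx r = {0};
    const char *id = naxsi_request_id(&r);
    printf("%s (generated %d time(s))\n", id ? id : "(unavailable)", r.generated);
    return 0;
}
```

A request that never logs an error or reads the variable never reaches `gen_hex_id`, which is the saving the thread describes.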