Files

253 lines
6.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# **Naxsi Directives**
This section explains all the directives, with examples, that are available when the Naxsi module (`ngx_http_naxsi_module.so`) is enabled.
## **SecRulesEnabled**
> ️ Info
>
> NGINX block: `location`
This directive is mandatory to `enable` naxsi in a NGINX `location`.
### Example:
```nginx
location / {
SecRulesEnabled;
}
```
## **CheckRule**
> ️ Info
>
> NGINX block: `location`
This directive is required to instruct Naxsi on which action to take when there is a rule match.
The directive requires you to specify a **score** with a variable name and its min/max value (for example `$FOO_BAR >= 4`); the score is then followed by an action to take (`LOG`, `BLOCK`, `DROP`, or `ALLOW`) when is met.
> 📣 Important
>
> Score variable names must starts with a "dollar sign" `$` and can contains "underscores" `_`.
> ⚠️ Warning
>
> The action `BLOCK` will behave like `DROP` only when `LearningMode` is not enabled.
### Example:
```nginx
location / {
CheckRule "$FOO_UU >= 8" LOG;
CheckRule "$BARRRR < 99" DROP;
CheckRule "$SOMETHING <= 33" BLOCK;
}
```
## **LibInjectionXss**
> ️ Info
>
> NGINX block: `location`
When defined, this directive enables [libinjection's](https://github.com/libinjection/libinjection) xss detection on *all* requests.
> 📣 Important
>
> The detected XSS will increase the score `$LIBINJECTION_XSS` by `1` for each match; this means that is required to define `$LIBINJECTION_XSS` as a `CheckRule`.
### Example:
```nginx
location / {
# enable libinjection xss
LibInjectionXss;
# define LIBINJECTION_XSS for libinjection
CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
}
```
## **LibInjectionSql**
> ️ Info
>
> NGINX block: `location`
When defined, this directive enables [libinjection's](https://github.com/libinjection/libinjection) sqli detection on *all* requests.
> 📣 Important
>
> The detected SQLi will increase the score `$LIBINJECTION_SQL` by `1` for each match; this means that is required to define `$LIBINJECTION_SQL` as a `CheckRule`.
### Example:
```nginx
location / {
# enable libinjection sqli
LibInjectionSql;
# define LIBINJECTION_SQL for libinjection
CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
}
```
## **LearningMode**
> ️ Info
>
> NGINX block: `location`
This directive instructs Naxsi that to not honor `CheckRules` which defines actions as `BLOCK` in a NGINX `location`.
All the `BLOCK` actions will be interpreted as `LOG`; this is a useful mode when deploying a new web application and detect all false positives that might be generated by the WAF.
> 📣 Important
>
> Keep in mind that internal rules (those with an `id` inferior to 1000) will drop the request even in learning mode, because it means something fishy is going on and Naxsi can't correctly process the request. You can of course apply whitelists if those are false positives.
### Example:
```nginx
location / {
# enable Naxsi learning mode
LearningMode;
}
```
## **DeniedUrl**
> ️ Info
>
> NGINX block: `location`
This directive is used to define where Naxsi has to redirect (it's an NGINX's internal redirect) when blocking, dropping or logging requests.
The following headers that are added are when blocking, dropping or logging requests:
- `x-orig_url`
- `x-orig_args`
- `x-naxsi_sig`
> 💡 Tip
>
> It is **strongly** suggested to mark the `DeniedUrl` location as `internal` to prevent possible pre-detection of the WAF as per example.
### Example:
```nginx
location / {
DeniedUrl "/RequestDenied";
}
location /RequestDenied {
# Mark this location as internal only to prevent possible pre-detection of the WAF
internal;
# return code of the location.
return 403;
}
```
## **MainRule**
> ️ Info
>
> NGINX block: `http`
This directive is required to declare a **global** [rule](rules.md) or a [whitelist](whitelist.md).
> 💡 Tip
>
> You can define these within a config file and use the `include` directive to include them within the NGINX configuration.
You can find within the [Naxsi source code a list of global rules](https://github.com/wargio/naxsi/blob/main/naxsi_rules/) which provides a basic ruleset to protect any web application; these rules requires to include the following `CheckRules`:
```nginx
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 5" BLOCK;
CheckRule "$UPLOAD >= 5" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
CheckRule "$UWA >= 8" BLOCK;
CheckRule "$EVADE >= 8" BLOCK;
```
### Example:
```nginx
http {
# global whitelist
MainRule wl:12345 "mz:$URL:/robots.txt|URL";
# global rule
MainRule id:45678 "s:$UWA:8" "str:nmap" "mz:$HEADERS_VAR:User-Agent" "msg:nmap in user-agent";
}
```
## **BasicRule**
> ️ Info
>
> NGINX block: `location`
This directive is required to declare a **location-specific** (i.e. not global) [rule](rules.md) or a [whitelist](whitelist.md).
> 💡 Tip
>
> You can define these within a config file and use the `include` directive to include them within the NGINX configuration.
> 💡 Tip
>
> You can find within the [Naxsi source code a list of location-specific whitelist](https://github.com/wargio/naxsi/tree/main/naxsi_rules/whitelists) which can be used for known web applications like Wordpress, Etherpad, Drupal, and more...
### Example:
```nginx
location / {
# location-specific whitelist
BasicRule wl:12345 "mz:$URL:/robots.txt|URL";
# location-specific rule
BasicRule id:45678 "s:$UWA:8" "str:nmap" "mz:$HEADERS_VAR:User-Agent" "msg:nmap in user-agent";
}
```
## **IgnoreIP**
> ️ Info
>
> NGINX block: `location`
This directive can be used to whitelist requests from certain IPs.
> 💡 Tip
>
> You can define these within a config file and use the `include` directive to include them within the NGINX configuration.
### Example:
```nginx
location / {
IgnoreIP "1.2.3.4";
IgnoreIP "2001:4860:4860::8844";
}
```
## **IgnoreCIDR**
> ️ Info
>
> NGINX block: `location`
This directive can be used to whitelist requests from certain IP ranges.
> 💡 Tip
>
> You can define these within a config file and use the `include` directive to include them within the NGINX configuration.
### Example:
```nginx
location / {
IgnoreCIDR "192.168.0.0/24";
IgnoreCIDR "2001:4860:4860::/112";
}
```