178 lines
4.3 KiB
Markdown
178 lines
4.3 KiB
Markdown
# Directives
|
|
|
|
## DeniedUrl
|
|
* alias: denied_url
|
|
* context: location
|
|
|
|
`DeniedUrl` is a directive that indicates where naxsi will redirect (nginx's internal redirect) blocked requests.
|
|
|
|
As the request might be modified during redirect (url & arguments), extra http headers orig_url (original url),
|
|
orig_args (original GET args) and naxsi_sig (NAXSI_FMT) are added.
|
|
|
|
The headers that are forwarded to the location denied page are :
|
|
|
|
NAXSI_HEADER_ORIG_URL "x-orig_url"
|
|
NAXSI_HEADER_ORIG_ARGS "x-orig_args"
|
|
NAXSI_HEADER_NAXSI_SIG "x-naxsi_sig"
|
|
|
|
example:
|
|
```
|
|
location / {
|
|
...
|
|
DeniedUrl "/RequestDenied";
|
|
}
|
|
|
|
location /RequestDenied {
|
|
return 418; #I'm a teapot
|
|
}
|
|
```
|
|
|
|
## LearningMode
|
|
* alias: learning_mode
|
|
* context: location
|
|
|
|
`LearningMode` if instructs naxsi to enable learning mode (don't honor `BLOCK` directive) in the location.
|
|
|
|
For example:
|
|
|
|
```nginx
|
|
location /a {
|
|
# request triggering BLOCK score won't be blocked here, but simply logued.
|
|
LearningMode;
|
|
}
|
|
```
|
|
|
|
Keep in mind that internal rules (those with an `id` inferior to 1000) will drop the request even in learning mode, because it means that something fishy is going on, since naxsi can't correctly process the request.
|
|
You can of course apply [whitelist](whitelists-bnf.md) if those are false-positives.
|
|
|
|
## SecRulesEnabled
|
|
* alias: rules_enabled
|
|
* context: location
|
|
|
|
`SecRulesEnabled` is a mandatory keyword to enable naxsi in a location.
|
|
|
|
## SecRulesDisabled
|
|
* alias: rules_disabled
|
|
* context: location
|
|
|
|
`SecRulesDisabled` can be used to explicitely disable naxsi in a location.
|
|
|
|
## CheckRule
|
|
* alias: check_rule
|
|
* context: location
|
|
|
|
See [CheckRule](checkrules-bnf.md)
|
|
|
|
## BasicRule
|
|
* alias: basic_rule
|
|
* context: location
|
|
|
|
A directive used to declare a [rule](rules-bnf.md) or a [whitelist](whitelist-bnf.md).
|
|
|
|
## MainRule
|
|
* alias: main_rule
|
|
* context: http
|
|
|
|
A directive used to declare a [rule](rule-bnf.md) or a [whitelist](whitelist-bnf.md).
|
|
|
|
## LibInjectionXss
|
|
* alias: libinjection_xss
|
|
* context: location
|
|
|
|
A directive to enable [libinjection's xss detection](libinjection-integration.md) on *all* part of the http request.
|
|
|
|
## LibInjectionSql
|
|
* alias: libinjection_sql
|
|
* context: location
|
|
|
|
A directive to enable [libinjection's sqli detection](libinjection-integration.md) on *all* part of the http request.
|
|
|
|
## naxsi_extensive_log
|
|
* context: server
|
|
|
|
A flag that can be set at [runtime](runtime-modifiers.md) to enable [naxsi extensive logs](naxsilogs.md#naxsi_exlog).
|
|
|
|
```
|
|
server {
|
|
...
|
|
|
|
if ($remote_addr = "1.2.3.4") {
|
|
set $naxsi_extensive_log 1;
|
|
}
|
|
|
|
location / {
|
|
...
|
|
}
|
|
}
|
|
```
|
|
|
|
## naxsi_json_log
|
|
* context: server
|
|
|
|
Enable JSON in logs. Examples:
|
|
|
|
```
|
|
# normal log in JSON format
|
|
2022/12/22 20:36:35 [error] 1189262#0: *1 {"ip":"127.0.0.1","server":"localhost","uri":"/a","config":"block","rid":"a0333f697ff8f12b6a200a24117ff320","cscore0":"$SQL","score0":"8","cscore1":"$XSS","score1":"8","zone0":"ARGS","id0":"1001","var_name0":"b"}, client: 127.0.0.1, server: localhost, request: "GET /a?b="\dasdasdasdadsa HTTP/1.1", host: "localhost"
|
|
# extended log in json format
|
|
2022/12/22 20:36:35 [error] 1189262#0: *1 {"ip":"127.0.0.1","server":"localhost","uri":"/a","config":"block","rid":"a0333f697ff8f12b6a200a24117ff320","cscore0":"$SQL","score0":"8","cscore1":"$XSS","score1":"8","zone0":"ARGS","id0":"1001","var_name0":"b"}, client: 127.0.0.1, server: localhost, request: "GET /a?b="\dasdasdasdadsa HTTP/1.1", host: "localhost"
|
|
```
|
|
|
|
TODO DOCUMENTATION
|
|
|
|
## naxsi_flag_enable
|
|
* context: server
|
|
|
|
A flag that can be set at [runtime](runtime-modifiers.md) to enable or disable naxsi.
|
|
|
|
```
|
|
server {
|
|
set $naxsi_flag_enable 1;
|
|
location / {
|
|
...
|
|
}
|
|
}
|
|
```
|
|
|
|
## naxsi_flag_learning
|
|
* context: server
|
|
|
|
A flag that can be set at [runtime](runtime-modifiers.md) to enable or disable learning.
|
|
|
|
```
|
|
server {
|
|
set $naxsi_flag_learning 1;
|
|
location / {
|
|
...
|
|
}
|
|
}
|
|
```
|
|
|
|
## naxsi_flag_libinjection_sql
|
|
* context: server
|
|
|
|
A flag that can be set at [runtime](runtime-modifiers.md) to enable or disable [libinjection's sql detection](libinjection-integration.md)
|
|
|
|
```
|
|
server {
|
|
set $naxsi_flag_libinjection_sql 1;
|
|
location / {
|
|
...
|
|
}
|
|
}
|
|
```
|
|
|
|
## naxsi_flag_libinjection_xss
|
|
|
|
A flag that can be set at [runtime](runtime-modifiers.md) to enable or disable [libinjection's xss detection](libinjection-integration.md)
|
|
|
|
```
|
|
server {
|
|
set $naxsi_flag_libinjection_xss 1;
|
|
location / {
|
|
...
|
|
}
|
|
}
|
|
```
|
|
|