
Author Topic: Nginx Plugin :: WAF Whitelist  (Read 5052 times)

ccesario

Nginx Plugin :: WAF Whitelist
« on: November 28, 2018, 03:28:11 pm »
Hi folks, could someone please instruct me how to create a Whitelist Rule/Policy in the NGINX WAF plugin!?

In my tests, it seems that the whitelist is not interpreted.

Best regards
Carlos

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #1 on: November 28, 2018, 06:07:52 pm »
I designed it to work this way: create rules which whitelist some main rules and add them to a policy (may be the same as the main rules, and add it to your location).

You should find them by searching for wl: in the config.

ccesario

Re: Nginx Plugin :: WAF Whitelist
« Reply #2 on: November 28, 2018, 06:26:25 pm »
Hi @fabian, thanks for the info.

Well, I think that I tried creating it this way, but without success.
Is it possible for you to provide a simple example of it!?

Regards
Carlos

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #3 on: November 28, 2018, 06:45:08 pm »
Not really, because it is too large. The ids of the wl rules must match the block rules.

ccesario

Re: Nginx Plugin :: WAF Whitelist
« Reply #4 on: November 28, 2018, 06:48:17 pm »
I mean an example of how to create a whitelist (one or two screenshots)

:)

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #5 on: November 28, 2018, 07:08:36 pm »
These three settings are required for WL rules (due to some constraints there are some more fields which are required).

juliocbc

Re: Nginx Plugin :: WAF Whitelist
« Reply #6 on: November 29, 2018, 01:05:13 pm »
Hi Fabian!

Are there any plans to implement this? https://github.com/nbs-system/nxtool-ng

Franco told me that probably 19.x will include Elasticsearch, so it will be a good new plugin feature to make the work of whitelisting easier.
« Last Edit: November 29, 2018, 09:41:41 pm by juliocbc »
Cloudfence Open Source Team

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #7 on: November 29, 2018, 05:06:58 pm »
No, I have not, and I also don't want to include that. It may be a separate plugin which can be developed by someone else.

juliocbc

Re: Nginx Plugin :: WAF Whitelist
« Reply #8 on: November 29, 2018, 09:51:04 pm »
OK! I respect your point of view... but why? Don't you think in this manner the number of plugins can increase in an unnecessary way?

I remember the time that I was "another firewall pf's based" user and watched the number of plugins increase till the project's leaders started to reject new plugins...

Probably I'll use a forked version of this plugin with nxtoolng embedded to make our life here easier.. :-)

Anyway... You're doing excellent work with this plugin!!

Cheers!

Cloudfence Open Source Team

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #9 on: November 29, 2018, 10:41:44 pm »
Quote from: juliocbc on November 29, 2018, 09:51:04 pm
OK! I respect your point of view... but why? Don't you think in this manner the number of plugins can increase in an unnecessary way?

Two reasons: extra dependencies I and many other users won't need (but have to install), and in case of an error I don't want to get the tickets / debug it.

Quote from: juliocbc on November 29, 2018, 09:51:04 pm
I remember the time that I was "another firewall pf's based" user and watched the number of plugins increase till the project's leaders started to reject new plugins...

What has this to do with me / OPNsense? Plugins are not rejected because there are many. They are for example rejected if there are some problems with licensing, poor quality or if the contributor is unable to maintain it (fix bugs) - at least until now.

Quote from: juliocbc on November 29, 2018, 09:51:04 pm
Probably I'll use a forked version of this plugin with nxtoolng embedded to make our life here easier.. :-)
Why should anyone do this? It is easier to create an nxtoolng plugin which embeds into the menu section without touching the nginx plugin. It can also have the nginx plugin (os-nginx or os-nginx-devel) as a dependency so it ensures that it will be installed.

Quote from: juliocbc on November 29, 2018, 09:51:04 pm
Anyway... You're doing excellent work with this plugin!!
Thanks for the compliment.

juliocbc

Re: Nginx Plugin :: WAF Whitelist
« Reply #10 on: November 30, 2018, 11:24:02 am »
OK Fabian!

All your considerations are noted!! As I wrote, it's a question of point of view. It is not my goal to flame this thread!  ;D

So, the way we're using nxtool for now depends on an external Elasticsearch server, so everything is in the test stage and done by manual modification of configs. If everything works well, I'll try to do a plugin, with the community support of course! If someone else doesn't get it done before.

Thanks again!
Cloudfence Open Source Team

ccesario

Re: Nginx Plugin :: WAF Whitelist
« Reply #11 on: December 05, 2018, 08:17:19 pm »
@Fabian,

How can I whitelist an internal rule? Like this:

Code:
BasicRule wl:10;

I only had success putting this code directly into the nginx.conf file :)

Best regards
Carlos

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #12 on: December 05, 2018, 10:53:44 pm »
This currently does not work, but it should be simple to support this feature with the new constraint (which will be in the next OPNsense release). The code was written when you had the possibility to generate an invalid blacklist entry, so some fields had to be mandatory.
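Added example, not part of the thread and not the plugin's own code: a small Python check for the two points raised above, that the ids in a `wl:` rule must match the ids of block rules, and that an internal rule such as `wl:10` has no block rule to match. The sample config is constructed; `audit` and `classify` are hypothetical names, and treating ids below 1000 as internal follows NAXSI's numbering convention.

```python
import re

# Constructed sample config, not taken from the thread. wl:1999 deliberately
# points at no block rule; wl:10 is the internal-rule case asked about above.
SAMPLE = '''
MainRule "rx:select|union|update|delete|insert" "msg:sql keywords" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1000;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY" "s:$XSS:8" id:1302;
BasicRule wl:1000 "mz:$ARGS_VAR:q";
BasicRule wl:1302,1999 "mz:$URL:/search|ARGS";
BasicRule wl:10;
BasicRule wl:-1000;
'''

MAIN_ID = re.compile(r'^\s*MainRule\b.*\bid:(\d+)\s*;', re.M)
WL_RULE = re.compile(r'^\s*BasicRule\s+wl:(-?\d+(?:\s*,\s*-?\d+)*)', re.M)
INTERNAL_MAX = 999  # assumption: NAXSI reserves ids below 1000 for internal rules


def classify(wl_id, block_ids):
    """Say what a single whitelisted id refers to."""
    if wl_id == 0:
        return "all-rules"
    if wl_id < 0:
        # Negative id: every user rule except this one is whitelisted.
        return "all-except" if -wl_id in block_ids else "unmatched"
    if wl_id <= INTERNAL_MAX:
        return "internal"
    return "matched" if wl_id in block_ids else "unmatched"


def audit(config):
    """Return (line_no, wl_id, status) for every id in every whitelist rule."""
    block_ids = {int(m) for m in MAIN_ID.findall(config)}
    findings = []
    for m in WL_RULE.finditer(config):
        line_no = config.count("\n", 0, m.start(1)) + 1
        for raw in m.group(1).split(","):
            wl_id = int(raw)
            findings.append((line_no, wl_id, classify(wl_id, block_ids)))
    return findings


if __name__ == "__main__":
    for line_no, wl_id, status in audit(SAMPLE):
        print(f"line {line_no}: wl:{wl_id} -> {status}")
```

An `unmatched` result marks a whitelist entry that disables nothing, which is worth reviewing before assuming a false positive has been handled.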

ccesario

Re: Nginx Plugin :: WAF Whitelist
« Reply #13 on: December 06, 2018, 11:19:58 am »
Hi @Fabian,

I understand, let's wait for the next release :)
Thanks for clarifying.

Best regards
Carlos

fabian

Re: Nginx Plugin :: WAF Whitelist
« Reply #14 on: December 06, 2018, 05:25:42 pm »
If I have some time, this may go into 1.5, but you cannot apply it using opnsense-patch because it will probably not work due to the big changes between 1.3 and 1.5.