OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: wickeren on May 01, 2023, 07:27:34 pm

Title: WAF violation status code 403
Post by: wickeren on May 01, 2023, 07:27:34 pm
Is there a way to let nginx give a status code of 403 in case of violation of the NAXSI rules?
Some security scanners now can’t detect a WAF and flag that as a security issue. The cause seems to be the 200 response instead of a 403, even if the request is actually denied. Setting a custom error violation page won’t work either, because “Only the page content itself is used. Status code rewriting and redirection is not supported”.

Any ideas how to get a 403?

Title: Re: WAF violation status code 403
Post by: wickeren on May 02, 2023, 03:45:45 pm
Ok I can see in the config:

# NAXSI sends denied requests to this location; it serves a static page (HTTP 200)
location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
}

If I add return 403; it works as expected, the WAF is detected fine by different security scanners.

But it's overwritten/deleted every time I hit Apply in the GUI.
Any way to make a permanent custom config? Or any other way to add the return 403; ?

Title: Re: WAF violation status code 403
Post by: wickeren on May 02, 2023, 04:23:10 pm
Or even better: add a "Violation status code" setting in the GUI, setting the required status code.

Title: Re: WAF violation status code 403
Post by: wickeren on May 08, 2023, 09:21:39 pm
No idea how to return a more formally correct status 403 for a WAF violation?
Unlike in HAProxy, is there no such thing in NGINX to add custom options?

Title: Re: WAF violation status code 403
Post by: Fright on May 10, 2023, 08:24:38 pm
looks like a reasonable idea imho
but so far I can not offer other options except for adding a

  return 403;

line to the http.conf template after the https://github.com/opnsense/plugins/blob/ec4d29100ccf3117fb68c341c8749cf1f1ba3b66/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L251 line.
it won't survive the plugin update

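The one-line patch Fright describes, written out as a complete location block beside the generated one, as an added example that is not from the thread or the OPNsense nginx plugin. The error_page / internal part is my addition so the custom denied page body is still served with the 403; the paths are the ones shown in the thread, the /waf_denied_body.html name is an assumption.

```nginx
# Before and after are shown side by side; only ONE location = /waf_denied.html
# block may exist in a server, so the first one is what you replace.

# Generated by the plugin: NAXSI redirects denied requests here and a plain
# static file is served, so the client (and a security scanner) sees HTTP 200.
location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
}

# Patched: answer 403 so the block is visible in the status code.
# "return 403;" on its own serves nginx's built-in 403 page; error_page
# swaps in the custom body while keeping the 403 status (no "=" means the
# original code is preserved). The body file name is an assumption.
location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
        error_page 403 /waf_denied_body.html;
        return 403;
}

# Serves the denied-page body; "internal" keeps it reachable only through
# the error_page redirect above, never directly from a client.
location = /waf_denied_body.html {
        internal;
        root /usr/local/etc/nginx/views;
}
```

The body file has to exist under the views directory (a copy of the existing waf_denied.html works), and like the one-line patch this lives in the generated template, so it is lost when the GUI regenerates the config.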
Title: Re: WAF violation status code 403
Post by: wickeren on May 12, 2023, 11:17:54 pm
Tnx! I think I can live with that for now.
What’s the best way to make suggestions to get things like this possibly embedded in a next version?

Title: Re: WAF violation status code 403
Post by: Fright on May 29, 2023, 08:22:15 pm
A feature request at https://github.com/opnsense/plugins/issues/new?assignees=&labels=&projects=&template=feature_request.md&title= is the best option imho, so that all contributors can see the request ;)