I'm trying to get NAXSI working with NGINX but I believe I'm running into a bug. I tried this on my running OPNsense 24.1 system and also tried on a fresh 24.7 VM to validate if the bug is consistent.
I'm finding that the only thing from NAXSI that applies are the rules from the downloaded default rules config file. Custom rules don't apply, and modifications to the default rules don't apply either. For example, I modified a rule's score from 4 to 8 (which should have resulted in the request being blocked), but the request still goes through. Default rules that have a score of 8 are blocked as expected. I see in the OPNsense config file (/conf/config.xml) that the updated values are there, but I don't see anywhere that this is actually applied to NGINX. I see in my NGINX config "SecRulesEnabled" but I don't see anything referencing my custom rules or edits to the defaults. Reading through a bunch of the template files, I get the impression that when saving/applying the NGINX settings the settings for NAXSI in /conf/config.xml are supposed to be enumerated and applied to the NGINX config accordingly via template. However, I see no evidence in the NGINX config that this has occurred. What I think is happening is that the NAXSI .so loaded by the NGINX config is just using the downloaded NAXSI default rules file from the same directory and working off of that with no additional rules.
It's possible I have done something very wrong and broken things, but I'm leaning more towards this being a bug, as the setup seems relatively straightforward. Can anyone either point me in the right direction or confirm that it is a bug? My config is below. "server3.example.com" is the one that blocking is enabled for.
# configuration file /usr/local/etc/nginx/nginx.conf:
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so;
user www staff;
worker_processes 1;
#error_log /var/log/nginx/error.log;
error_log syslog:server=unix:/var/run/log,facility=local6,nohostname warn;
events {
worker_connections 1024;
}
http {
include mime.types;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$host" sn="$server_name" '
'rt=$request_time '
'ua="$upstream_addr" us="$upstream_status" '
'ut="$upstream_response_time" ul="$upstream_response_length" '
'cs=$upstream_cache_status';
log_format main_ban '$remote_addr - $remote_user [$time_local] "$scheme://$host$request_uri" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format handshake '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
log_format anonymized ':: - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#tcp_nopush on;
# https intercept detection
js_import /usr/local/opnsense/scripts/nginx/ngx_functions.js;
js_set $tls_intercepted ngx_functions.check_intercept;
# 200M should be big enough for file servers etc.
client_max_body_size 200M;
brotli_static on;
brotli on;
gzip_static on;
gzip on;
server_tokens off;
sendfile Off;
default_type application/octet-stream;
keepalive_timeout 60;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Map used in location.conf for proxy_ssl_name
map $ssl_server_name $upstream_sni_name {
default $ssl_server_name;
'' $host;
}
include http_post/*.conf;
# TODO add when core is ready for allowing nginx to serve the web interface
# include nginx_web.conf;
# UPSTREAM SERVERS
upstream upstream255b185d721747dfb5ac0b286420f7f8 {
server 172.25.25.244:443 weight=1;
}
upstream upstreame3a68f25739c4accb838951250e7b389 {
server 172.25.25.245:443 weight=1;
}
include opnsense_http_vhost_plugins/*.conf;
server {
listen 443 ssl;
http2 on;
ssl_client_certificate /usr/local/etc/nginx/key/server1.example.com_ca.pem;
ssl_verify_client on;
ssl_certificate_key /usr/local/etc/nginx/key/server1.example.com.key;
ssl_certificate /usr/local/etc/nginx/key/server1.example.com.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_stapling off;
sendfile On;
server_name server1.example.com;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/server1.example.com.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/server1.example.com.error.log error;
#include tls.conf;
error_page 403 /opnsense_error_403.html;
error_page 404 /opnsense_error_404.html;
error_page 405 /waf_denied.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
location = /opnsense_error_403.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
# location to ban the host permanently
set $naxsi_extensive_log 0;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
access_log /var/log/nginx/perm_ban.access.log main_ban;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 444;
}
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# block based on User Agents defined in global http settings
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
return 418;
}
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "bbfb1db1-01ed-4194-94ef-62368001081e";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_param AUTH_SERVER "Local Database";
fastcgi_intercept_errors on;
include fastcgi_params;
}
include bbfb1db1-01ed-4194-94ef-62368001081e_pre/*.conf;
location / {
BasicRule wl:19;
DeniedUrl "/waf_denied.html";
autoindex off;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Client-Dn $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_ignore_client_abort off;
proxy_request_buffering on;
proxy_max_temp_file_size 1024m;
proxy_buffering on;
proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
proxy_ssl_server_name on;
proxy_ssl_name server1.example.com;
proxy_ssl_session_reuse on;
proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 1;
proxy_store off;
proxy_hide_header X-Powered-By;
include ef0a7e0a-2b6b-4a9a-9db2-0a913753e8a4_post/*.conf;
}
include bbfb1db1-01ed-4194-94ef-62368001081e_post/*.conf;
}
server {
listen 443 ssl;
http2 on;
ssl_client_certificate /usr/local/etc/nginx/key/server2.example.com_ca.pem;
ssl_verify_client on;
ssl_certificate_key /usr/local/etc/nginx/key/server2.example.com.key;
ssl_certificate /usr/local/etc/nginx/key/server2.example.com.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_stapling off;
sendfile On;
server_name server2.example.com;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/server2.example.com.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/server2.example.com.error.log error;
#include tls.conf;
error_page 403 /opnsense_error_403.html;
error_page 404 /opnsense_error_404.html;
error_page 405 /waf_denied.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
location = /opnsense_error_403.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
# location to ban the host permanently
set $naxsi_extensive_log 0;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
access_log /var/log/nginx/perm_ban.access.log main_ban;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 444;
}
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# block based on User Agents defined in global http settings
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
return 418;
}
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "d9f9ba66-d5a7-4047-b3c8-b1fda9cabcdf";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_param AUTH_SERVER "Local Database";
fastcgi_intercept_errors on;
include fastcgi_params;
}
include d9f9ba66-d5a7-4047-b3c8-b1fda9cabcdf_pre/*.conf;
location / {
BasicRule wl:19;
DeniedUrl "/waf_denied.html";
autoindex off;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Client-Dn $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
proxy_ignore_client_abort off;
proxy_request_buffering on;
proxy_max_temp_file_size 1024m;
proxy_buffering on;
proxy_pass https://upstreame3a68f25739c4accb838951250e7b389;
proxy_ssl_server_name on;
proxy_ssl_name $upstream_sni_name;
proxy_ssl_session_reuse on;
proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 1;
proxy_store off;
proxy_hide_header X-Powered-By;
include d1284175-c02a-42af-8f46-816febe0be94_post/*.conf;
}
include d9f9ba66-d5a7-4047-b3c8-b1fda9cabcdf_post/*.conf;
}
server {
listen 443 ssl;
http2 on;
ssl_certificate_key /usr/local/etc/nginx/key/server3.example.com.key;
ssl_certificate /usr/local/etc/nginx/key/server3.example.com.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_stapling off;
sendfile On;
server_name server3.example.com;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/server3.example.com.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/server3.example.com.error.log info;
#include tls.conf;
error_page 400 401 403 404 405 407 408 410 415 429 431 500 501 502 503 504 =200 /error_770ce3fdc609422d96c5f0894f407fac.html;
location = /error_770ce3fdc609422d96c5f0894f407fac.html {
internal;
root /usr/local/etc/nginx/views;
}
# location to ban the host permanently
set $naxsi_extensive_log 1;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
access_log /var/log/nginx/perm_ban.access.log main_ban;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 444;
}
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# block based on User Agents defined in global http settings
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
return 418;
}
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "dd6d7666-2aa0-42fd-825c-9fdc3f0c0b29";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_param AUTH_SERVER "Local Database";
fastcgi_intercept_errors on;
include fastcgi_params;
}
include dd6d7666-2aa0-42fd-825c-9fdc3f0c0b29_pre/*.conf;
location ~* ^/(sdk/testing|php/testing) {
SecRulesEnabled;
BasicRule wl:19;
DeniedUrl "/error_770ce3fdc609422d96c5f0894f407fac.html";
error_page 400 401 403 404 405 407 408 410 415 429 431 500 501 502 503 504 =200 /error_770ce3fdc609422d96c5f0894f407fac.html;
autoindex off;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
proxy_read_timeout 120s;
proxy_send_timeout 120s;
proxy_ignore_client_abort off;
proxy_request_buffering on;
proxy_max_temp_file_size 1024m;
proxy_buffering on;
proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
proxy_ssl_server_name on;
proxy_ssl_name server1.example.com;
proxy_ssl_session_reuse on;
proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 1;
proxy_store off;
proxy_hide_header X-Powered-By;
include 3f472f02-27eb-4f1b-ba12-2ef72215f8a0_post/*.conf;
}
include dd6d7666-2aa0-42fd-825c-9fdc3f0c0b29_post/*.conf;
}
}
stream {
# LOG FORMATS
log_format main '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
log_format anonymized ':: [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
# UPSTREAM SERVERS
upstream upstream255b185d721747dfb5ac0b286420f7f8 {
server 172.25.25.244:443 weight=1;
}
upstream upstreame3a68f25739c4accb838951250e7b389 {
server 172.25.25.245:443 weight=1;
}
# upstream maps
include opnsense_stream_vhost_plugins/*.conf;
}
# mail {
# }
# configuration file /usr/local/etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/gzip gz;
application/xz xz;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg oga;
audio/opus opus;
audio/speex spx;
audio/x-m4a m4a;
audio/x-realaudio ra;
audio/flac flac;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/ogg ogv;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /usr/local/etc/nginx/opnsense_http_vhost_plugins/vts.conf:
vhost_traffic_status_zone shared:vhost_traffic_status:20m;
server {
listen unix:/var/run/nginx_status.sock;
location /vts {
vhost_traffic_status_bypass_stats on;
vhost_traffic_status_display;
vhost_traffic_status_display_format json;
}
}
# configuration file /usr/local/etc/nginx/fastcgi_params:
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
Hi.
It is necessary to create WAF rule(s), combine them into WAF policy(ies) and assign policies to Location(s).
Has this been done?
Yes, I created a single custom rule and a single policy, and assigned that rule to the policy. The policy is configured for the location. I also tried downloading the default rules and policies and modifying one of the rules. Both tests resulted in the behavior I described.
Apparently I'm an idiot and didn't properly select the policy on the Location, I just enabled security rules there. I could have sworn I did, but looking at my setup and enabling the policy on the Location made it finally work. Embarrassing mistake...
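A quick way to catch the mistake this thread ended on (security rules enabled on the Location, but no policy assigned) is to audit the rendered config rather than the GUI. The script below is an added example, not code from this thread or from the OPNsense nginx plugin. It assumes that the plugin renders an assigned WAF policy as NAXSI `CheckRule` lines inside the location that carries `SecRulesEnabled`, and custom WAF rules as `MainRule` lines in the http context (both are NAXSI's own directives). The two config excerpts are constructed, modelled on the server3 vhost posted above; the rule id 42000001 and the `$CUSTOM` score name are made up for the sample.

```python
import re
from dataclasses import dataclass, field

# NAXSI directives that can appear inside a location (assumption: this is
# how the OPNsense template wires a policy into a location).
LOCATION_DIRECTIVES = ("SecRulesEnabled", "LearningMode", "DeniedUrl",
                       "CheckRule", "BasicRule")


@dataclass
class LocationAudit:
    """NAXSI directive counts for one nginx location block."""
    name: str
    counts: dict = field(default_factory=lambda: {d: 0 for d in LOCATION_DIRECTIVES})

    @property
    def waf_enabled(self) -> bool:
        return self.counts["SecRulesEnabled"] > 0

    @property
    def has_policy(self) -> bool:
        # A policy materialises as CheckRule lines; without them NAXSI only
        # accumulates scores and has no threshold to act on.
        return self.counts["CheckRule"] > 0


def _braces(line: str) -> tuple[int, int]:
    """Count { and } outside quoted strings (quoted regexes may contain braces)."""
    bare = re.sub(r'"[^"]*"|\'[^\']*\'', '""', line)
    return bare.count("{"), bare.count("}")


def audit(config_text: str) -> tuple[int, list[LocationAudit]]:
    """Walk an `nginx -T` dump; return (MainRule count outside locations, locations)."""
    main_rules = 0
    locations: list[LocationAudit] = []
    stack: list = []  # one entry per open block: a LocationAudit or None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0].rstrip(";")
        current = next((b for b in reversed(stack) if b is not None), None)
        if first == "MainRule" and current is None:
            main_rules += 1  # custom rule rendered in the http context
        elif current is not None and first in current.counts:
            current.counts[first] += 1
        opened, closed = _braces(line)
        for _ in range(opened):
            if first == "location":
                loc = LocationAudit(line.split("{", 1)[0][len("location"):].strip())
                locations.append(loc)
                stack.append(loc)
            else:
                stack.append(None)  # server, http, if, ... blocks
        for _ in range(closed):
            if stack:
                stack.pop()
    return main_rules, locations


def findings(config_text: str) -> list[str]:
    """One verdict per WAF-enabled location, plus the custom-rule count."""
    main_rules, locations = audit(config_text)
    out = []
    for loc in locations:
        if not loc.waf_enabled:
            continue
        if not loc.has_policy:
            out.append(f"location {loc.name}: SecRulesEnabled but no CheckRule "
                       "(no WAF policy assigned, so no score threshold blocks)")
        else:
            out.append(f"location {loc.name}: policy with "
                       f"{loc.counts['CheckRule']} CheckRule lines")
    out.append(f"{main_rules} custom MainRule line(s) in http context")
    return out


# Constructed nginx -T excerpts modelled on the thread's server3 vhost.
CONFIG_BEFORE = """\
http {
    server {
        server_name server3.example.com;
        if ($http_user_agent ~* Nmap|sqlmap) {
            return 418;
        }
        location ~* ^/(sdk/testing|php/testing) {
            SecRulesEnabled;
            BasicRule wl:19;
            DeniedUrl "/error_770ce3fdc609422d96c5f0894f407fac.html";
            proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
        }
        location / {
            proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
        }
    }
}
"""

CONFIG_AFTER = """\
http {
    MainRule "str:constructed-test" "msg:constructed custom rule" "mz:URL|ARGS" "s:$CUSTOM:8" id:42000001;
    server {
        server_name server3.example.com;
        location ~* ^/(sdk/testing|php/testing) {
            SecRulesEnabled;
            BasicRule wl:19;
            DeniedUrl "/error_770ce3fdc609422d96c5f0894f407fac.html";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            CheckRule "$CUSTOM >= 8" BLOCK;
            proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, *findings(cfg), sep="\n  ")
```

On the firewall, `nginx -T` prints the fully rendered configuration; feeding that text to `findings()` lists every location that has `SecRulesEnabled` and states whether any `CheckRule` (policy) lines landed in it. A WAF location reported with "no CheckRule" is exactly the state shown in the posted config: scoring is on, but nothing is assigned that turns a score into a block.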