OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: ccesario on November 28, 2018, 03:28:11 pm

Title: Nginx Plugin :: WAF Whitelist
Post by: ccesario on November 28, 2018, 03:28:11 pm
Hi folks, could someone please instruct me how to create a whitelist rule/policy in the NGINX WAF plugin!?

In my tests, it seems that the whitelist is not interpreted.

Best regards
Carlos
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on November 28, 2018, 06:07:52 pm
I designed it to work this way: create rules which do whitelist some main rules and add them to a policy (may be the same as the main rules and add it to your location).

You should find them by searching for wl: in the config.
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: ccesario on November 28, 2018, 06:26:25 pm
Hi @fabian, thanks for the info.

Well, I think that I tried to create it this way, but without success.
Is it possible for you to provide a simple example of it!?

Regards
Carlos
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on November 28, 2018, 06:45:08 pm
Not really, because it is too large. The ids of the wl rules must match the block rules.
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: ccesario on November 28, 2018, 06:48:17 pm
I mean an example of how to create a whitelist (one or two screenshots)

:)
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on November 28, 2018, 07:08:36 pm
These three settings are required for WL rules (due to some constraints there are some more fields which are required).
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: juliocbc on November 29, 2018, 01:05:13 pm
Hi Fabian!

Are there any plans to implement this? https://github.com/nbs-system/nxtool-ng

Franco told me that probably 19.x will include elasticsearch.. so it will be a good new plugin feature to make the work of whitelisting easier.
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on November 29, 2018, 05:06:58 pm
No I have not and I also don't want to include that. It may be a separate plugin which can be developed by someone else.
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: juliocbc on November 29, 2018, 09:51:04 pm
OK! I respect your point of view... but why? Don't you think in this manner the number of plugins can increase in an unnecessary way?

I remember the time when I was "another firewall pf's based" user and watched the number of plugins increase till the project's leaders started to reject new plugins...

Probably I'll use a forked version of this plugin with nxtoolng embedded to make our life here easier.. :-)

Anyway... You're doing excellent work with this plugin!!

Cheers!

Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on November 29, 2018, 10:41:44 pm
OK! I respect your point of view... but why? Don't you think in this manner the number of plugins can increase in an unnecessary way?

Two reasons: extra dependencies I and many other users won't need (but have to install) and in case of an error I don't want to get the tickets / debug it.

I remember the time when I was "another firewall pf's based" user and watched the number of plugins increase till the project's leaders started to reject new plugins...

What has this to do with me / OPNsense? Plugins are not rejected because there are many. They are for example rejected if there are some problems with licensing, poor quality or if the contributor is unable to maintain it (fix bugs) - at least until now.

Probably I'll use a forked version of this plugin with nxtoolng embedded to make our life here easier.. :-)
Why should anyone do this? It is easier to create an nxtoolng plugin which embeds into the menu section without touching the nginx plugin. It can also have the nginx plugin (os-nginx or os-nginx-devel) as a dependency so it ensures that it will be installed.

Anyway... You're doing excellent work with this plugin!!
Thanks for the compliment.
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: juliocbc on November 30, 2018, 11:24:02 am
OK Fabian!

All your considerations are noted!! As I wrote, it's a question of point of view. It is not my goal to flame this thread!  ;D

So, the way we're using the nxtool for now depends on an external elasticsearch server, so everything is in the testing stage and done by manual modification of the configs. If everything works well, I'll try to do a plugin, with the community's support of course! If someone else doesn't get it done before.

Thanks again!
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: ccesario on December 05, 2018, 08:17:19 pm
@Fabian,

How can I whitelist an internal rule? Like this:

Code:
BasicRule wl:10;

I only succeeded by putting this code directly into the nginx.conf file :)

Best regards
Carlos
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on December 05, 2018, 10:53:44 pm
This currently does not work, but it should be simple to support this feature with the new constraint (which will be in the next OPNsense release). The code was written when you had the possibility to generate an invalid blacklist entry, so some fields had to be mandatory.
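
Added example, not part of any post in this thread and not code from the plugin: a small Python check for the two points discussed above, that whitelist ids must match the ids of the blocking rules, and that a whitelist such as wl:10 targets an internal rule with no MainRule of its own. The sample config is constructed, and treating ids below 1000 as NAXSI internal rules is an assumption about NAXSI's numbering.

```python
import re

# Constructed sample of generated NAXSI directives (not taken from the thread).
SAMPLE_CONF = '''
MainRule "rx:select|union" "msg:sql keywords" "mz:BODY|URL|ARGS" "s:$SQL:4" id:1000;
MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY" "s:$XSS:8" id:1302;
location / {
    BasicRule wl:1000 "mz:$ARGS_VAR:q";
    BasicRule wl:1302,1303 "mz:$BODY_VAR:comment";
    BasicRule wl:10;
}
'''

# A blocking rule carries "id:N"; a whitelist carries "wl:N[,N...]".
RULE_ID = re.compile(r'^\s*(?:MainRule|BasicRule)\b[^;]*?\bid:(\d+)', re.M)
WHITELIST = re.compile(r'^\s*BasicRule\s+wl:(-?\d+(?:,-?\d+)*)', re.M)
INTERNAL_MAX = 999  # assumption: NAXSI reserves ids below 1000 for internal rules


def audit_whitelists(conf):
    """Sort every whitelisted id by whether a blocking rule with that id exists."""
    defined = {int(i) for i in RULE_ID.findall(conf)}
    report = {"matched": [], "internal": [], "unmatched": [], "broad": []}
    for id_list in WHITELIST.findall(conf):
        for raw in id_list.split(","):
            wl_id = int(raw)
            if wl_id <= 0:
                # wl:0 or a negative id covers more than one rule; review by hand.
                report["broad"].append(wl_id)
            elif wl_id <= INTERNAL_MAX:
                # Internal rule: no MainRule line exists to match against.
                report["internal"].append(wl_id)
            elif wl_id in defined:
                report["matched"].append(wl_id)
            else:
                # Whitelist refers to an id that no blocking rule defines.
                report["unmatched"].append(wl_id)
    return report


if __name__ == "__main__":
    for kind, ids in audit_whitelists(SAMPLE_CONF).items():
        print(kind, ids)
```

Ids reported as unmatched are whitelist entries that have no effect on any defined rule; ids reported as broad disable more than a single rule and deserve a manual look.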
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: ccesario on December 06, 2018, 11:19:58 am
Hi @Fabian,

I understand, let's wait for the next release :)
Thanks for clarifying.

Best regards
Carlos
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on December 06, 2018, 05:25:42 pm
If I have some time, this may go into 1.5 but you cannot apply it using opnsense-patch because it will probably not work due to the big changes between 1.3 and 1.5
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on December 08, 2018, 07:30:21 pm
Pull Request is ready: https://github.com/opnsense/plugins/pull/1051/files

You cannot apply that as a patch because you would need os-nginx 1.5.
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: ccesario on December 12, 2018, 12:16:23 am
Nice @fabian!!!
 
Title: Re: Nginx Plugin :: WAF Whitelist
Post by: fabian on December 12, 2018, 05:46:00 pm
1.4 + 1.5 were a lot of work and diff of 1.3 and 1.5 is around the same size as the first version (~2k lines of code).

So I hope it became a good release ;)