We are currently testing OPNsense as a WAF and enabled the Naxsi rules. Some were too restrictive and we allow-listed them. But there are still some internal Naxsi rules that we need to allow-list as well; for those I can't just edit an existing rule and change it to "Whitelist", I need to create one.
But it doesn't matter whether I add a custom MainRule or BasicRule, it doesn't end up in the nginx config file. I also tested with different codes outside the already provided Naxsi policies, with the same result.
We also created a Naxsi Policy with our custom rule and enabled it at the location setting /.
I can save and reload and restart nginx as much as I want, but these config changes don't end up in the nginx config file, and therefore don't get applied.
I can manually add the Naxsi rules to the config file if I edit the file via SSH on the server, like this:
Then the override works and the internal rule is allow-listed. BUT... what if I ever were to change the location or trigger a config update... So this is nice for testing, but I need a different way to get additional nginx config applied via the interface, and a way to debug why it is not adding the rules in the first place.
I don't get any visual feedback or error logs that my custom rules via the interface are missing something; now I'm hitting a wall. It looks like this should be working.
Has anyone else run into similar issues? What are your solutions and workarounds? Can you spot anything, maybe obvious, that I might be missing?
Is there a way to add additional nginx config via the interface? A file, some lines of code?
```nginx
http {
    include mime.types;
    MainRule id:1302 "str:<" "msg:html open tag" "mz:BODY|ARGS|URL|$HEADERS_VAR:Cookie" "s:$policy0545fff8df3d43d8b68c1256ea3923bd:8";
    MainRule id:1303 "str:>" "msg:html close tag" "mz:BODY|ARGS|URL|$HEADERS_VAR:Cookie" "s:$policy0545fff8df3d43d8b68c1256ea3923bd:8";
    MainRule wl:1310 "mz:BODY|ARGS|URL|$HEADERS_VAR:Cookie";
    ...
    MainRule wl:11 "mz:BODY|ARGS|URL";
    MainRule wl:15 "mz:BODY|ARGS|URL";
    ...
    location ^~ / {
        SecRulesEnabled;
        LibInjectionXss;
        CheckRule "$LIBINJECTION_XSS >= 4" BLOCK;
        BasicRule wl:11; # our custom naxsi internal rule override
        BasicRule wl:15; # our custom naxsi internal rule override
        BasicRule wl:19; # this one was already present
        ...
```
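One way to get the missing feedback the post asks for is to check the rendered nginx file directly after each GUI save and reload, rather than eyeballing it. The script below is an added example, not code from the poster or from the OPNsense nginx plugin: it extracts every `BasicRule wl:<id>` inside a chosen `location` block and reports which expected IDs are absent. The function names, the constructed sample config and the assumed rendered-config path `/usr/local/etc/nginx/nginx.conf` are all assumptions; confirm the path on your own box.

```shell
#!/bin/sh
# Added example (not from the original post or the OPNsense project): verify
# that the nginx config OPNsense rendered actually contains the Naxsi
# whitelist rules you expect in a given location block.
# Assumption: on OPNsense the rendered file lives at
# /usr/local/etc/nginx/nginx.conf (check this on your own installation).

# Print the numeric id of every "BasicRule wl:<id>" inside one location block.
# $1 = config file, $2 = location match exactly as written, e.g. '^~ /'
naxsi_location_wl_ids() {
    awk -v loc="location $2 {" '
        # enter the wanted block, then track brace depth until it closes
        !inblk && index($0, loc) { inblk = 1; depth = 1; next }
        inblk {
            # split() returns field count + 1 for each separator on non-empty
            # lines, so the difference is exactly (opens - closes)
            depth += split($0, a, "{") - split($0, b, "}")
            if (depth <= 0) { inblk = 0; next }
            if ($1 == "BasicRule" && $2 ~ /^wl:[0-9]+;?$/) {
                id = $2; sub(/^wl:/, "", id); sub(/;$/, "", id); print id
            }
        }' "$1"
}

# Return 0 only if every id in $3.. is whitelisted in that location block;
# print each missing id so you know which rule the GUI did not emit.
naxsi_check_wl() {
    conf=$1; loc=$2; shift 2
    present=$(naxsi_location_wl_ids "$conf" "$loc")
    missing=0
    for id in "$@"; do
        if ! printf '%s\n' "$present" | grep -qx "$id"; then
            echo "missing whitelist for naxsi rule $id in 'location $loc'" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample resembling the rendered config from the post (not a real
# OPNsense file); written to a temp file so the functions can be exercised.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http {
    include mime.types;
    MainRule wl:11 "mz:BODY|ARGS|URL";
    server {
        listen 80;
        location ^~ / {
            SecRulesEnabled;
            LibInjectionXss;
            CheckRule "$LIBINJECTION_XSS >= 4" BLOCK;
            BasicRule wl:19;
        }
        location /static/ {
            BasicRule wl:11;
        }
    }
}
EOF

# Usage against the live file after a GUI save + reload (path is an assumption):
#   naxsi_check_wl /usr/local/etc/nginx/nginx.conf '^~ /' 11 15 19
# Against the constructed sample, 19 is present but 11 and 15 are not, so
# this reports two missing ids and exits non-zero.
if naxsi_check_wl "$SAMPLE_CONF" '^~ /' 11 15 19; then
    echo "all expected whitelists present"
else
    echo "some expected whitelists are missing from the rendered config"
fi
```

Run it right after saving in the GUI and reloading nginx; a non-zero exit with the printed IDs tells you whether the plugin dropped your rule at render time or whether nginx simply never reloaded, which is the distinction the post is missing. Pair it with `nginx -t` so a rule that did make it into the file is also known to parse.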