Need help creating a NAXSI whitelist

Started by netshi, July 07, 2023, 02:10:43 PM

I switched from NGINX Proxy Manager to the OPNsense nginx and acme plugins.
I have enabled the learning mode of the WAF, but I am trying to figure out how to decipher the HTTP error logs so that I can create a whitelist. My assumption at this point is that creating a whitelist is done in Nginx / Configuration / HTTP(S) / Naxsi WAF Rule.

Here is one of my logs:
*14984 NAXSI_FMT: ip=10.0.11.22&server=search.domain.tld&uri=/autocomplete&config=block&rid=feb5f386b80b994a5416fada8d76524e38&zone0=BODY&id0=11&var_name0=, client: 10.0.11.22, server: search.domain.tld, request: "POST /autocomplete HTTP/2.0", host: "search.domain.tld"

How do you guys create your whitelist for your specific service behind the NGINX?
The sample HTTP error log is from my Whoogle container. The 10.0.11.22 is my laptop. But I am not sure how I can create a whitelist based on this sample log.

From the terminal I do not know how to do it, but from the OPNsense nginx GUI:
Go to HTTP-server, and tick advanced mode,
then look for the field "Naxsi Trusted Source IPs"
(Enter a list of IP addresses or CIDR networks which will be whitelisted for the Naxsi rules.)
Deciso DEC850v2

My use case is I change IP all the time because of mobile devices. Is there a way to whitelist a different way?
Here is one of the HTTP error logs from my Firefly III instance. Here I am using my mobile phone.

*1712 NAXSI_FMT: ip=180.33.22.180&server=firefly.domain.tld&uri=/api/v1/autocomplete/accounts&config=block&rid=985213e2f5sd7b1de583b1fc56f7864557d&cscore0=$policy3a02eef8b50142fda2792das7e66c008547&score0=22&zone0=HEADERS&id0=1002&var_name0=cookie&zone1=ARGS&id1=1015&var_name1=types, client: 180.33.22.180, server: firefly.domain.tld, request: "GET /api/v1/autocomplete/accounts?types=Asset%20account,Expense%20account,Loan,Debt,Mortgage&query= HTTP/2.0", host: "firefly.domain.tld"
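To turn NAXSI_FMT lines like the two quoted in this thread into candidate BasicRule whitelist entries, here is an added Python example (mine, not from the thread or the OPNsense plugin); it reads the zoneN/idN/var_nameN triples and scopes each rule to the request URI so the exception is not site-wide. It assumes the log format exactly as quoted above; each generated rule is a candidate only, to be checked against the legitimate client's request before it goes into Naxsi WAF Rule.

```python
import re
from urllib.parse import parse_qsl

# The two NAXSI_FMT lines quoted in this thread (strings split only for width).
LOG_LINES = [
    "*14984 NAXSI_FMT: ip=10.0.11.22&server=search.domain.tld&uri=/autocomplete"
    "&config=block&rid=feb5f386b80b994a5416fada8d76524e38&zone0=BODY&id0=11"
    "&var_name0=, client: 10.0.11.22, server: search.domain.tld, "
    'request: "POST /autocomplete HTTP/2.0", host: "search.domain.tld"',
    "*1712 NAXSI_FMT: ip=180.33.22.180&server=firefly.domain.tld"
    "&uri=/api/v1/autocomplete/accounts&config=block"
    "&rid=985213e2f5sd7b1de583b1fc56f7864557d"
    "&cscore0=$policy3a02eef8b50142fda2792das7e66c008547&score0=22"
    "&zone0=HEADERS&id0=1002&var_name0=cookie&zone1=ARGS&id1=1015&var_name1=types"
    ", client: 180.33.22.180, server: firefly.domain.tld, "
    'request: "GET /api/v1/autocomplete/accounts?types=Asset%20account,'
    'Expense%20account,Loan,Debt,Mortgage&query= HTTP/2.0", host: "firefly.domain.tld"',
]

_INDEXED = re.compile(r"^(zone|id|var_name)(\d+)$")

def parse_naxsi_fmt(line):
    """Return (scalar fields, [{zone, id, var_name}, ...]) for one NAXSI_FMT line."""
    m = re.search(r"NAXSI_FMT: (.*?), client:", line)
    if not m:
        raise ValueError("not a NAXSI_FMT log line")
    fields, hits = {}, {}
    # scoreN / cscoreN and rid stay in fields; only the indexed triples become hits
    for key, value in parse_qsl(m.group(1), keep_blank_values=True):
        idx = _INDEXED.match(key)
        if idx:
            hits.setdefault(int(idx.group(2)), {})[idx.group(1)] = value
        else:
            fields[key] = value
    return fields, [hits[n] for n in sorted(hits)]

def whitelist_rules(line):
    """One BasicRule per hit, limited to the URI that produced the log line."""
    fields, hits = parse_naxsi_fmt(line)
    rules = []
    for hit in hits:
        # A named variable becomes $ZONE_VAR:name; an empty var_name (as with
        # internal rule id 11 on BODY in the first log) whitelists the bare zone.
        mz = f"${hit['zone']}_VAR:{hit['var_name']}" if hit["var_name"] else hit["zone"]
        rules.append(f'BasicRule wl:{hit["id"]} "mz:$URL:{fields["uri"]}|{mz}";')
    return rules

def whitelist_for(lines):
    """Deduplicated rule set for a batch of learning-mode log lines."""
    return sorted({rule for line in lines for rule in whitelist_rules(line)})
```

`$URL:` in a NAXSI whitelist is an exact path match; use `$URL_X:` with a regex if several paths need the same exception.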

Maybe you can use a VPN on OPNsense, and with that you can use static IPs and use those in the nginx whitelist.
Deciso DEC850v2

If it were me, yes, I would use the VPN; unfortunately, my family members are not home labbers and have no desire to keep flipping the VPN button. For some services, a VPN is not the answer for my use case.

I use WireGuard with my fam. It can be always on on the mobile devices. It's so fast that they do not even see the difference between it being on and off, so it can be always on (although you can set when to connect or not to connect, e.g. automatically when on Wi-Fi at home). And by doing so, and using e.g. AdGuard, they have AdGuard ad blocking on the go also :-)
Deciso DEC850v2