Nginx Plugin :: WAF Whitelist

Started by ccesario, November 28, 2018, 03:28:11 PM

Hi folks, could someone please instruct me how to create a Whitelist Rule/Policy in the NGINX WAF plugin!?

In my tests, it seems that the whitelist is not interpreted.

Best regards
Carlos

I designed it to work this way: create rules which whitelist some main rules and add them to a policy (it may be the same one as the main rules) and add it to your location.

You should find them by searching for wl: in the config.

Hi @fabian, thanks for the info.

Well, I think I tried creating it this way, but without success.
Is it possible for you to provide a simple example of it!?

Regards
Carlos

Not really, because it is too large; the ids of the wl rules must match the block rules.

I mean an example of how to create a whitelist (one or two screenshots).

:)

These three settings are required for WL rules (due to some constraints there are some more fields which are required).

November 29, 2018, 01:05:13 PM #6 Last Edit: November 29, 2018, 09:41:41 PM by juliocbc
Hi Fabian!

Are there any plans to implement this? https://github.com/nbs-system/nxtool-ng

Franco told me that 19.x will probably include elasticsearch.. so it would be a good new plugin feature to make the work of whitelisting easier.
Cloudfence Open Source Team

No, I have not, and I also don't want to include that. It may be a separate plugin which can be developed by someone else.

OK! I respect your point of view... but why? Don't you think that in this manner the number of plugins can increase in an unnecessary way?

I remember the time when I was a user of "another pf-based firewall" and watched the number of plugins increase till the project's leaders started to reject new plugins...

Probably I'll use a forked version of this plugin with nxtoolng embedded to make our life here easier.. :-)

Anyway... You're doing excellent work with this plugin!!

Cheers!

Cloudfence Open Source Team

Quote from: juliocbc on November 29, 2018, 09:51:04 PM
OK! I respect your point of view... but why? Don't you think that in this manner the number of plugins can increase in an unnecessary way?

Two reasons: extra dependencies I and many other users won't need (but have to install) and in case of an error I don't want to get the tickets / debug it.

Quote from: juliocbc on November 29, 2018, 09:51:04 PM
I remember the time when I was a user of "another pf-based firewall" and watched the number of plugins increase till the project's leaders started to reject new plugins...

What has this to do with me / OPNsense? Plugins are not rejected because there are many. They are for example rejected if there are some problems with licensing, poor quality or if the contributor is unable to maintain it (fix bugs) - at least until now.

Quote from: juliocbc on November 29, 2018, 09:51:04 PM
Probably I'll use a forked version of this plugin with nxtoolng embedded to make our life here easier.. :-)
Why should anyone do this? It is easier to create a nxtoolng plugin which embeds into the menu section without touching the nginx plugin. It can also have the nginx plugin (os-nginx or os-nginx-devel) as a dependency so it ensures that it will be installed.

Quote from: juliocbc on November 29, 2018, 09:51:04 PM
Anyway... You're doing excellent work with this plugin!!
Thanks for the compliment.

OK Fabian!

All your considerations are noted!! As I wrote, it's a question of point of view. It is not my goal to flame this thread!  ;D

So, the way we're using nxtool by now depends on an external elasticsearch server, so everything is in the testing stage and done by manual modification of configs. If everything works well, I'll try to do a plugin, with the community's support of course! If someone else doesn't get it done before.

Thanks again!
Cloudfence Open Source Team

@Fabian,

How can I whitelist an internal rule? Like this:

BasicRule wl:10;

I only had success putting this code directly into the nginx.conf file :)

Best regards
Carlos

This currently does not work, but it should be simple to support this feature with the new constraint (which will be in the next OPNsense release). The code was written when you had the possibility to generate an invalid blacklist entry, so some fields had to be mandatory.
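For readers following the thread, here is what Fabian's description (a whitelist whose id matches the block rule, attached to the location) and Carlos's `BasicRule wl:10;` look like as raw naxsi configuration. This is an added example, not output of the plugin or from either poster; the rule id 1002000, the argument name `path`, the `/upload` URL and the include path are constructed for the example.

```nginx
# http context: load naxsi's core rules and add one custom block (Main) rule.
# The include path is an assumption; the plugin's own location may differ.
http {
    include /usr/local/etc/nginx/naxsi_core.rules;

    # Constructed block rule: id 1002000 is not a naxsi core rule id.
    MainRule "str:/etc/passwd" "msg:local file read attempt"
             "mz:ARGS|BODY|URL" "s:$TRAVERSAL:8" id:1002000;

    server {
        listen 80;

        location / {
            SecRulesEnabled;                  # enforce; LearningMode would only log
            DeniedUrl "/RequestDenied";
            CheckRule "$TRAVERSAL >= 4" BLOCK;

            # Whitelist: the wl: id must equal the MainRule id it exempts.
            # The matchzone limits the exception to one argument on this
            # location; "BasicRule wl:1002000;" alone would disable the rule
            # for every argument, body and URL here.
            BasicRule wl:1002000 "mz:$ARGS_VAR:path";

            # Whitelisting an internal rule (id 10 is naxsi's "uncommon hex
            # encoding" check), as in the post above, but scoped to one URL
            # and to the request body instead of applying globally.
            BasicRule wl:10 "mz:$URL:/upload|BODY";
        }

        location /RequestDenied {
            return 403;
        }
    }
}
```

After reloading nginx, a request such as `GET /?path=/etc/passwd` is no longer scored by rule 1002000, while the same string in any other argument still raises `$TRAVERSAL` and is blocked by the CheckRule; the naxsi error log line for the blocked case still names the matching rule id, which is the value to reuse in a new wl: entry.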

Hi @Fabian,

I understood, let's wait for the next release :)
Thanks for clarifying.

Best regards
Carlos

If I have some time, this may go into 1.5, but you cannot apply it using opnsense-patch because it will probably not work due to the big changes between 1.3 and 1.5.