WAF violation status code 403

Started by wickeren, May 01, 2023, 07:27:34 PM

Is there a way to let nginx give a status code of 403 in case of violation of the NAXSI rules?
Some security scanners now can't detect a WAF and flag that as a security issue. The cause seems to be the 200 response instead of a 403, even if the request is actually denied. Setting a custom violation error page won't work either, because "Only the page content itself is used. Status code rewriting and redirection is not supported".

Any ideas how to get a 403?

May 02, 2023, 03:45:45 PM #1 Last Edit: May 02, 2023, 04:23:35 PM by wickeren
OK, I can see in the config:

location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
}

If I add return 403; it works as expected; the WAF is detected fine by different security scanners.

But it's overwritten/deleted every time I hit Apply in the GUI.
Is there any way to make a permanent custom config? Or any other way to add the return 403; ?

Or even better: add a "Violation status code" setting in the GUI for setting the required status code.

No idea how to return a more formally correct status 403 for a WAF violation?
Unlike in haproxy, is there no such thing in NGINX to do custom options?

Looks like a reasonable idea IMHO,
but so far I cannot offer other options except for adding a
  return 403;
line to the http.conf template after line https://github.com/opnsense/plugins/blob/ec4d29100ccf3117fb68c341c8749cf1f1ba3b66/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L251.
It won't survive a plugin update.
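The two posts above describe the same manual fix (drop a return 403; into the location = /waf_denied.html block, either in the rendered config or in the plugin's http.conf template) and the reason it is wanted (scanners only recognise the WAF when the denial carries a 403). The script below is an added example written for this thread, not code from the poster or from the OPNsense nginx plugin. add_return_403 applies that edit as an idempotent filter so it can be re-run after the template is overwritten by a plugin update; probe_waf sends a request that NAXSI's default core rules score as XSS and reports the status code a scanner would see. The template path in the usage comment and the hostname are assumptions, and the probe assumes the site is not in NAXSI learning mode (a learning-mode site never blocks, so it answers 200 whatever the config says).

```shell
# Added example for the OPNsense/NAXSI 403 question; not plugin code.
#
# add_return_403: read an nginx config on stdin (the rendered http.conf or the
# plugin's Jinja template for it) and write it to stdout with "return 403;"
# inserted once into the "location = /waf_denied.html { ... }" block, just
# before its closing brace. A block that already has the line is left as is.
add_return_403() {
    awk '
        /^[[:space:]]*location[[:space:]]*=[[:space:]]*\/waf_denied\.html/ {
            inblock = 1; has_return = 0
        }
        inblock && /^[[:space:]]*return[[:space:]]+403;/ { has_return = 1 }
        inblock && /^[[:space:]]*}/ {
            if (!has_return) print "        return 403;"
            inblock = 0
        }
        { print }
    '
}

# True (exit 0) when a status code makes the WAF block visible to a scanner.
waf_denies_with_403() {
    [ "$1" = "403" ]
}

# probe_waf https://waf.example.org/      (hostname is a placeholder)
# Sends a GET whose query parameter carries "<script>", which NAXSI's core
# rules flag, and prints the status code: 403 means the denial is visible,
# 200 means the denied page was served with a success code (the behaviour
# the scanners complain about).
probe_waf() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -G \
        --data-urlencode 'q=<script>alert(1)</script>' "$1")
    echo "$code"
    waf_denies_with_403 "$code"
}

# Usage against the plugin template (assumed path on the OPNsense box; the
# edit is lost again on plugin update, as the reply above says, so keep the
# backup and re-run the filter afterwards, then hit Apply in the GUI):
#   t=/usr/local/opnsense/service/templates/OPNsense/Nginx/http.conf
#   cp "$t" "$t.orig" && add_return_403 < "$t.orig" > "$t"
```

One caveat worth knowing before relying on this: return 403; finishes the request before the HTML file under the location's root is ever read, so unless an error_page 403 directive applies to that location the body becomes nginx's built-in 403 page rather than the custom denied page. For the scanners in question that is fine, since they key on the status code, but anyone who customised the page content will notice.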

Thanks! I think I can live with that for now.
What's the best way to make suggestions so that things like this get embedded in a next version?