nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 since 23.1.10_1

[shproto]

hi,
using:
OPNsense 23.1.10_1-amd64 ( from hardware appliance )

service nginx not starting since last OPNsense  update

root@fw:~ # service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:51
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1500 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:51
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx

Naxsi-Config : MainRule id:1500 is

    MainRule id:1500 "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$policycd6d033b9a494994a4f73375c23b214e:8";

plz see attachment ( screen nginx 's conf )

thx &
Best Regards

[shproto]

same pb with line 81 after i'v  commented line 51

root@fw:~ # /usr/sbin/service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:81
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
Starting nginx.
nginx: [emerg] Naxsi-Config : Incorrect line MainRule id:1000 (/usr/obj/usr/ports/www/nginx/work/naxsi-29793dc/naxsi_src/naxsi_skeleton.c/973)... in /usr/local/etc/nginx/nginx.conf:81
/usr/local/etc/rc.d/nginx: WARNING: failed to start nginx

MainRule id:1000 "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|ARGS|URL|$HEADERS_VAR_X:Cookie" "s:$policye5cc303f2c4d419da82d91435bf7b
85b:4"

nginx start but with warning

Code: [Select]

root@fw:~ # /usr/sbin/service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
root@fw:~ # /usr/sbin/service nginx status
nginx is running as pid 42341.

[shproto]

issue

https://github.com/opnsense/plugins/issues/3480

wait & see now

[franco]

There is a test version now based on the new naxsi upstream version 1.4:

# opnsense-revert -z nginx

I appreciate all comments on this.


Cheers,
Franco

[shproto]

hi,
testing with, before , re-enabled line ( 51 & 81 )

MainRule id:1000 "rx..........
MainRule id:1500 "rx..........

root@fw:~ # opnsense-revert -z nginx
Fetching nginx.pkg: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20221213... done
nginx-1.24.0_6,3: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        nginx: 1.24.0_8,3

Number of packages to be installed: 1

The process will require 4 MiB more space.
[1/1] Installing nginx-1.24.0_8,3...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
Extracting nginx-1.24.0_8,3: 100%
=====
Message from nginx-1.24.0_8,3:

--
Recent version of the NGINX introduces dynamic modules support.  In
FreeBSD ports tree this feature was enabled by default with the DSO
knob.  Several vendor's and third-party modules have been converted
to dynamic modules.  Unset the DSO knob builds an NGINX without
dynamic modules support.

To load a module at runtime, include the new `load_module'
directive in the main context, specifying the path to the shared
object file for the module, enclosed in quotation marks.  When you
reload the configuration or restart NGINX, the module is loaded in.
It is possible to specify a path relative to the source directory,
or a full path, please see
https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/ and
http://nginx.org/en/docs/ngx_core_module.html#load_module for
details.

Default path for the NGINX dynamic modules is

/usr/local/libexec/nginx.
root@fw:~ # service nginx stop
Stopping nginx.
Waiting for PIDS: 63871.
root@fw:~ # service nginx start
/usr/local/etc/rc.d/nginx: WARNING: failed to setup nginx
Performing sanity check on nginx configuration:
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
root@fw:~ # service nginx status
nginx is running as pid 66182

2023/06/24 12:50:00 [warn] 79720#100103: could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
2023/06/24 12:50:00 [notice] 79720#100103: signal process started
root@fw:/var/log/nginx # tail -100 error.log

root@fw:/usr/local/etc/nginx # find . -type f -name "*.conf" -exec grep hash {} /dev/null \;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:ip_hash;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;
./nginx.conf:           hash $remote_addr consistent;

root@fw:/usr/local/etc/nginx # nginx -V
nginx version: nginx/1.24.0
built with OpenSSL 1.1.1u  30 May 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx/error.log --user=www --group=www --with-compat --with-pcre --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --without-mail_smtp_module --with-mail_ssl_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/ngx_brotli-9aec15e --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/headers-more-nginx-module-33b646d --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/naxsi-1.4/naxsi_src --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/njs-0.7.12/nginx --add-dynamic-module=/usr/obj/usr/ports/www/nginx/work/nginx-module-vts-bf64dbf --with-ld-opt='-L /usr/local/lib'

root@fw:/usr/local/etc/nginx # cd /usr/local/libexec/nginx
root@fw:/usr/local/libexec/nginx # ls -latr
total 3136
drwxr-xr-x  10 root  wheel      512 Jun 23 06:23 ..
-r-xr-xr-x   1 root  wheel   171336 Jun 24 10:52 ngx_stream_module.so
-r-xr-xr-x   1 root  wheel   982968 Jun 24 10:52 ngx_stream_js_module.so
-r-xr-xr-x   1 root  wheel    88616 Jun 24 10:52 ngx_mail_module.so
-r-xr-xr-x   1 root  wheel    18816 Jun 24 10:52 ngx_http_xslt_filter_module.so
-r-xr-xr-x   1 root  wheel   172080 Jun 24 10:52 ngx_http_vhost_traffic_status_module.so
-r-xr-xr-x   1 root  wheel   567216 Jun 24 10:52 ngx_http_naxsi_module.so
-r-xr-xr-x   1 root  wheel  1001536 Jun 24 10:52 ngx_http_js_module.so
-r-xr-xr-x   1 root  wheel    25440 Jun 24 10:52 ngx_http_headers_more_filter_module.so
-r-xr-xr-x   1 root  wheel     9088 Jun 24 10:52 ngx_http_brotli_static_module.so
-r-xr-xr-x   1 root  wheel    14472 Jun 24 10:52 ngx_http_brotli_filter_module.so

[franco]

I've made an upstream patch and submitted it here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271963

[shproto]

great ! thx a lot  opnsense & naxsi 

[Grossartig]

Thank you both for testing this out for the rest of us. For those who haven't updated to 23.1.10 yet, should we stay on 23.1.9 for now, or is updating to .10 and then doing a

# opnsense-revert -z nginx

a safe choice?

Thanks!

[franco]

23.1.11 has the fix.


Cheers,
Franco