NAXSI WAF Configuration Not Applying

Started by agreenbhm, July 25, 2024, 05:17:24 PM

I'm trying to get NAXSI working with NGINX but I believe I'm running into a bug. I tried this on my running OPNsense 24.1 system and also on a fresh 24.7 VM to check whether the behaviour is reproducible.

I'm finding that the only NAXSI rules that take effect are the ones from the downloaded default rules file. Custom rules don't apply, and modifications to the default rules don't apply either. For example, I changed a rule's score from 4 to 8 (which should have caused the request to be blocked), but the request still goes through; default rules that already have a score of 8 are blocked as expected. I can see in the OPNsense config file (/conf/config.xml) that the updated values are stored, but I can't find anywhere that they are actually applied to NGINX. My generated NGINX config contains `SecRulesEnabled;`, but nothing that references my custom rules or my edits to the defaults. Reading through the template files, I get the impression that on save/apply the NAXSI settings in /conf/config.xml are supposed to be enumerated and rendered into the NGINX config via the templates, yet I see no evidence in the NGINX config that this happened. My guess is that the NAXSI .so loaded by NGINX is simply using the downloaded default rules file from the same directory and nothing else.

It's possible I have done something very wrong and broken things, but I'm leaning more towards this being a bug, as the setup seems relatively straightforward.  Can anyone either point me in the right direction or confirm it being a bug?  My config is below.  "server3.example.com" is the one that blocking is enabled for.


# configuration file /usr/local/etc/nginx/nginx.conf:
# Dynamic modules. NAXSI (the WAF) is loaded here, but it only acts inside
# locations that carry SecRulesEnabled (only server3.example.com below does).
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so;

# Worker processes drop to the unprivileged www user; the master stays root for
# binding :443 and reading the private keys under /usr/local/etc/nginx/key.
user www staff;
worker_processes 1;

# Global error log goes to syslog (local6) at warn level. Each vhost below sets
# its own error_log, which overrides this one for that vhost's traffic; NAXSI's
# per-request log lines are expected in those files (not visible in this listing).
#error_log  /var/log/nginx/error.log;
error_log  syslog:server=unix:/var/run/log,facility=local6,nohostname warn;

# Connection limit per worker; with worker_processes 1 this is the whole server's
# concurrent-connection ceiling.
events {
    worker_connections  1024;
}

http {
include       mime.types;



# Access-log formats. "anonymized" masks the client address; every vhost below
# uses "main", which records it. "main_ban" additionally logs the full URL.
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$host" sn="$server_name" '
                      'rt=$request_time '
                      'ua="$upstream_addr" us="$upstream_status" '
                      'ut="$upstream_response_time" ul="$upstream_response_length" '
                      'cs=$upstream_cache_status';
log_format  main_ban  '$remote_addr - $remote_user [$time_local] "$scheme://$host$request_uri" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
log_format  handshake   '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

#tcp_nopush     on;
# https intercept detection
# $tls_intercepted is computed by njs (ngx_functions.js, not part of this listing)
# and forwarded to backends as X-TLS-Client-Intercepted.
js_import /usr/local/opnsense/scripts/nginx/ngx_functions.js;
js_set $tls_intercepted ngx_functions.check_intercept;

# 200M should be big enough for file servers etc.
# NOTE(review): the vhosts use proxy_request_buffering on, so bodies up to this
# size are buffered locally (disk beyond memory buffers) before reaching the
# backend, and NAXSI parses them where it is enabled. Lower it per location
# where large uploads are not expected.
client_max_body_size 200M;
# NOTE(review): dynamic brotli/gzip compression is on for TLS-only vhosts. If a
# backend reflects attacker-controlled input next to secrets in a response body,
# this is the BREACH precondition; disable compression for such responses.
brotli_static on;
brotli on;
gzip_static on;
gzip on;
# Suppresses the nginx version in the Server header and on error pages.
server_tokens off;
sendfile Off;
default_type  application/octet-stream;
keepalive_timeout 60;

# WebSocket support: forward an Upgrade header, otherwise close per request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Map used in location.conf for proxy_ssl_name
# Name used for upstream SNI and, because the vhosts set proxy_ssl_verify on,
# for checking the upstream certificate: the client's SNI, or the client's Host
# header ($host) when no SNI was sent. Both are client-supplied, so the upstream
# certificate must carry every name a client can legitimately reach a vhost with.
map $ssl_server_name $upstream_sni_name {
    default $ssl_server_name;
    '' $host;
}

include http_post/*.conf;

# TODO add when core is ready for allowing nginx to serve the web interface
# include nginx_web.conf;




# UPSTREAM SERVERS
# One backend each, reached over HTTPS with certificate verification (see the
# proxy_ssl_* directives in the vhosts).
upstream upstream255b185d721747dfb5ac0b286420f7f8 {
server 172.25.25.244:443 weight=1;

}
upstream upstreame3a68f25739c4accb838951250e7b389 {
server 172.25.25.245:443 weight=1;

}


include opnsense_http_vhost_plugins/*.conf;

# server1.example.com: mTLS-protected reverse proxy to 172.25.25.244:443.
# NOTE(review): NAXSI is NOT active in this vhost. Its "location /" carries
# BasicRule/DeniedUrl but no SecRulesEnabled, and no CheckRule lines (which a
# bound WAF policy would render); compare server3.example.com below.
server {


    listen 443 ssl;
    http2 on;
    # Mutual TLS: every client must present a certificate chaining to this CA.
    ssl_client_certificate /usr/local/etc/nginx/key/server1.example.com_ca.pem;
    ssl_verify_client on;
    ssl_certificate_key /usr/local/etc/nginx/key/server1.example.com.key;
    ssl_certificate /usr/local/etc/nginx/key/server1.example.com.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
    # All suites are ECDHE. The trailing non-GCM entries (…-SHA384 / …-SHA256
    # without GCM) are TLS 1.2 CBC suites; drop them unless legacy clients need them.
    ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Tickets off: resumption only through the server-side cache, so there is no
    # long-lived ticket key to protect.
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;

    sendfile On;
    server_name  server1.example.com;

    # Requests whose headers exceed these buffers are rejected (431).
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    charset utf-8;
    # "main" records the client IP; the http-level "anonymized" format is unused here.
    access_log  /var/log/nginx/server1.example.com.access.log main;
    access_log  /var/log/nginx/tls_handshake.log handshake;
    error_log  /var/log/nginx/server1.example.com.error.log error;
    #include tls.conf;
    error_page 403 /opnsense_error_403.html;
    error_page 404 /opnsense_error_404.html;
    error_page 405 /waf_denied.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;

    location = /opnsense_error_403.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    # location to ban the host permanently
    # Whatever consumes $naxsi_extensive_log is not in this listing (presumably a
    # NAXSI logging directive in an included template); 0 here, 1 on server3.
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        access_log /var/log/nginx/perm_ban.access.log main_ban;
        internal;
        # 444 closes the connection without sending any response, so this header
        # is never actually emitted.
        add_header "Content-Type" "text/plain; charset=UTF-8" always;
        return 444;
    }
    error_page 418 = @permanentban;
    # Unlike the other error pages this one is not "internal", so it can be
    # requested directly; presumably kept that way for NAXSI's DeniedUrl — verify.
    location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    # ACME HTTP-01 challenges are handed in clear text to the local ACME client.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:43580;
    }
    # block based on User Agents defined in global http settings
    # User-Agent is client-chosen, so this is a nuisance filter, not an access
    # control. The match is case-insensitive and unanchored except for the bare
    # "Mozilla/x.y" entry; "libwww" already covers "libwww-perl".
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
        return 418;
    }
    # auth_request backend (OPNsense PHP). Nothing in this listing issues an
    # auth_request against it, so no location in this vhost is gated by it.
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "bbfb1db1-01ed-4194-94ef-62368001081e";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_param AUTH_SERVER "Local Database";
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }
    include bbfb1db1-01ed-4194-94ef-62368001081e_pre/*.conf;


# The NAXSI directives below are inert without SecRulesEnabled in this location.
location  / {
    # Whitelists NAXSI internal rule id 19; confirm which internal check that is
    # against the id table at the top of naxsi_core.rules before relying on it.
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    autoindex off;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    # Client-certificate identity is passed to the backend. proxy_set_header
    # overwrites any copy the client sent, but the backend must still accept
    # these headers only from this proxy.
    proxy_set_header X-Client-Dn $ssl_client_s_dn;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to a client-supplied X-Forwarded-For; only the last entry is trustworthy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
    proxy_read_timeout 120s;
    proxy_send_timeout 120s;
    proxy_ignore_client_abort off;
    # Whole request body (up to the http-level 200M) is buffered, spilling to disk
    # up to 1024m, before it is sent upstream.
    proxy_request_buffering on;
    proxy_max_temp_file_size 1024m;
    proxy_buffering on;
    proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
    # Upstream TLS is verified against the system bundle with a fixed name, so the
    # 172.25.25.244 certificate must chain to a CA in /etc/ssl/cert.pem and carry
    # server1.example.com.
    proxy_ssl_server_name on;
    proxy_ssl_name server1.example.com;
    proxy_ssl_session_reuse on;
    proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 1;
    proxy_store off;
    proxy_hide_header X-Powered-By;
    include ef0a7e0a-2b6b-4a9a-9db2-0a913753e8a4_post/*.conf;
}
    include bbfb1db1-01ed-4194-94ef-62368001081e_post/*.conf;

}

# server2.example.com: mTLS-protected reverse proxy to 172.25.25.245:443.
# Same shape as server1.example.com; differences: upstream SNI/verify name comes
# from the $upstream_sni_name map, and no explicit proxy read/send timeouts.
# NOTE(review): NAXSI is NOT active here either — "location /" has no
# SecRulesEnabled and no CheckRule lines.
server {


    listen 443 ssl;
    http2 on;
    # Mutual TLS: every client must present a certificate chaining to this CA.
    ssl_client_certificate /usr/local/etc/nginx/key/server2.example.com_ca.pem;
    ssl_verify_client on;
    ssl_certificate_key /usr/local/etc/nginx/key/server2.example.com.key;
    ssl_certificate /usr/local/etc/nginx/key/server2.example.com.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
    # ECDHE only; the non-GCM tail entries are TLS 1.2 CBC suites (compatibility).
    ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;

    sendfile On;
    server_name  server2.example.com;

    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    charset utf-8;
    access_log  /var/log/nginx/server2.example.com.access.log main;
    access_log  /var/log/nginx/tls_handshake.log handshake;
    error_log  /var/log/nginx/server2.example.com.error.log error;
    #include tls.conf;
    error_page 403 /opnsense_error_403.html;
    error_page 404 /opnsense_error_404.html;
    error_page 405 /waf_denied.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;

    location = /opnsense_error_403.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    # location to ban the host permanently
    # Consumer of $naxsi_extensive_log is not in this listing (presumably a NAXSI
    # logging directive in an included template).
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        access_log /var/log/nginx/perm_ban.access.log main_ban;
        internal;
        # 444 closes the connection without a response; this header is never sent.
        add_header "Content-Type" "text/plain; charset=UTF-8" always;
        return 444;
    }
    error_page 418 = @permanentban;
    # Not "internal" (unlike the other error pages), so directly requestable.
    location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    # ACME HTTP-01 challenges are handed in clear text to the local ACME client.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:43580;
    }
    # block based on User Agents defined in global http settings
    # User-Agent is client-chosen: a nuisance filter, not an access control.
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
        return 418;
    }
    # auth_request backend; no auth_request directive in this listing uses it.
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "d9f9ba66-d5a7-4047-b3c8-b1fda9cabcdf";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_param AUTH_SERVER "Local Database";
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }
    include d9f9ba66-d5a7-4047-b3c8-b1fda9cabcdf_pre/*.conf;


# NAXSI directives below are inert without SecRulesEnabled in this location.
location  / {
    # Whitelists NAXSI internal rule id 19; check the id table in naxsi_core.rules.
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    autoindex off;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    # Client-certificate identity for the backend; it must trust these headers
    # only when they arrive from this proxy.
    proxy_set_header X-Client-Dn $ssl_client_s_dn;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; only the last hop is trustworthy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
    # No proxy_read_timeout/proxy_send_timeout here: nginx defaults (60s) apply.
    proxy_ignore_client_abort off;
    proxy_request_buffering on;
    proxy_max_temp_file_size 1024m;
    proxy_buffering on;
    proxy_pass https://upstreame3a68f25739c4accb838951250e7b389;
    # The upstream SNI and certificate-verification name is client-derived (SNI,
    # or Host header when SNI is absent) via the http-level map, so the
    # 172.25.25.245 certificate must carry every name this vhost can be reached by.
    proxy_ssl_server_name on;
    proxy_ssl_name $upstream_sni_name;
    proxy_ssl_session_reuse on;
    proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 1;
    proxy_store off;
    proxy_hide_header X-Powered-By;
    include d1284175-c02a-42af-8f46-816febe0be94_post/*.conf;
}
    include d9f9ba66-d5a7-4047-b3c8-b1fda9cabcdf_post/*.conf;

}

# server3.example.com: the only vhost with NAXSI switched on. Unlike the other two
# it does NOT require a client certificate, and it proxies to the SAME backend as
# server1.example.com (172.25.25.244, SNI server1.example.com) for the
# /sdk/testing and /php/testing prefixes.
# NOTE(review): that makes this an unauthenticated path to a backend that is
# otherwise only reachable behind server1's mTLS; make sure the backend does not
# rely on the proxy's mTLS for those prefixes (this location also does not send
# X-Client-Dn / X-Client-Verify).
# NOTE(review): SecRulesEnabled is present but there are no CheckRule lines, which
# is what an assigned WAF policy is expected to render — without them NAXSI
# scores requests but has no threshold to act on.
server {


    listen 443 ssl;
    http2 on;
    # No ssl_client_certificate / ssl_verify_client: anonymous TLS clients accepted.
    ssl_certificate_key /usr/local/etc/nginx/key/server3.example.com.key;
    ssl_certificate /usr/local/etc/nginx/key/server3.example.com.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
    # ECDHE only; the non-GCM tail entries are TLS 1.2 CBC suites (compatibility).
    ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;
    ssl_stapling off;

    sendfile On;
    server_name  server3.example.com;

    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    charset utf-8;
    access_log  /var/log/nginx/server3.example.com.access.log main;
    access_log  /var/log/nginx/tls_handshake.log handshake;
    # "info" here (vs "error" on the other vhosts): more verbose, useful while
    # debugging NAXSI, noisy in production.
    error_log  /var/log/nginx/server3.example.com.error.log info;
    #include tls.conf;
    # All listed error statuses are rewritten to 200 with one generic page. This
    # hides error detail from clients, but it also means $status in the access log
    # no longer distinguishes a block/denial from a successful request — key
    # detection on the NAXSI error-log lines, not on $status.
    error_page 400 401 403 404 405 407 408 410 415 429 431 500 501 502 503 504 =200 /error_770ce3fdc609422d96c5f0894f407fac.html;
    location = /error_770ce3fdc609422d96c5f0894f407fac.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    # location to ban the host permanently
    # Consumer of $naxsi_extensive_log is not in this listing; 1 = extended NAXSI
    # logging is presumably enabled for this vhost — confirm in the template.
    set $naxsi_extensive_log 1;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        access_log /var/log/nginx/perm_ban.access.log main_ban;
        internal;
        # 444 closes the connection without a response; this header is never sent.
        add_header "Content-Type" "text/plain; charset=UTF-8" always;
        return 444;
    }
    error_page 418 = @permanentban;
    # Directly requestable (not "internal"); not referenced by this vhost's
    # DeniedUrl, which points at the generic error page instead.
    location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    # ACME HTTP-01 challenges are handed in clear text to the local ACME client.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:43580;
    }
    # block based on User Agents defined in global http settings
    # User-Agent is client-chosen: a nuisance filter, not an access control.
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
        return 418;
    }
    # auth_request backend; no auth_request directive in this listing uses it.
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "dd6d7666-2aa0-42fd-825c-9fdc3f0c0b29";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_param AUTH_SERVER "Local Database";
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }
    include dd6d7666-2aa0-42fd-825c-9fdc3f0c0b29_pre/*.conf;


# Case-insensitive regex location: only these two prefixes are proxied. There is
# no "location /", so anything else falls through to nginx's default handler
# (no root configured here) and, in practice, the generic error page.
location ~* ^/(sdk/testing|php/testing) {
    # NAXSI on for this location. Rules come from the included/templated rule
    # files; the policy thresholds (CheckRule ...) that turn scores into BLOCK
    # decisions are not present in this listing.
    SecRulesEnabled;
    # Whitelists NAXSI internal rule id 19; check the id table in naxsi_core.rules.
    BasicRule wl:19;
    DeniedUrl "/error_770ce3fdc609422d96c5f0894f407fac.html";
    error_page 400 401 403 404 405 407 408 410 415 429 431 500 501 502 503 504 =200 /error_770ce3fdc609422d96c5f0894f407fac.html;
    autoindex off;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    # No X-Client-Dn / X-Client-Verify here (no client certificate on this vhost);
    # if the backend reads those headers it must not default to "trusted" when
    # they are absent.
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; only the last hop is trustworthy.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
    proxy_read_timeout 120s;
    proxy_send_timeout 120s;
    proxy_ignore_client_abort off;
    # Full request body is buffered (NAXSI needs it to inspect POST data) before
    # it is forwarded; up to the http-level 200M, spilling to disk up to 1024m.
    proxy_request_buffering on;
    proxy_max_temp_file_size 1024m;
    proxy_buffering on;
    # Same backend and SNI name as server1.example.com's "location /".
    proxy_pass https://upstream255b185d721747dfb5ac0b286420f7f8;
    proxy_ssl_server_name on;
    proxy_ssl_name server1.example.com;
    proxy_ssl_session_reuse on;
    proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 1;
    proxy_store off;
    proxy_hide_header X-Powered-By;
    include 3f472f02-27eb-4f1b-ba12-2ef72215f8a0_post/*.conf;
}
    include dd6d7666-2aa0-42fd-825c-9fdc3f0c0b29_post/*.conf;

}

}
# TCP/UDP proxy context. It mirrors the HTTP upstreams but declares no server {}
# of its own in this listing; any stream listeners would have to come from the
# included plugin snippets.
stream {
    # LOG FORMATS
    log_format main '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';
    log_format anonymized ':: [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';

    # UPSTREAM SERVERS
    # Same backends as in the http context (separate namespace, so no clash).
    upstream upstream255b185d721747dfb5ac0b286420f7f8 {
        server 172.25.25.244:443 weight=1;
    }
    upstream upstreame3a68f25739c4accb838951250e7b389 {
        server 172.25.25.245:443 weight=1;
    }

    # upstream maps


    include opnsense_stream_vhost_plugins/*.conf;

}
# mail {
# }

# configuration file /usr/local/etc/nginx/mime.types:
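# Extension -> MIME type table (mime.types). Each entry is "type ext [ext...];".
# Fix: the audio/opus entry lacked its terminating ';', so nginx parsed the next
# line as a continuation and mapped "audio/speex" and "spx" to audio/opus as well.
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;
    application/gzip                                 gz;
    application/xz                                   xz;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg oga;
    audio/opus                                       opus;
    audio/speex                                      spx;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;
    audio/flac                                       flac;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/ogg                                        ogv;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}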

# configuration file /usr/local/etc/nginx/opnsense_http_vhost_plugins/vts.conf:
# Traffic-status (VTS) export. Served only on a local unix socket, so it is not
# network-reachable; anyone who can read the socket gets per-vhost and upstream
# statistics (including backend addresses). "bypass_stats" keeps these requests
# out of the counters themselves.
vhost_traffic_status_zone shared:vhost_traffic_status:20m;
server {
    listen unix:/var/run/nginx_status.sock;
    location /vts {
        vhost_traffic_status_bypass_stats on;
        vhost_traffic_status_display;
        vhost_traffic_status_display_format json;
    }
}

# configuration file /usr/local/etc/nginx/fastcgi_params:

# Standard CGI environment for FastCGI backends. Included by each vhost's
# /opnsense-auth-request location after its own TLS-* and Original-* params;
# the PHP script therefore sees the client address and the request URI it is
# asked to authorize.
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
# Exposes the nginx version to the backend only (not to clients; server_tokens is off).
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

Hi.
You need to create WAF rule(s), group them into a WAF policy (or policies), and then assign that policy to the Location(s). Enabling security rules on a Location by itself is not enough — without an assigned policy NAXSI has no thresholds to act on.
Has this been done?

July 28, 2024, 12:22:47 AM #2 Last Edit: July 28, 2024, 12:28:05 AM by agreenbhm
Yes, I created a single custom rule and a single policy, and assigned that rule to the policy. The policy is configured for the location. I also tried downloading the default rules and policies and modifying one of the rules. Both tests resulted in the behavior I described.

Apparently I'm an idiot and hadn't actually selected the policy on the Location — I had only enabled security rules there. I could have sworn I did, but looking at my setup again and attaching the policy to the Location made it finally work. Embarrassing mistake... (In hindsight the generated config above shows it: the location has `SecRulesEnabled;` but no `CheckRule` lines, which is presumably what a bound policy renders, so nothing was ever compared against a blocking threshold.)