2024-12-21 00:30:30 +00:00
|
|
|
# Nginx WAF rules for ATTACK
|
2025-01-16 13:49:54 +01:00
|
|
|
# Automatically generated from OWASP rules.
|
|
|
|
|
# Include this file in your server or location block.
|
|
|
|
|
|
|
|
|
|
map $request_uri $waf_block_attack {
|
|
|
|
|
default 0;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*content-transfer-encoding:(.*)" 1;
|
2025-01-25 00:24:31 +00:00
|
|
|
"~*TX:paramcounter_(.*)" 1;
|
2025-01-26 00:25:41 +00:00
|
|
|
"~*[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" 1;
|
|
|
|
|
"~*^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" 1;
|
2025-01-25 00:24:31 +00:00
|
|
|
"~*@gt 0" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*^content-types*:s*(.*)$" 1;
|
2025-01-24 00:25:21 +00:00
|
|
|
"~*^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*(?:bhttp/d|<(?:html|meta)b)" 1;
|
|
|
|
|
"~*." 1;
|
|
|
|
|
"~*[nr]" 1;
|
|
|
|
|
"~*unix:[^|]*|" 1;
|
|
|
|
|
"~*@gt 1" 1;
|
|
|
|
|
"~*(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" 1;
|
|
|
|
|
"~*[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" 1;
|
2025-01-16 13:49:54 +01:00
|
|
|
}
|
2024-12-21 00:30:30 +00:00
|
|
|
|
2025-01-16 13:49:54 +01:00
|
|
|
if ($waf_block_attack) {
|
|
|
|
|
return 403;
|
|
|
|
|
# Log the blocked request (optional)
|
|
|
|
|
# access_log /var/log/nginx/waf_blocked.log;
|
2024-12-21 00:30:30 +00:00
|
|
|
}
|
2025-01-16 13:49:54 +01:00
|
|
|
|
