patterns/waf_patterns/nginx/php.conf

# Nginx WAF rules for PHP
# Automatically generated from OWASP rules.
# Include this file in your server or location block.

map $request_uri $waf_block_php {
    default 0;
    "~*(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" 1;
    "~*(?i)<?(?:=|php)?s+" 1;
    "~*(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" 1;
    "~*(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" 1;
    "~*(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" 1;
    "~*@pm ?>" 1;
    "~*.*.(?:phpd*|phtml)..*$" 1;
    "~*.*.ph(?:pd*|tml|ar|ps|t|pt).*$" 1;
    "~*AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" 1;
    "~*[oOcC]:d+:\".+?\":d+:{.*}" 1;
    "~*@pm =" 1;
}

if ($waf_block_php) {
    return 403;
    # Log the blocked request (optional)
    # access_log /var/log/nginx/waf_blocked.log;
}
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024] 2024-12-21 00:30:30 +00:00			`# Nginx WAF rules for PHP`
nginx generation improved 2025-01-16 13:49:54 +01:00			`# Automatically generated from OWASP rules.`
			`# Include this file in your server or location block.`

			`map $request_uri $waf_block_php {`
			`default 0;`
			`"~*(?:b(?:f(?:tp_(?:nb_)?f?(?:ge\|pu)t\|get(?:s?s\|c)\|scanf\|write\|open\|read)\|gz(?:(?:encod\|writ)e\|compress\|open\|read)\|s(?:ession_start\|candir)\|read(?:(?:gz)?file\|dir)\|move_uploaded_file\|(?:proc_\|bz)open\|call_user_func)\|$_(?:(?:pos\|ge)t\|session))b" 1;`
			`"~*(?i)<?(?:=\|php)?s+" 1;`
			`"~*(?:<?(?:[^x]\|x[^m]\|xm[^l]\|xml[^s]\|xml$\|$)\|<?php\|[(?:/\|x5c)?php])" 1;`
			`"~*(?:bzip2\|expect\|glob\|ogg\|(?:ph\|r)ar\|ssh2(?:.(?:s(?:hell\|(?:ft\|c)p)\|exec\|tunnel))?\|z(?:ip\|lib))://" 1;`
			`"~*(?i)php://(?:std(?:in\|out\|err)\|(?:in\|out)put\|fd\|memory\|temp\|filter)" 1;`
			`"~*@pm ?>" 1;`
			`"~..(?:phpd\|phtml)..$" 1;`
			`"~..ph(?:pd\|tml\|ar\|ps\|t\|pt).$" 1;`
			`"~*AUTH_TYPE\|HTTP_(?:ACCEPT(?:_(?:CHARSET\|ENCODING\|LANGUAGE))?\|CONNECTION\|(?:HOS\|USER_AGEN)T\|KEEP_ALIVE\|(?:REFERE\|X_FORWARDED_FO)R)\|ORIG_PATH_INFO\|PATH_(?:INFO\|TRANSLATED)\|QUERY_STRING\|REQUEST_URI" 1;`
			`"~[oOcC]:d+:\".+?\":d+:{.}" 1;`
			`"~*@pm =" 1;`
			`}`
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024] 2024-12-21 00:30:30 +00:00
nginx generation improved 2025-01-16 13:49:54 +01:00			`if ($waf_block_php) {`
			`return 403;`
			`# Log the blocked request (optional)`
			`# access_log /var/log/nginx/waf_blocked.log;`
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024] 2024-12-21 00:30:30 +00:00			`}`
nginx generation improved 2025-01-16 13:49:54 +01:00