patterns/waf_patterns/caddy/rce.conf

@block_rce {
    path_regexp rce "(?i)(@lt 1|@lt 1|@rx (?i)(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:7["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[arx])?|(?:(?:b["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|x)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z|h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|[ckz]["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h|d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?f|e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:n["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?v|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?h)|f["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[dg]|g["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:[&,<>|]|(?:[--.0-9A-Z_a-z]["'[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#*-0-9?-@_a-{]*)?x5c?)+[sv&,<>|]).*|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?g)|i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?b|l["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:s|z["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:4|[sv&),<>|].*))|p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:h["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|x["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?z)|r["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?c(?:["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*)?|s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?(?:c["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|(?:e["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d|(?:s["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?)?h)["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?[sv&),<>|].*|v["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?n)|u["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?d["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?p|w["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?3["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m)b|@rx (?i)(?:t["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?i["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?m["')[-x5c]*(?:(?:(?:|||&&)[sv]*)?$[!#(*-0-9?-@_a-{]*)?x5c?e|[nr;`{]|||?|&&?|$(?:((?|{)|[<>](|([sv]*))[sv]*(?:[${]|(?:[sv]*(|!)[sv]*|[0-9A-Z_a-z]+=(?:[^sv]*|$(?:.*|.*)|[<>].*|'.*'|".*")[sv]+)*[sv]*["']*(?:["'-+--9?A-]_a-z|]+/)?["'x5c]*(?:(?:HEAD|POST|y(?:arn|elp))[sv&)<>|]|a(?:dd(?:group|user)|getty|l(?:ias|pine)[sv&)<>|]|nsible-playbook|pt(?:-get|itude[sv&)<>|])|r(?:ch[sv&)<>|]|ia2c)|s(?:cii(?:-xfr|85)|pell)|tobm|xel)|b(?:a(?:s(?:e(?:32|64|n(?:ame[sv&)<>|]|c))|h[sv&)<>|])|tch[sv&)<>|])|lkid|pftrace|r(?:eaksw|idge[sv&)<>|])|sd(?:cat|iff|tar)|u(?:iltin|n(?:dler[sv&)<>|]|zip2)|s(?:ctl|ybox))|y(?:ebug|obu)|z(?:c(?:at|mp)|diff|e(?:grep|xe)|f?grep|ip2(?:recover)?|less|more))|c(?:a(?:ncel|psh)[sv&)<>|]|ertbot|h(?:attr|(?:dir|root)[sv&)<>|]|eck_(?:by_ssh|cups|log|memory|raid|s(?:sl_cert|tatusfile))|(?:flag|pas)s|g(?:passwd|rp)|mod|o(?:om|wn)|sh)|lang(?:[sv&)<>|]|++)|o(?:(?:b|pro)c|lumn[sv&)<>|]|m(?:m(?:and[sv&)<>|])?|p(?:oser|r
}
respond @block_rce 403
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024] 2024-12-21 00:30:30 +00:00			`@block_rce {`
Update: [Sun Dec 29 23:20:18 UTC 2024] 2024-12-29 23:20:18 +00:00			path_regexp rce "(?i)(@lt 1\|@lt 1\|@rx (?i)(?:t["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?i["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?m["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?e\|[nr;`{]\|\|\|?\|&&?\|$(?:((?\|{)\|[<>](\|([sv]))[sv](?:[${]\|(?:[sv](\|!)[sv]\|[0-9A-Z_a-z]+=(?:[^sv]\|$(?:.\|.)\|[<>].\|'.'\|".")[sv]+)[sv]["'](?:["'-+--9?A-]_a-z\|]+/)?["'x5c](?:7["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?z(?:["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?[arx])?\|(?:(?:b["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?z\|x)["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?z\|h["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?u["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?p)["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?[sv&),<>\|].\|[ckz]["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?s["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?h\|d["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?f\|e["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:n["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?v\|s["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?h)\|f["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?[dg]\|g["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:c["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?c["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:[&,<>\|]\|(?:[--.0-9A-Z_a-z]["'[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#-0-9?-@_a-{])?x5c?)+[sv&,<>\|]).\|p["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?g)\|i["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?r["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?b\|l["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:s\|z["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:4\|[sv&),<>\|].))\|p["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:h["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?p["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?[sv&),<>\|].\|w["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?d\|x["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?z)\|r["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?c(?:["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?p["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?[sv&),<>\|].)?\|s["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?(?:c["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?p\|(?:e["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?d\|(?:s["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?)?h)["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?[sv&),<>\|].\|v["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?n)\|u["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?d["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?p\|w["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?3["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?m)b\|@rx (?i)(?:t["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?i["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?m["')[-x5c](?:(?:(?:\|\|\|&&)[sv])?$[!#(-0-9?-@_a-{])?x5c?e\|[nr;`{]\|\|\|?\|&&?\|$(?:((?\|{)\|[<>](\|([sv]))[sv](?:[${]\|(?:[sv](\|!)[sv]\|[0-9A-Z_a-z]+=(?:[^sv]\|$(?:.\|.)\|[<>].\|'.'\|".")[sv]+)[sv]["'](?:["'-+--9?A-]_a-z\|]+/)?["'x5c](?:(?:HEAD\|POST\|y(?:arn\|elp))[sv&)<>\|]\|a(?:dd(?:group\|user)\|getty\|l(?:ias\|pine)[sv&)<>\|]\|nsible-playbook\|pt(?:-get\|itude[sv&)<>\|])\|r(?:ch[sv&)<>\|]\|ia2c)\|s(?:cii(?:-xfr\|85)\|pell)\|tobm\|xel)\|b(?:a(?:s(?:e(?:32\|64\|n(?:ame[sv&)<>\|]\|c))\|h[sv&)<>\|])\|tch[sv&)<>\|])\|lkid\|pftrace\|r(?:eaksw\|idge[sv&)<>\|])\|sd(?:cat\|iff\|tar)\|u(?:iltin\|n(?:dler[sv&)<>\|]\|zip2)\|s(?:ctl\|ybox))\|y(?:ebug\|obu)\|z(?:c(?:at\|mp)\|diff\|e(?:grep\|xe)\|f?grep\|ip2(?:recover)?\|less\|more))\|c(?:a(?:ncel\|psh)[sv&)<>\|]\|ertbot\|h(?:attr\|(?:dir\|root)[sv&)<>\|]\|eck_(?:by_ssh\|cups\|log\|memory\|raid\|s(?:sl_cert\|tatusfile))\|(?:flag\|pas)s\|g(?:passwd\|rp)\|mod\|o(?:om\|wn)\|sh)\|lang(?:[sv&)<>\|]\|++)\|o(?:(?:b\|pro)c\|lumn[sv&)<>\|]\|m(?:m(?:and[sv&)<>\|])?\|p(?:oser\|r
Automated update: OWASP CRS to Caddy and Nginx WAF rules [Sat Dec 21 00:30:30 UTC 2024] 2024-12-21 00:30:30 +00:00			`}`
			`respond @block_rce 403`