2024-12-21 00:30:30 +00:00
|
|
|
# Nginx WAF rules for ENFORCEMENT
|
2025-01-16 13:49:54 +01:00
|
|
|
# Automatically generated from OWASP rules.
|
|
|
|
|
# Include this file in your server or location block.
|
|
|
|
|
|
|
|
|
|
map $request_uri $waf_block_enforcement {
|
|
|
|
|
default 0;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@streq POST" 1;
|
|
|
|
|
"~*^$" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@gt %{tx.max_file_size}" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@gt 50" 1;
|
|
|
|
|
"~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" 1;
|
|
|
|
|
"~*%[0-9a-fA-F]{2}" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*!@rx ^(?:OPTIONS|CONNECT)$" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*%u[fF]{2}[0-9a-fA-F]{2}" 1;
|
|
|
|
|
"~*@gt 1" 1;
|
|
|
|
|
"~*@eq 1" 1;
|
|
|
|
|
"~*@gt 0" 1;
|
|
|
|
|
"~*(d+)-(d+)" 1;
|
|
|
|
|
"~*!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" 1;
|
|
|
|
|
"~*@endsWith .pdf" 1;
|
|
|
|
|
"~*@validateByteRange 9,10,13,32-126,128-255" 1;
|
|
|
|
|
"~*@validateUtf8Encoding" 1;
|
|
|
|
|
"~*!@endsWith .pdf" 1;
|
|
|
|
|
"~*!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" 1;
|
|
|
|
|
"~*!@rx ^d+$" 1;
|
|
|
|
|
"~*^(?:GET|HEAD)$" 1;
|
|
|
|
|
"~*(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" 1;
|
|
|
|
|
"~*.[^.~]+~(?:/.*|)$" 1;
|
|
|
|
|
"~*charsets*=s*[\"']?([^;\"'s]+)" 1;
|
|
|
|
|
"~*@validateUrlEncoding" 1;
|
|
|
|
|
"~*(?i)x5cu[0-9a-f]{4}" 1;
|
|
|
|
|
"~*!@rx ^0?$" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@ge 1" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@gt %{tx.arg_length}" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" 1;
|
|
|
|
|
"~*@within %{tx.restricted_extensions}" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@within %{tx.restricted_headers_basic}" 1;
|
|
|
|
|
"~*b(?:keep-alive|close),s?(?:keep-alive|close)b" 1;
|
|
|
|
|
"~*@contains #" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@gt %{tx.total_arg_length}" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*.([^.]+)$" 1;
|
|
|
|
|
"~*@gt %{tx.max_num_args}" 1;
|
|
|
|
|
"~*!@pm AppleWebKit Android" 1;
|
|
|
|
|
"~*!@pm AppleWebKit Android Business Enterprise Entreprise" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@validateByteRange 1-255" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@eq 0" 1;
|
|
|
|
|
"~*!@rx ^OPTIONS$" 1;
|
|
|
|
|
"~*^[^;s]+" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*!@streq JSON" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@validateByteRange 32-36,38-126" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" 1;
|
|
|
|
|
"~*(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@within %{tx.restricted_headers_extended}" 1;
|
2025-01-27 00:26:20 +00:00
|
|
|
"~*['\";=]" 1;
|
2025-01-28 00:25:35 +00:00
|
|
|
"~*@gt %{tx.arg_name_length}" 1;
|
|
|
|
|
"~*x25" 1;
|
|
|
|
|
"~*!@rx ^0$" 1;
|
|
|
|
|
"~*@gt %{tx.combined_file_sizes}" 1;
|
|
|
|
|
"~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" 1;
|
|
|
|
|
"~*^.*$" 1;
|
|
|
|
|
"~*charset.*?charset" 1;
|
2025-01-16 13:49:54 +01:00
|
|
|
}
|
2024-12-21 00:30:30 +00:00
|
|
|
|
2025-01-16 13:49:54 +01:00
|
|
|
if ($waf_block_enforcement) {
|
|
|
|
|
return 403;
|
|
|
|
|
# Log the blocked request (optional)
|
|
|
|
|
# access_log /var/log/nginx/waf_blocked.log;
|
2024-12-21 00:30:30 +00:00
|
|
|
}
|
2025-01-16 13:49:54 +01:00
|
|
|
|
