nginx generation improved

This commit is contained in:
fabriziosalmi
2025-01-16 13:49:54 +01:00
parent de35fec973
commit 1da19ed802
22 changed files with 515 additions and 1105 deletions


@@ -1,64 +1,27 @@
# Nginx WAF rules for ATTACK
location / {
set $attack_detected 0;
# Automatically generated from OWASP rules.
# Include this file in your server or location block.
if ($request_uri ~* "^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)") {
set $attack_detected 1;
}
if ($request_uri ~* "TX:paramcounter_(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "content-transfer-encoding:(.*)") {
set $attack_detected 1;
}
if ($request_uri ~* "[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:bhttp/d|<(?:html|meta)b)") {
set $attack_detected 1;
}
if ($request_uri ~* "^content-types*:s*(.*)$") {
set $attack_detected 1;
}
if ($request_uri ~* "(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d") {
set $attack_detected 1;
}
if ($request_uri ~* "[nr]") {
set $attack_detected 1;
}
if ($request_uri ~* "unix:[^|]*|") {
set $attack_detected 1;
}
if ($request_uri ~* "[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:") {
set $attack_detected 1;
}
if ($request_uri ~* "^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* ".") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
map $request_uri $waf_block_attack {
default 0;
"~*^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" 1;
"~*[nr]" 1;
"~*^content-types*:s*(.*)$" 1;
"~*content-transfer-encoding:(.*)" 1;
"~*(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" 1;
"~*@gt 1" 1;
"~*TX:paramcounter_(.*)" 1;
"~*@gt 0" 1;
"~*[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" 1;
"~*[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" 1;
"~*unix:[^|]*|" 1;
"~*." 1;
"~*(?:bhttp/d|<(?:html|meta)b)" 1;
}
if ($waf_block_attack) {
return 403;
# Log the blocked request (optional)
# access_log /var/log/nginx/waf_blocked.log;
}
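Review bot: The generated patterns have lost every regex escape, so `"~*[nr]" 1;` (and the matching `if ($request_uri ~* "[nr]")` block) matches any URI containing the letters n or r, `"~*." 1;` matches every non-empty URI, and `"~*unix:[^|]*|" 1;` ends in an empty alternative that matches everything — with any of these present the `return 403;` fires for practically all requests, which is a denial of service rather than a WAF rule; the same loss shows in `s*`, `b`, `d`, `W*?` and `[^sv,;]` where `\s`, `\b`, `\d`, `\W`, `\v` were clearly intended. Since the side markers did not survive rendering I cannot tell which of the two variants is the new one, but both carry the defect, so the fix belongs in the generator's string handling (the backslashes are being dropped somewhere between the CRS source and the emitted file) rather than in this output. `"~*@gt 0"`, `"~*@gt 1"` and `"~*TX:paramcounter_(.*)"` are ModSecurity operators and a transaction-variable reference, not regexes, and should be skipped by the generator instead of emitted as patterns. Separately, `map` is only valid in the `http` context, so the header comment `# Include this file in your server or location block.` cannot hold for the `map $request_uri $waf_block_attack` form; I would change it to `# Include the map block at http level and the if/return block in your server or location.` Note also that most of these rules inspect request headers such as Content-Type in the original ruleset, so matching them against `$request_uri` alone is presumably not what the generator intends — worth confirming.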