nginx generation improved

2025-12-29 16:15:12 +00:00 · 2025-01-16 13:49:54 +01:00
parent de35fec973
commit 1da19ed802
22 changed files with 515 additions and 1105 deletions
--- a/waf_patterns/nginx/php.conf
+++ b/waf_patterns/nginx/php.conf
@@ -1,52 +1,25 @@
 # Nginx WAF rules for PHP
-location / {
-    set $attack_detected 0;
+# Automatically generated from OWASP rules.
+# Include this file in your server or location block.

-    if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?i)<?(?:=|php)?s+") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* ".*.(?:phpd*|phtml)..*$") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@pm =") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "[oOcC]:d+:\".+?\":d+:{.*}") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "@pm ?>") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
-        set $attack_detected 1;
-    }
-
-    if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
-        set $attack_detected 1;
-    }
-
-    if ($attack_detected = 1) {
-        return 403;
-    }
+map $request_uri $waf_block_php {
+    default 0;
+    "~*(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" 1;
+    "~*(?i)<?(?:=|php)?s+" 1;
+    "~*(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" 1;
+    "~*(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" 1;
+    "~*(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" 1;
+    "~*@pm ?>" 1;
+    "~*.*.(?:phpd*|phtml)..*$" 1;
+    "~*.*.ph(?:pd*|tml|ar|ps|t|pt).*$" 1;
+    "~*AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" 1;
+    "~*[oOcC]:d+:\".+?\":d+:{.*}" 1;
+    "~*@pm =" 1;
 }
+
+if ($waf_block_php) {
+    return 403;
+    # Log the blocked request (optional)
+    # access_log /var/log/nginx/waf_blocked.log;
+}
+