feat: Generate Nginx WAF config with separate map and rule files

This commit modifies the script to output two files: - waf_maps.conf (for http block) - waf_rules.conf (for server block) to avoid conflicts and provide more flexibility. This update should fix the bugged nginx rules integration on existing setups: https://github.com/fabriziosalmi/patterns/issues/8
2025-12-29 16:15:12 +00:00 · 2025-01-28 22:40:56 +01:00
parent eaf5714520
commit f1bae07d6c
6 changed files with 534 additions and 105 deletions
--- a/waf_patterns/nginx/waf_rules.conf
+++ b/waf_patterns/nginx/waf_rules.conf
@@ -0,0 +1,119 @@
+# Nginx WAF Rules
+# Automatically generated from OWASP rules.
+# Include this file inside server block
+
+  # WAF rules
+    if ($waf_block_initialization) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_attack) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_exceptions) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_rfi) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_lfi) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_enforcement) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_php) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_fixation) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_evaluation) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_sql) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_generic) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_leakages) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_java) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_xss) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_rce) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_sqli) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_iis) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_shells) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+
+    if ($waf_block_correlation) {
+      return 403;
+      # Log the blocked request (optional)
+      # access_log /var/log/nginx/waf_blocked.log;
+    }
+