# Nginx WAF rules for PHP
# Automatically generated from OWASP rules.
# Include this file in your server or location block.

map $request_uri $waf_block_php {
    default 0;
    "~*@pm =" 1;
    "~*@pm ?>" 1;
    "~*AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI" 1;
    "~*(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)" 1;
    "~*.*.(?:phpd*|phtml)..*$" 1;
    "~*(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b" 1;
    "~*(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])" 1;
    "~*.*.ph(?:pd*|tml|ar|ps|t|pt).*$" 1;
    "~*[oOcC]:d+:\".+?\":d+:{.*}" 1;
    "~*(?i)<?(?:=|php)?s+" 1;
    "~*(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://" 1;
}

if ($waf_block_php) {
    return 403;
    # Log the blocked request (optional)
    # access_log /var/log/nginx/waf_blocked.log;
}