# Nginx WAF rules for ATTACK
# Automatically generated from OWASP rules.
# Include this file in your server or location block.

map $request_uri $waf_block_attack {
    default 0;
    "~*^content-types*:s*(.*)$" 1;
    "~*[nr]" 1;
    "~*." 1;
    "~*[rn]W*?(?:content-(?:type|length)|set-cookie|location):s*w" 1;
    "~*@gt 1" 1;
    "~*@gt 0" 1;
    "~*^[^sv,;]+[sv,;].*?(?:application/(?:.++)?json|(?:application/(?:soap+)?|text/)xml)" 1;
    "~*[nr]+(?:s|location|refresh|(?:set-)?cookie|(?:x-)?(?:forwarded-(?:for|host|server)|host|via|remote-ip|remote-addr|originating-IP))s*:" 1;
    "~*unix:[^|]*|" 1;
    "~*(?:bhttp/d|<(?:html|meta)b)" 1;
    "~*content-transfer-encoding:(.*)" 1;
    "~*^[^sv,;]+[sv,;].*?b(?:((?:tex|multipar)t|application)|((?:audi|vide)o|image|cs[sv]|(?:vn|relate)d|p(?:df|lain)|json|(?:soa|cs)p|x(?:ml|-www-form-urlencoded)|form-data|x-amf|(?:octe|repor)t|stream)|([+/]))b" 1;
    "~*TX:paramcounter_(.*)" 1;
    "~*(?:get|post|head|options|connect|put|delete|trace|track|patch|propfind|propatch|mkcol|copy|move|lock|unlock)s+[^s]+s+http/d" 1;
}

if ($waf_block_attack) {
    return 403;
    # Log the blocked request (optional)
    # access_log /var/log/nginx/waf_blocked.log;
}