# Nginx WAF rules for PHP
location / {
    set $attack_detected 0;

    if ($request_uri ~* "(?:<?(?:[^x]|x[^m]|xm[^l]|xml[^s]|xml$|$)|<?php|[(?:/|x5c)?php])") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "(?i)<?(?:=|php)?s+") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@pm =") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "(?:b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|$_(?:(?:pos|ge)t|session))b") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "AUTH_TYPE|HTTP_(?:ACCEPT(?:_(?:CHARSET|ENCODING|LANGUAGE))?|CONNECTION|(?:HOS|USER_AGEN)T|KEEP_ALIVE|(?:REFERE|X_FORWARDED_FO)R)|ORIG_PATH_INFO|PATH_(?:INFO|TRANSLATED)|QUERY_STRING|REQUEST_URI") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@pm ?>") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "(?i)php://(?:std(?:in|out|err)|(?:in|out)put|fd|memory|temp|filter)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* ".*.(?:phpd*|phtml)..*$") {
        set $attack_detected 1;
    }

    if ($request_uri ~* ".*.ph(?:pd*|tml|ar|ps|t|pt).*$") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "(?:bzip2|expect|glob|ogg|(?:ph|r)ar|ssh2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?|z(?:ip|lib))://") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "[oOcC]:d+:\".+?\":d+:{.*}") {
        set $attack_detected 1;
    }

    if ($attack_detected = 1) {
        return 403;
    }
}