# Nginx WAF rules for ENFORCEMENT
# Automatically generated from OWASP rules.
# Include this file in your server or location block.

map $request_uri $waf_block_enforcement {
    default 0;
    "~*^.*$" 1;
    "~*@eq 1" 1;
    "~*@gt %{tx.arg_length}" 1;
    "~*(?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)" 1;
    "~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}" 1;
    "~*!@rx ^OPTIONS$" 1;
    "~*!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['\"w.()+,/:=?<>@#*-]+)*$" 1;
    "~*@within %{tx.restricted_extensions}" 1;
    "~*%[0-9a-fA-F]{2}" 1;
    "~*!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^\"';=])*$" 1;
    "~*^(?i)multipart/form-data" 1;
    "~*(d+)-(d+)" 1;
    "~*['\";=]" 1;
    "~*@ge 1" 1;
    "~*@validateByteRange 9,10,13,32-126,128-255" 1;
    "~*!@pm AppleWebKit Android Business Enterprise Entreprise" 1;
    "~*@validateByteRange 1-255" 1;
    "~*!@rx ^d+$" 1;
    "~*^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}" 1;
    "~*@within %{tx.restricted_headers_extended}" 1;
    "~*^(?i)up" 1;
    "~*@streq POST" 1;
    "~*^$" 1;
    "~*@gt %{tx.total_arg_length}" 1;
    "~*@gt %{tx.max_file_size}" 1;
    "~*@gt 1" 1;
    "~*.([^.]+)$" 1;
    "~*@gt 50" 1;
    "~*@validateByteRange 32-36,38-126" 1;
    "~*b(?:keep-alive|close),s?(?:keep-alive|close)b" 1;
    "~*@contains #" 1;
    "~*!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$" 1;
    "~*@gt %{tx.combined_file_sizes}" 1;
    "~*@validateByteRange 38,44-46,48-58,61,65-90,95,97-122" 1;
    "~*(?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]" 1;
    "~*@eq 0" 1;
    "~*!@endsWith .pdf" 1;
    "~*!@streq JSON" 1;
    "~*charsets*=s*[\"']?([^;\"'s]+)" 1;
    "~*!@rx ^0?$" 1;
    "~*^(?i)application/x-www-form-urlencoded" 1;
    "~*@endsWith .pdf" 1;
    "~*!@rx ^0$" 1;
    "~*.[^.~]+~(?:/.*|)$" 1;
    "~*@gt 0" 1;
    "~*(?i)x5cu[0-9a-f]{4}" 1;
    "~*@validateByteRange 32,34,38,42-59,61,65-90,95,97-122" 1;
    "~*!@pm AppleWebKit Android" 1;
    "~*@within %{tx.restricted_headers_basic}" 1;
    "~*charset.*?charset" 1;
    "~*^[^;s]+" 1;
    "~*@validateUtf8Encoding" 1;
    "~*@gt %{tx.arg_name_length}" 1;
    "~*!@rx ^(?:OPTIONS|CONNECT)$" 1;
    "~*@validateUrlEncoding" 1;
    "~*@gt %{tx.max_num_args}" 1;
    "~*^(?:GET|HEAD)$" 1;
    "~*%u[fF]{2}[0-9a-fA-F]{2}" 1;
    "~*x25" 1;
}

if ($waf_block_enforcement) {
    return 403;
    # Log the blocked request (optional)
    # access_log /var/log/nginx/waf_blocked.log;
}