External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/nginx/README.md
Fabrizio Salmi 6bcca53eae Fix CI workflow and clarify Nginx WAF usage 
- Remove redundant 'gh auth login' command in CI workflow (fixes exit code 1 error)
- Use GH_TOKEN env var instead of GITHUB_TOKEN for gh CLI
- Update Nginx README to clarify that individual category .conf files should not be included directly
- Document that users must use waf_maps.conf (http block) + waf_rules.conf (server block)

Fixes #17
2025-12-09 07:59:25 +01:00

36 lines
1.5 KiB
Markdown
Raw Permalink Blame History

# Nginx WAF Configuration
This directory contains Nginx WAF configuration files generated from OWASP rules.
You can include these files in your existing Nginx configuration to enhance security.
## Usage
**Important:** You should only include the two main configuration files (`waf_maps.conf` and `waf_rules.conf`). The individual category files (e.g., `attack.conf`, `xss.conf`) are provided for reference only and should **not** be included directly, as they contain both `map` and `if` directives that cannot be used in the same Nginx context.
1. Include the `waf_maps.conf` file in your `nginx.conf` *inside the `http` block*:
```nginx
http {
include /path/to/waf_patterns/nginx/waf_maps.conf;
# ... other http configurations ...
}
```
2. Include the `waf_rules.conf` file in your `server` block:
```nginx
server {
# ... other server configurations ...
include /path/to/waf_patterns/nginx/waf_rules.conf;
}
```
3. Reload Nginx to apply the changes:
```bash
sudo nginx -t && sudo systemctl reload nginx
```
## Notes
- The `map` directives (defined in `waf_maps.conf`) must be placed in the `http` context.
- The `if` rules (defined in `waf_rules.conf`) must be placed in a `server` or `location` context.
- **Do not** try to include individual category files like `attack.conf` directly - they are auto-generated for reference and viewing purposes only.
- Blocked requests return a `403 Forbidden` response by default.
- You can enable logging for blocked requests by uncommenting the `access_log` line.
Reference in New Issue View Git Blame Copy Permalink