patterns/waf_patterns/nginx/rfi.conf

# Nginx WAF rules for RFI
location / {
    set $attack_detected 0;

    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 1") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx ^(?i:file|ftps?|https?)://(?:d{1,3}.d{1,3}.d{1,3}.d{1,3})") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)(?:bincludes*([^)]*|mosConfig_absolute_path|_CONF[path]|_SERVER[DOCUMENT_ROOT]|GALLERY_BASEDIR|path[docroot]|appserv_root|config[root_dir])=(?:file|ftps?|https?)://") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx ^(?i:file|ftps?|https?).*??+$") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 2") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 2") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "!@endsWith .%{request_headers.host}") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@rx (?i)(?:(?:url|jar):)?(?:a(?:cap|f[ps]|ttachment)|b(?:eshare|itcoin|lob)|c(?:a(?:llto|p)|id|vs|ompress.(?:zlib|bzip2))|d(?:a(?:v|ta)|ict|n(?:s|tp))|e(?:d2k|xpect)|f(?:(?:ee)?d|i(?:le|nger|sh)|tps?)|g(?:it|o(?:pher)?|lob)|h(?:323|ttps?)|i(?:ax|cap|(?:ma|p)ps?|rc[6s]?)|ja(?:bbe)?r|l(?:dap[is]?|ocal_file)|m(?:a(?:ilto|ven)|ms|umble)|n(?:e(?:tdoc|ws)|fs|ntps?)|ogg|p(?:aparazzi|h(?:ar|p)|op(?:2|3s?)|r(?:es|oxy)|syc)|r(?:mi|sync|tm(?:f?p)?|ar)|s(?:3|ftp|ips?|m(?:[bs]|tps?)|n(?:ews|mp)|sh(?:2(?:.(?:s(?:hell|(?:ft|c)p)|exec|tunnel))?)?|vn(?:+ssh)?)|t(?:e(?:amspeak|lnet)|ftp|urns?)|u(?:dp|nreal|t2004)|v(?:entrilo|iew-source|nc)|w(?:ebcal|ss?)|x(?:mpp|ri)|zip)://(?:[^@]+@)?([^/]*)") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "!@endsWith .%{request_headers.host}") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 3") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 3") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 4") {
        set $attack_detected 1;
    }

    if ($request_uri ~* "@lt 4") {
        set $attack_detected 1;
    }

    if ($attack_detected = 1) {
        return 403;
    }
}