External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/nginx/enforcement.conf
github-actions[bot] f969ca91cc Update: [Tue Jan 7 00:27:08 UTC 2025]
2025-01-07 00:27:08 +00:00

457 lines
11 KiB
Plaintext
Raw Blame History

# Nginx WAF rules for ENFORCEMENT
location / {
set $attack_detected 0;
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_methods}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?i)^(?:get /[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?|(?:connect (?:(?:[0-9]{1,3}.){3}[0-9]{1,3}.?(?::[0-9]+)?|[--9A-Z_a-z]+:[0-9]+)|options *|[a-z]{3,10}[sv]+(?:[0-9A-Z_a-z]{3,7}?://[--9A-Z_a-z]*(?::[0-9]+)?)?/[^#?]*(?:?[^sv#]*)?(?:#[^sv]*)?)[sv]+[.-9A-Z_a-z]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx (?i)^(?:&(?:(?:[acegiln-or-suz]acut|[aeiou]grav|[ain-o]tild)e|[c-elnr-tz]caron|(?:[cgk-lnr-t]cedi|[aeiouy]um)l|[aceg-josuwy]circ|[au]ring|a(?:mp|pos)|nbsp|oslash);|[^"';=])*$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^d+$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?:GET|HEAD)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within HTTP/2 HTTP/2.0 HTTP/3 HTTP/3.0") {
set $attack_detected 1;
}
if ($request_uri ~* "@streq POST") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (d+)-(d+)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt %{tx.1}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx b(?:keep-alive|close),s?(?:keep-alive|close)b") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)application/x-www-form-urlencoded") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx x25") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUrlEncoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateUtf8Encoding") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx %u[fF]{2}[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 1-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android Business Enterprise Entreprise") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^OPTIONS$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^([d.]+|[[da-f:]+]|[da-f:]+)(:[d]+)?$)") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_num_args}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_name_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.total_arg_length}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)multipart/form-data") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.max_file_size}") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt %{tx.combined_file_sizes}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^[w/.+*-]+(?:s?;s?(?:action|boundary|charset|component|start(?:-info)?|type|version)s?=s?['"w.()+,/:=?<>@#*-]+)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^[^;s]+") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx charsets*=s*["']?([^;"'s]+)") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_request_content_type_charset}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx charset.*?charset") {
set $attack_detected 1;
}
if ($request_uri ~* "!@within %{tx.allowed_http_versions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .([^.]+)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_extensions}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx .[^.~]+~(?:/.*|)$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_basic}") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 50") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*(?:[sv]*,[sv]*(?:(?:*|[^!-"(-),/:-?[-]{}]+)/(?:*|[^!-"(-),/:-?[-]{}]+)|*)(?:[sv]*;[sv]*(?:charset[sv]*=[sv]*"?(?:iso-8859-15?|utf-8|windows-1252)b"?|(?:[^sv -"(-),/:-?[-]c{}]|c(?:[^!-"(-),/:-?[-]h{}]|h(?:[^!-"(-),/:-?[-]a{}]|a(?:[^!-"(-),/:-?[-]r{}]|r(?:[^!-"(-),/:-?[-]s{}]|s(?:[^!-"(-),/:-?[-]e{}]|e[^!-"(-),/:-?[-]t{}]))))))[^!-"(-),/:-?[-]{}]*[sv]*=[sv]*[^!(-),/:-?[-]{}]+);?)*)*$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@streq JSON") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?i)x5cu[0-9a-f]{4}") {
set $attack_detected 1;
}
if ($request_uri ~* "@contains #") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 2") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "!@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){63}") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx %[0-9a-fA-F]{2}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 9,10,13,32-126,128-255") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ['";=]") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^0$") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^.*$") {
set $attack_detected 1;
}
if ($request_uri ~* "@within %{tx.restricted_headers_extended}") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 3") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32-36,38-126") {
set $attack_detected 1;
}
if ($request_uri ~* "@eq 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:OPTIONS|CONNECT)$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@pm AppleWebKit Android") {
set $attack_detected 1;
}
if ($request_uri ~* "@ge 1") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^(?i)up") {
set $attack_detected 1;
}
if ($request_uri ~* "@gt 0") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:(?:max-age=[0-9]+|min-fresh=[0-9]+|no-cache|no-store|no-transform|only-if-cached|max-stale(?:=[0-9]+)?)(?:s*,s*|$)){1,7}$") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx br|compress|deflate|(?:pack200-)?gzip|identity|*|^$|aes128gcm|exi|zstd|x-(?:compress|gzip)") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@lt 4") {
set $attack_detected 1;
}
if ($request_uri ~* "@endsWith .pdf") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx ^bytes=(?:(?:d+)?-(?:d+)?s*,?s*){6}") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 38,44-46,48-58,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "@validateByteRange 32,34,38,42-59,61,65-90,95,97-122") {
set $attack_detected 1;
}
if ($request_uri ~* "!@rx ^(?:?[01])?$") {
set $attack_detected 1;
}
if ($request_uri ~* "@rx (?:^|[^x5c])x5c[cdeghijklmpqwxyz123456789]") {
set $attack_detected 1;
}
if ($attack_detected = 1) {
return 403;
}
}
Reference in New Issue View Git Blame Copy Permalink