
naxsi breaks nginx modules that use subrequests, like SSI [error]

Open selivan opened this issue 9 years ago • 7 comments

  • nginx: 1.10.3
  • nginx modules: nginx-echo naxsi
  • naxsi: 0.55.3

I tried using the openresty echo-nginx-module. Plain echo works fine, but echo_location, echo_location_async, echo_subrequest and echo_subrequest_async work 50/50: sometimes they return the required answer, sometimes they just hang indefinitely.

Then, to solve the same task, I switched to nginx's built-in SSI and got very similar behavior: shtml files with only <!--# echo var="time_local" --> work fine, but shtml files with <!--# include file="/somefile" --> work 50/50, like echo_location.

I suppose both these modules use nginx subrequests, and naxsi somehow breaks this functionality.

P.S. Is there any way to get commercial support for naxsi?

selivan avatar Mar 23 '17 15:03 selivan

Hello !

Yes, it seems naxsi breaks subrequests, but I didn't encounter it yet because we are not using it. can you provide me a little test case so I can have a look ? I hope to get some time to work on this !

regards and thanks for the detailed issues :)

buixor avatar Apr 06 '17 09:04 buixor

Hi, it seems that naxsi does not take effect within the nginx internal subrequest?

  • nginx: 1.10.1
  • modsecurity: 0.55.3
  • nginx.conf:

```nginx
location /loc1 {
   #SecRulesEnabled;
   #DeniedUrl "/50x.html";
   #CheckRule "$SQL >= 8" BLOCK;
   #CheckRule "$RFI >= 8" BLOCK;
   #CheckRule "$TRAVERSAL >= 4" BLOCK;
   #CheckRule "$EVADE >= 4" BLOCK;
   #CheckRule "$XSS >= 8" BLOCK;

   # issue the internal subrequest to /loc2 (double quotes so the inner
   # single quotes of the Lua string do not terminate the directive value)
   content_by_lua "ngx.location.capture('/loc2')";
}

location /loc2 {
   SecRulesEnabled;
   DeniedUrl "/50x.html";
   CheckRule "$SQL >= 8" BLOCK;
   CheckRule "$RFI >= 8" BLOCK;
   CheckRule "$TRAVERSAL >= 4" BLOCK;
   CheckRule "$EVADE >= 4" BLOCK;
   CheckRule "$XSS >= 8" BLOCK;

   proxy_pass http://192.168.0.11:8080$request_uri;
}
```

  1. Enable the naxsi SecRules in /loc1: the rules take effect.
  2. Disable the SecRules in /loc1 and enable the naxsi SecRules only in /loc2: the rules have no effect. That is to say, naxsi does not take effect in the nginx internal subrequest.

Any good suggestions? Thanks!

buixor avatar Apr 06 '17 09:04 buixor

@buixor I am a little overloaded now, but I promise I'll return in a couple of days with a solid test case. I remember that in the configuration I was building, both SSI and echo_location were glitching inside the internal location used to handle blocked requests: DeniedUrl "/location_with_ssi";.

selivan avatar Apr 06 '17 20:04 selivan

Don't worry, I'm quite busy myself, and will be out of the internetz from next week till the end of the month :)

buixor avatar Apr 07 '17 07:04 buixor

@buixor seems I finally got it. It was quite a quest to catch when exactly it breaks :) Here is the test case:

  • DeniedUrl points to a location where subrequests are used:
    • echo_location from the echo module
    • also reproduces with SSI using include file= or include virtual=
  • keepalive is enabled in nginx
  • The client sends a malformed request denied by Naxsi and then sends a second request within the same keepalive connection

Expected: first request gets response from DeniedUrl location, second request is processed as usual

Actual result: first request returns expected response, second request hangs forever

Environment:

  • GNU/Linux Ubuntu 14.04 Trusty
  • nginx: 1.10.3
  • nginx -V: https://gist.github.com/selivan/cac189d3b8ba167e43899cc908195114
  • naxsi: 0.55.3
  • echo-nginx-module

If you disable echo_location inside the problematic location, you will get the expected result.

Here is the test nginx.conf: https://gist.github.com/selivan/10ed68156a869b4095c20a2d10cc101c

To make curl send the requests in a single keepalive connection, you can use the --config-file option with a file like this (the empty lines are mandatory):

```
url="http://example.net/?wafprohibited=<script>"

url="http://example.net/"
```

P.S. And I'd like to repeat my question, is it possible to get commercial support for Naxsi? I think I can convince my bosses to pay for it.

selivan avatar Apr 07 '17 18:04 selivan
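The test case above can be turned into a regression probe that does not depend on curl: one keep-alive connection, the denied request first, then a normal request, and a timeout that distinguishes a normal answer from the reported hang. This is an added example, not code from the thread or from the naxsi project; the host, port and timeout are assumptions, the two paths are the ones from the curl config above.

```python
import socket
from typing import Optional

# Constructed reproduction of the report: host/port are assumptions, the paths are the thread's.
HOST, PORT = "example.net", 80
BLOCKED_PATH = "/?wafprohibited=<script>"   # denied by naxsi, served from DeniedUrl
NORMAL_PATH = "/"                           # second request on the same connection

def build_request(path: str, host: str = HOST) -> bytes:
    """HTTP/1.1 GET that asks nginx to keep the connection open for the next request."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: keep-alive\r\n\r\n").encode()

def read_response(sock: socket.socket, timeout: float) -> Optional[bytes]:
    """Read one full response (headers plus Content-Length or chunked body).
    Returns None if the server goes silent for `timeout` seconds, i.e. the hang."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return buf or None
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (l.partition(b":") for l in head.split(b"\r\n")[1:])}
        if headers.get(b"transfer-encoding") == b"chunked":
            done = lambda b: b.endswith(b"0\r\n\r\n")
        else:
            need = int(headers.get(b"content-length", b"0"))
            done = lambda b: len(b) >= need
        while not done(body):
            chunk = sock.recv(4096)
            if not chunk:
                break
            body += chunk
        return head + b"\r\n\r\n" + body
    except socket.timeout:
        return None

def probe_keepalive(host: str = HOST, port: int = PORT, timeout: float = 5.0) -> str:
    """'ok' when both requests are answered; 'second_hung' is the symptom reported above."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(BLOCKED_PATH, host))
        if read_response(s, timeout) is None:
            return "first_hung"
        s.sendall(build_request(NORMAL_PATH, host))
        return "ok" if read_response(s, timeout) is not None else "second_hung"
```

Run `probe_keepalive()` against a build with and without the DeniedUrl location using echo_location or SSI includes; a result of "second_hung" reproduces the bug, "ok" shows it fixed.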

Hello,

Thanks for the detailed information :) I'll be on holidays for two weeks with no internet, but I'll try to tackle this one when I come back ! So far, I have no plan for commercial support for naxsi as I'd like to keep free hands on it, but we can always discuss the matter depending on your needs, can you mail me ?

cheers,

buixor avatar Apr 12 '17 09:04 buixor

@buixor

> can you mail me ?

I can't, because neither your GitHub profile nor your blog has any mail links. Can you please contact me at [email protected]?

selivan avatar Apr 12 '17 09:04 selivan