theMiddle

Results 42 comments of theMiddle

> I do not think I have seen a fragment like ever in a referer really?

I'm full of logs... even from google! ![image](https://github.com/coreruleset/coreruleset/assets/4454961/4b3962d8-11c6-4018-802a-84fe7513ea36)

No, sorry, it's not a matter of finding evidence. Maybe you are trying to determine who is right or wrong. I want to clarify that these false positives come from...

wow @j3sux thanks, awesome work! Let me check all changes

Hi @emphazer, the rule tries to catch PHP code injection bypass techniques such as `(string)"system"("uname");`. Maybe we can remove the REQUEST_FILENAME from the rule, I need to do some tests....

> How about URLs like /app/index.php/connector/. On a reverse proxy, this is part of the REQUEST_FILENAME.

totally agree, didn't think about it. need more time to test :/

IIRC we already talked about that in a meeting (refer to https://www.secjuice.com/web-application-firewall-waf-evasion/). If you agree, I would try to catch this bypass technique in PL1.

still in progress...

Thanks @marcstern. This is just a try to handle bypass in PL1 (as we do in PL2, 3 and 4). Unfortunately, we can't use `t:bash` because it is not part of...

Thank you very much @agentzh, I tried with the following configuration:

```sh
location ~* /.* {
    set $skip_filter '';
    proxy_pass mywebsite;
    header_filter_by_lua_block {
        if ngx.status ~= 404 then
            ngx.var.skip_filter...
```

@agentzh I've used the following configuration to make it work with OpenResty using body_filter_by_lua_block:

```
location ~* /.* {
    proxy_pass mywebsite;
    body_filter_by_lua_block {
        if ngx.status == 404 then
            local from,to,err...
```