directives
- alias: denied_url
- context: location
DeniedUrl is a directive that indicates where naxsi will redirect (nginx's internal redirect) blocked requests.
As the request might be modified during the redirect (URL and arguments), the extra HTTP headers orig_url (original URL), orig_args (original GET args) and naxsi_sig (NAXSI_FMT) are added.
The headers that are forwarded to the denied-page location are:
NAXSI_HEADER_ORIG_URL "x-orig_url"
NAXSI_HEADER_ORIG_ARGS "x-orig_args"
NAXSI_HEADER_NAXSI_SIG "x-naxsi_sig"
Example:
location / {
    ...
    DeniedUrl "/RequestDenied";
}
location /RequestDenied {
    return 418; # I'm a teapot
}
- alias: learning_mode
- context: location
LearningMode instructs naxsi to enable learning mode (don't honor the BLOCK directive) in the location.
For example:
location /a {
    # A request triggering the BLOCK score won't be blocked here, but simply logged.
    LearningMode;
}
Keep in mind that internal rules (those with an id lower than 1000) will drop the request even in learning mode, because a match means that something fishy is going on: naxsi can't correctly process the request.
You can of course apply whitelists if those are false positives.
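The following added example (not part of the naxsi documentation or code base) shows how a backend serving the DeniedUrl location could read the three forwarded headers and flag matches from internal rules (id below 1000), which drop the request even in learning mode. It assumes x-naxsi_sig carries the '&'-separated key=value layout of naxsi's NAXSI_FMT log line, with indexed idN/zoneN/var_nameN and cscoreN/scoreN fields; the function names and sample values are constructed for illustration.

```python
from urllib.parse import parse_qsl

INTERNAL_RULE_MAX_ID = 1000  # this page: internal rules have an id below 1000


def _indexed(sig, prefix):
    """Collect prefix0, prefix1, ... until the first missing index."""
    out, n = [], 0
    while f"{prefix}{n}" in sig:
        out.append(sig[f"{prefix}{n}"])
        n += 1
    return out


def parse_denied_request(headers):
    """Summarise the headers naxsi adds before redirecting to DeniedUrl."""
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    # Assumed layout: '&'-separated key=value pairs with URL-encoded values.
    sig = dict(parse_qsl(h.get("x-naxsi_sig", ""), keep_blank_values=True))
    matches = []
    for rid, zone, var in zip(_indexed(sig, "id"), _indexed(sig, "zone"),
                              _indexed(sig, "var_name")):
        if not rid.isdecimal():
            continue  # malformed entry: skip it rather than trust it
        matches.append({"id": int(rid), "zone": zone, "var_name": var,
                        "internal": int(rid) < INTERNAL_RULE_MAX_ID})
    return {
        "orig_url": h.get("x-orig_url", ""),
        "orig_args": h.get("x-orig_args", ""),
        "learning": sig.get("learning") == "1",
        # Score tags (cscoreN/scoreN) are numbered independently of matches.
        "scores": dict(zip(_indexed(sig, "cscore"), _indexed(sig, "score"))),
        "matches": matches,
        "internal_rule_hit": any(m["internal"] for m in matches),
    }


# Constructed sample: headers a backend behind the DeniedUrl location might see.
SAMPLE = {
    "X-Orig_Url": "/search",
    "X-Orig_Args": "q=1%27",
    "X-Naxsi_Sig": ("ip=192.0.2.10&server=example.test&uri=/search&learning=0"
                    "&cscore0=$SQL&score0=8&zone0=ARGS&id0=1013&var_name0=q"
                    "&zone1=BODY&id1=11&var_name1="),
}

if __name__ == "__main__":
    print(parse_denied_request(SAMPLE))
```

A request with internal_rule_hit set is worth reviewing before whitelisting, since switching the location to learning mode will not let it through.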
- alias: rules_enabled
- context: location
SecRulesEnabled is a mandatory keyword to enable naxsi in a location.
- alias: rules_disabled
- context: location
SecRulesDisabled can be used to explicitly disable naxsi in a location.
- alias: check_rule
- context: location
See CheckRule
- alias: basic_rule
- context: location
A directive used to declare a rule or a whitelist.
- alias: main_rule
- context: http
A directive used to declare a rule or a whitelist.
- alias: libinjection_xss
- context: location
A directive to enable libinjection's XSS detection on all parts of the HTTP request.
- alias: libinjection_sql
- context: location
A directive to enable libinjection's SQLi detection on all parts of the HTTP request.
- context: server
A flag that can be set at runtime to enable naxsi extensive logs.
server {
    ...
    if ($remote_addr = "1.2.3.4") {
        set $naxsi_extensive_log 1;
    }
    location / {
        ...
    }
}
- context: server
A flag that can be set at runtime to enable or disable naxsi.
server {
    set $naxsi_flag_enable 1;
    location / {
        ...
    }
}
- context: server
A flag that can be set at runtime to enable or disable learning.
server {
    set $naxsi_flag_learning 1;
    location / {
        ...
    }
}
- context: server
A flag that can be set at runtime to enable or disable libinjection's SQL detection.
server {
    set $naxsi_flag_libinjection_sql 1;
    location / {
        ...
    }
}
A flag that can be set at runtime to enable or disable libinjection's XSS detection.
server {
    set $naxsi_flag_libinjection_xss 1;
    location / {
        ...
    }
}