
add-sp / ngx_waf

1.5K 25.0 185.0 2.29 MB

Handy, high-performance, ModSecurity-compatible Nginx firewall module

Home Page: https://add-sp.github.io/ngx_waf-docs/

License: BSD 3-Clause "New" or "Revised" License

C 84.64% Shell 1.75% Lua 0.18% HTML 0.26% Makefile 0.07% Yacc 5.18% Lex 3.47% Perl 4.45%
nginx nginx-modules web-application-firewall waf modsecurity modsecurity-nginx openresty captcha hcaptcha recaptcha

ngx_waf's Introduction

ngx_waf


Handy, High performance Nginx firewall module.

Why ngx_waf

  • Basic protection: black and white lists of IPs or IP ranges, URI black and white lists, request body black lists, and so on.
  • Easy to use: configuration files and rule files are easy to write and to read.
  • High performance: efficient algorithms and caching.
  • Advanced protection: ModSecurity compatible, so you can use the OWASP (Open Web Application Security Project®) ModSecurity Core Rule Set.
  • Friendly crawler verification: verifies Google, Bing, Baidu and Yandex crawlers and allows them automatically, avoiding false positives.
  • Captcha: supports three kinds of captchas: hCaptcha, reCAPTCHAv2 and reCAPTCHAv3.

Features

  • ModSecurity compatible. This feature is only available in the latest Current version.
  • Rules that are compatible with ModSecurity.
  • Anti SQL injection (powered by libinjection).
  • Anti XSS (powered by libinjection).
  • IPv4 and IPv6 support.
  • Support for enabling CAPTCHAs, including hCaptcha, reCAPTCHAv2 and reCAPTCHAv3. This feature is only available in the latest Current version.
  • Authentication of friendly crawlers (based on User-Agent and IP identification) so that these crawlers (e.g. GoogleBot) are not blocked. This feature is only available in the latest Current version.
  • Anti Challenge Collapsar (CC): malicious IPs are blocked automatically.
  • Exceptional allow on specific IP addresses.
  • Block the specified IP address.
  • Block the specified request body.
  • Exceptional allow on specific URLs.
  • Block the specified URL.
  • Block the specified query string.
  • Block the specified User-Agent.
  • Block the specified Cookie.
  • Exceptional allow on specific Referers.
  • Block the specified Referer.
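The "Anti Challenge Collapsar" entry above describes blocking an IP automatically once it sends too many requests. The following is an added example, not ngx_waf's own code, of the per-IP rate counter that such protection is built on: a fixed-window counter per client address, with the offender blocked for a configured period once the window limit is exceeded. The table size, thresholds, the fail-open choice on table exhaustion and every name here are assumptions made for the example; ngx_waf's real directives and data structures are not reproduced.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define CC_SLOTS   64   /* fixed table size, an assumption for the example */
#define CC_KEY_LEN 46   /* long enough for an IPv6 address string */

typedef struct {
    char     ip[CC_KEY_LEN];
    time_t   window_start;   /* start of the current counting window */
    unsigned count;          /* requests seen in the current window */
    time_t   blocked_until;  /* 0 when the IP is not blocked */
} cc_entry;

typedef struct {
    cc_entry slots[CC_SLOTS];
    unsigned limit;          /* requests allowed per window */
    time_t   window;         /* window length in seconds */
    time_t   block_secs;     /* how long an offender stays blocked */
} cc_table;

void cc_init(cc_table *t, unsigned limit, time_t window, time_t block_secs)
{
    memset(t, 0, sizeof *t);
    t->limit = limit;
    t->window = window;
    t->block_secs = block_secs;
}

/* Find the entry for ip, or claim an empty or fully expired slot for it.
 * Returns NULL when the table is full (no eviction policy in this example). */
static cc_entry *cc_lookup(cc_table *t, const char *ip, time_t now)
{
    cc_entry *spare = NULL;
    for (size_t i = 0; i < CC_SLOTS; i++) {
        cc_entry *e = &t->slots[i];
        if (e->ip[0] != '\0' && strcmp(e->ip, ip) == 0)
            return e;
        int expired = e->blocked_until <= now && e->window_start + t->window <= now;
        if (spare == NULL && (e->ip[0] == '\0' || expired))
            spare = e;
    }
    if (spare == NULL)
        return NULL;
    memset(spare, 0, sizeof *spare);
    strncpy(spare->ip, ip, CC_KEY_LEN - 1);
    return spare;
}

/* Decide one request from ip at time now: returns 1 to block, 0 to allow. */
int cc_check(cc_table *t, const char *ip, time_t now)
{
    cc_entry *e = cc_lookup(t, ip, now);
    if (e == NULL)
        return 0;            /* table exhausted: this example fails open */
    if (e->blocked_until > now)
        return 1;            /* still inside the block period */
    if (now - e->window_start >= t->window) {
        e->window_start = now;   /* the window rolled over: start counting afresh */
        e->count = 0;
    }
    e->count++;
    if (e->count > t->limit) {
        e->blocked_until = now + t->block_secs;
        return 1;
    }
    return 0;
}

/* Constructed scenario: limit 3 requests per 60 s, block for 300 s.
 * Returns how many of the seven sample requests were blocked (2: the
 * fourth request in the window and one more while the block is active;
 * the request after the block expires is allowed again). */
int cc_demo_blocked(void)
{
    cc_table t;
    cc_init(&t, 3, 60, 300);
    const char *ip = "198.51.100.7";   /* constructed sample address */
    time_t times[] = { 1000, 1001, 1002, 1003, 1100, 1304 };
    int blocked = 0;
    for (size_t i = 0; i < sizeof times / sizeof times[0]; i++)
        blocked += cc_check(&t, ip, times[i]);
    blocked += cc_check(&t, "203.0.113.5", 1003);   /* unrelated client is unaffected */
    return blocked;
}

int main(void)
{
    printf("blocked decisions in the demo scenario: %d\n", cc_demo_blocked());
    return 0;
}
```

The decision is keyed on the address the server sees as the peer, which is exactly why CC protection misfires behind a CDN (see the X-Forwarded-For issue further down): every client then shares the CDN node's address and the counter fills up for all of them at once.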

Docs

Contact

Sponsor

Hope you can help promote this project. The more stars it gets, the better this project becomes. :)

Test Suite

This module comes with a Perl-driven test suite. The test cases are declarative as well, thanks to the Test::Nginx module from the Perl world.

To run it on your side:

# It will take a lot of time, but it only needs to be run once.
cpan Test::Nginx

# You need to specify a temporary directory.
# If the directory does not exist it will be created automatically.
# If the directory already exists it will be **removed** first and then created.
export MODULE_TEST_PATH=/path/to/temp/dir

# You need to specify the absolute path to the dynamic module if you have it installed, 
# otherwise you do not need to run this line.
export MODULE_PATH=/path/to/ngx_http_waf_module.so

cd ./test/test-nginx
sh ./init.sh
sh ./start.sh ./t/*.t

Some parts of the test suite require the standard proxy, rewrite and SSI modules to be enabled as well when building Nginx.

License

BSD 3-Clause License

Thanks

  • ModSecurity: An open source, cross platform web application firewall (WAF) engine.
  • uthash: C macros for hash tables and more.
  • libcurl: The multiprotocol file transfer library.
  • cJSON: Ultralightweight JSON parser in ANSI C.
  • libinjection: SQL / SQLI tokenizer parser analyzer.
  • libsodium: A modern, portable, easy to use crypto library.
  • test-nginx: Data-driven test scaffold for Nginx C module and OpenResty Lua library development.
  • lastversion: A command line tool that helps you download or install a specific version of a project.
  • ngx_lua_waf: A web application firewall based on the lua-nginx-module (openresty).
  • nginx-book: The Chinese language development guide for nginx.
  • nginx-development-guide: The Chinese language development guide for nginx.

ngx_waf's People

Contributors

add-sp, dvershinin, pradhans0906


ngx_waf's Issues

build failed on CentOS 7

CentOS 7 x64
gcc 4.8.5
nginx 1.18.0
ngx_waf-3.1.0

Configuration summary

  • using threads
  • using system PCRE library
  • using system OpenSSL library
  • using system zlib library

nginx path prefix: "/etc/nginx"
nginx binary file: "/usr/sbin/nginx"
nginx modules path: "/usr/lib64/nginx/modules"
nginx configuration prefix: "/etc/nginx"
nginx configuration file: "/etc/nginx/nginx.conf"
nginx pid file: "/var/run/nginx.pid"
nginx error log file: "/var/log/nginx/error.log"
nginx http access log file: "/var/log/nginx/access.log"
nginx http client request body temporary files: "/var/cache/nginx/client_temp"
nginx http proxy temporary files: "/var/cache/nginx/proxy_temp"
nginx http fastcgi temporary files: "/var/cache/nginx/fastcgi_temp"
nginx http uwsgi temporary files: "/var/cache/nginx/uwsgi_temp"
nginx http scgi temporary files: "/var/cache/nginx/scgi_temp"

make modules
make -f objs/Makefile modules
make[1]: Entering directory `/home/mock/rpmbuild/BUILD/nginx-module-http-waf-1.18.0'
cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -I src/core -I src/event -I src/event/modules -I src/os/unix -I ngx_waf-3.1.0/inc -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/mail -I src/stream \
    -o objs/addon/src/ngx_http_waf_module_core.o \
    ngx_waf-3.1.0/src/ngx_http_waf_module_core.c
In file included from ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:15:0,
                 from ngx_waf-3.1.0/inc/ngx_http_waf_module_core.h:17,
                 from ngx_waf-3.1.0/src/ngx_http_waf_module_core.c:1:
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h: In function 'parse_ipv4':
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:126:5: error: 'for' loop initial declarations are only allowed in C99 mode
     for (int i = 0; i < 4; i++) {
     ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:126:5: note: use option -std=c99 or -std=gnu99 to compile your code
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:133:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (uint32_t j = 0; j < suffix; j++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:142:14: error: redefinition of 'i'
     for (int i = 0; i < 4; i++) {
              ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:126:14: note: previous definition of 'i' was here
     for (int i = 0; i < 4; i++) {
              ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:142:5: error: 'for' loop initial declarations are only allowed in C99 mode
     for (int i = 0; i < 4; i++) {
     ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h: In function 'parse_ipv6':
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:207:5: error: 'for' loop initial declarations are only allowed in C99 mode
     for (int i = 0; i < 16; i++) {
     ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:214:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (uint32_t j = 0; j < temp_suffix; j++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:222:14: error: redefinition of 'i'
     for (int i = 0; i < 16; i++) {
              ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:207:14: note: previous definition of 'i' was here
     for (int i = 0; i < 16; i++) {
              ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_util.h:222:5: error: 'for' loop initial declarations are only allowed in C99 mode
     for (int i = 0; i < 16; i++) {
     ^
In file included from ngx_waf-3.1.0/inc/ngx_http_waf_module_core.h:17:0,
                 from ngx_waf-3.1.0/src/ngx_http_waf_module_core.c:1:
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_white_url':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:386:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; i < srv_conf->white_url->nelts; i++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_black_url':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:439:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; i < srv_conf->black_url->nelts; i++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_black_args':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:496:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; i < srv_conf->black_args->nelts; i++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_black_user_agent':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:553:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; i < srv_conf->black_ua->nelts; i++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_white_referer':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:610:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; i < srv_conf->white_referer->nelts; i++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_black_referer':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:667:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; i < srv_conf->black_referer->nelts; i++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'ngx_http_waf_handler_check_black_cookie':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:713:9: error: 'for' loop initial declarations are only allowed in C99 mode
         for (size_t i = 0; i < r->headers_in.cookies.nelts; i++, ppcookie++) {
         ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:715:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t j = 0; j < srv_conf->black_cookie->nelts; j++, p++) {
             ^
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h: In function 'check_post':
ngx_waf-3.1.0/inc/ngx_http_waf_module_check.h:803:9: error: 'for' loop initial declarations are only allowed in C99 mode
         for (size_t i = 0; i < srv_conf->black_post->nelts; i++, p++) {
         ^
In file included from ngx_waf-3.1.0/inc/ngx_http_waf_module_core.h:18:0,
                 from ngx_waf-3.1.0/src/ngx_http_waf_module_core.c:1:
ngx_waf-3.1.0/inc/ngx_http_waf_module_config.h: In function 'ngx_http_waf_mode_conf':
ngx_waf-3.1.0/inc/ngx_http_waf_module_config.h:155:5: error: 'for' loop initial declarations are only allowed in C99 mode
     for (size_t i = 1; i < cf->args->nelts && modes != NULL; i++) {
     ^
ngx_waf-3.1.0/src/ngx_http_waf_module_core.c: In function 'ngx_http_waf_handler_url_args':
ngx_waf-3.1.0/src/ngx_http_waf_module_core.c:123:13: error: 'for' loop initial declarations are only allowed in C99 mode
             for (size_t i = 0; check_proc[i] != NULL; i++) {
             ^
ngx_waf-3.1.0/src/ngx_http_waf_module_core.c: In function 'ngx_http_waf_handler_ip_url_referer_ua_args_cookie_post':
ngx_waf-3.1.0/src/ngx_http_waf_module_core.c:188:17: error: 'for' loop initial declarations are only allowed in C99 mode
                 for (size_t i = 0; check_proc[i] != NULL; i++) {
                 ^
make[1]: *** [objs/addon/src/ngx_http_waf_module_core.o] Error 1
make[1]: Leaving directory `/home/mock/rpmbuild/BUILD/nginx-module-http-waf-1.18.0'
make: *** [modules] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.uC6JxC (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.uC6JxC (%build)

Cannot compile

An error is reported when compiling and installing. The parameters are as follows.

./configure
--user=www
--group=www
--prefix=/usr/local/nginx
--builddir=/usr/local/nginx/build
--sbin-path=/usr/local/nginx/sbin/nginx
--modules-path=/usr/local/nginx/modules
--pid-path=/usr/local/nginx/sbin/nginx.pid
--http-client-body-temp-path=/usr/local/nginx/temp/client
--http-proxy-temp-path=/usr/local/nginx/temp/proxy
--with-pcre=${BASEPATH}/pcre-8.42
--with-zlib=${BASEPATH}/zlib-cloudflare-1.2.8
--with-pcre-jit
--with-threads
--with-http_ssl_module
--with-http_v2_module
--with-http_gzip_static_module
--with-http_gunzip_module
--with-http_sub_module
--with-http_stub_status_module
--with-http_degradation_module
--with-http_realip_module
--with-stream
--with-stream_ssl_preread_module
--with-stream_ssl_module
--add-module=${BASEPATH}/ngx_waf
--add-module=${BASEPATH}/ngx_brotli && make

Error message
/root/nginx/ngx_waf/src/../inc/ngx_http_waf_module_check.h: In function ‘ngx_http_waf_handler_check_white_url’:
/root/nginx/ngx_waf/src/../inc/ngx_http_waf_module_check.h:302:5: error: ‘for’ loop initial declarations are only allowed in C99 mode
for (size_t i = 0; i < srv_conf->white_url->nelts; i++, p++) {

Error when compiling and installing

Hello, I get an error when compiling and installing ngx_waf and don't know how to solve it.
nginx version: 1.19.5
OS: CentOS 7.9
Added --add-module=/root/ngx_waf at compile time
Error:
adding module in /root/ngx_waf
checking for uthash library ... not found
./configure: error: the ngx_http_waf_module module requires the uthash library.

centos8 build failure

Error message:

./configure: error: the ngx_http_waf_module module requires the uthash library.


Version information

os: centos8
nginx: 1.18.0

Configure arguments

--prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-dynamic-module=/app/plugins/ngx_brotli --add-dynamic-module=/app/plugins/ngx_waf

ngx_http_waf_module_core.h: No such file or directory during compilation

  • How to trigger the error.

  • ngx_waf -master 5.2.0

  • nginx 1.9.9
    Running ./configure --add-module=/usr/local/src/ngx_waf --with-cc-opt='-O2 -std=c99 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include'
    succeeds; the subsequent make fails with the following error:

    -o objs/src/http/modules/ngx_http_upstream_ip_hash_module.o
    src/http/modules/ngx_http_upstream_ip_hash_module.c
    cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -std=c99 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules
    -o objs/src/http/modules/ngx_http_upstream_least_conn_module.o
    src/http/modules/ngx_http_upstream_least_conn_module.c
    cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -std=c99 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules
    -o objs/src/http/modules/ngx_http_upstream_keepalive_module.o
    src/http/modules/ngx_http_upstream_keepalive_module.c
    cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -std=c99 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules
    -o objs/src/http/modules/ngx_http_upstream_zone_module.o
    src/http/modules/ngx_http_upstream_zone_module.c
    cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -std=c99 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules -I src/mail -I src/stream
    -o objs/addon/src/ngx_http_waf_module_core.o
    /usr/local/src/ngx_waf/src/ngx_http_waf_module_core.c
    /usr/local/src/ngx_waf/src/ngx_http_waf_module_core.c:1:38: fatal error: ngx_http_waf_module_core.h: No such file or directory
    #include <ngx_http_waf_module_core.h>
    ^
    compilation terminated.
    make[1]: *** [objs/addon/src/ngx_http_waf_module_core.o] Error 1
    make[1]: Leaving directory `/data/nginx-1.9.9'
    make: *** [build] Error 2

  • Operating system: centos7

worker process exited on signal 11

I use a Docker web tool called Portainer; when I try to access it, nginx reports an error.

2021/01/15 13:27:46 [alert] 1#1: worker process 30 exited on signal 11
2021/01/15 13:27:47 [alert] 1#1: worker process 31 exited on signal 11
2021/01/15 13:27:47 [alert] 1#1: worker process 32 exited on signal 11
2021/01/15 13:27:48 [alert] 1#1: worker process 33 exited on signal 11
2021/01/15 13:27:48 [alert] 1#1: worker process 34 exited on signal 11 

I also find that with waf_mode STD; the error occurs, while with waf_mode CC; nginx runs well.

v4.1.0-beta.3: the waf_cache_size cache-size parameter has disappeared

https://add-sp.github.io/ngx_waf/zh-cn/guide/configuration.html
Following that page I had originally set the cache size to 100M:
waf_cache_size 100m;
After building the new version today, nginx -t shows
nginx: [emerg] ngx_waf: Unable to convert [100m] to a positive integer (22: Invalid argument)
This problem does not occur in v4.1.0-beta.2.
In the end, following https://add-sp.github.io/ngx_waf/zh-cn/advance/syntax.html#waf-cache-size
I removed that parameter and changed it to waf_cache_size 120 50; and nginx reloads normally again.
Did you drop the original parameter? So there is no need to set the cache size any more, right?

feat: could ngx_http_geoip2_module be built into the Docker image?

Could the GeoIP2 functionality be integrated?
It is quite a useful feature, and now only GeoIP2 is officially available.

I found the following references:

leev/ngx_http_geoip2_module: Nginx GeoIP2 module
https://github.com/leev/ngx_http_geoip2_module

nginx-geoip2/Dockerfile at master · ar414-com/nginx-geoip2
https://github.com/ar414-com/nginx-geoip2/blob/master/tests/Dockerfile

nginx-alpine-geoip2/Dockerfile at master · bubelov/nginx-alpine-geoip2
https://github.com/bubelov/nginx-alpine-geoip2/blob/master/Dockerfile

Failure to compile in CentOS/RHEL 6 or 7

If we compile NGINX with system libraries for OpenSSL, it eventually seems to include a file that has the same constant already defined, then compilation fails:

In file included from ngx_waf-2.0.0/src/../inc/ngx_http_waf_module_core.h:7,
                 from ngx_waf-2.0.0/src/ngx_http_waf_module_core.c:2:
ngx_waf-2.0.0/src/../inc/ngx_http_waf_module_macro.h:19: error: "TRUE" redefined [-Werror]
 #define TRUE                    (1)
 
In file included from /usr/include/krb5.h:8,
                 from /usr/include/openssl/kssl.h:73,
                 from /usr/include/openssl/ssl.h:165,
                 from src/event/ngx_event_openssl.h:15,
                 from src/core/ngx_core.h:84,
                 from ngx_waf-2.0.0/src/../inc/ngx_http_waf_module_core.h:2,
                 from ngx_waf-2.0.0/src/ngx_http_waf_module_core.c:2:
/usr/include/krb5/krb5.h:177: note: this is the location of the previous definition
 #define TRUE    1
 
In file included from ngx_waf-2.0.0/src/../inc/ngx_http_waf_module_core.h:7,
                 from ngx_waf-2.0.0/src/ngx_http_waf_module_core.c:2:
ngx_waf-2.0.0/src/../inc/ngx_http_waf_module_macro.h:20: error: "FALSE" redefined [-Werror]
 #define FALSE                   (0)
 
In file included from /usr/include/krb5.h:8,
                 from /usr/include/openssl/kssl.h:73,
                 from /usr/include/openssl/ssl.h:165,
                 from src/event/ngx_event_openssl.h:15,
                 from src/core/ngx_core.h:84,
                 from ngx_waf-2.0.0/src/../inc/ngx_http_waf_module_core.h:2,
                 from ngx_waf-2.0.0/src/ngx_http_waf_module_core.c:2:
/usr/include/krb5/krb5.h:174: note: this is the location of the previous definition
 #define FALSE   0
 
cc1: all warnings being treated as errors

In CentOS/RHEL 8 this does not happen, for whatever reason... although the related file /usr/include/krb5/krb5.h has the same "fences":

#ifndef FALSE
#define FALSE   0
#endif
#ifndef TRUE
#define TRUE    1
#endif

I think similar things should be added over to inc/ngx_http_waf_module_macro.h?

Some questions I would like help with

Rule priority

The docs say that the CC protection check runs before the IP whitelist check.
If the origin site sits behind a CDN such as Cloudflare, could Cloudflare IPs trigger CC protection and get blacklisted?
My idea is to add Cloudflare's IPs to the whitelist, but given the priority described in the docs I am not sure that would work.

URL black/white list checks

Does this url refer to the location? For example https://github.com/ADD-SP/ngx_waf
Then does the url in the docs mean location=/ADD-SP/ngx_waf?
I looked at the url rules in the rules directory and I am a little confused~

Writing rule regexes

I would like to ask what the regex (?i)(?:zgrab) in the user-agent rules means.
I read the explanation at http://www.pcre.org/current/doc/html/pcre2syntax.html
(?...) named capture group (Perl)
(?:...) non-capture group
Applying that explanation to the regex above I don't quite get it; my guess is that it means the UA contains zgrab. Hoping someone can explain.


These may be newbie questions, but I still wanted to ask. Thanks!

Cannot compile properly

Strongly recommended information

  • How to trigger the error.
    make as a static module

  • ngx_waf version/branch.
    master

  • Output of the nginx -V command.
    engine version: Tengine/2.3.3
    nginx version: nginx/1.18.0
    built by gcc 8.3.0 (Debian 8.3.0-6)
    built with OpenSSL 1.1.1k 25 Mar 2021
    TLS SNI support enabled
    configure arguments: --user=www --group=www --prefix=/www/server/nginx --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/ngx_brotli --add-module=/www/server/nginx/src/ngx_cache_purge --add-module=/www/server/nginx/src/nginx-sticky-module --with-openssl=/www/server/nginx/src/openssl --with-pcre=pcre-8.43 --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_stub_status_module --with-http_ssl_module --with-http_image_filter_module --with-http_gzip_static_module --with-http_gunzip_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E --with-cc-opt=-Wno-error --with-ld-opt=-ljemalloc --with-http_dav_module --add-module=/www/server/nginx/src/nginx-dav-ext-module

  • Shell output when the error occurs.
    root@VM-4-13-debian:/usr/local/src/nginx-1.18.0# make
    make -f objs/Makefile
    make[1]: Entering directory '/usr/local/src/nginx-1.18.0'
    cd pcre-8.43
    && if [ -f Makefile ]; then make distclean; fi
    && CC="cc" CFLAGS="-O2 -fomit-frame-pointer -pipe "
    ./configure --disable-shared
    /bin/sh: line 0: cd: pcre-8.43: No such file or directory
    make[1]: *** [objs/Makefile:2475: pcre-8.43/Makefile] Error 1
    make[1]: Leaving directory '/usr/local/src/nginx-1.18.0'
    make: *** [Makefile:8: build] Error 2

  • Operating system, including name and version.
    Distributor ID: Debian
    Description: Debian GNU/Linux 10 (buster)
    Release: 10

LTS version

There have been fast "breaking" releases over time.

By breaking I mean primarily those which introduced some library dependency (e.g. libinjection), or a program (e.g. flex) during compile time.

Can we have a version line, e.g. 6.x which would be updated with any fixes, but not have "breaking" releases?

E.g. new versions will be released but a specific branch like 6.x would incorporate important fixes, while not having many moving parts.

An example is Varnish Cache. The last version is 6.6.1 (some ABI/breaking changes are OK in there), while the last LTS version is 6.0.8 (all versions 6.0.x are LTS and include only important security/bug fixes).

Background: making RPM packages, but builds of newer versions constantly fail due to "yet another dependency change".

Source build error on centos7.9 x64

Without the --with-cc-opt='-std=gnu99' parameter the following error is reported:
For gcc, you can enable the C99 standard by appending the parameter --with-cc-opt='-std=gnu99'.
With the --with-cc-opt='-std=gnu99' parameter the following error is reported:
cc1plus: error: command line option ‘-std=gnu99’ is valid for C/ObjC but not for C++ [-Werror]

How should this be solved?

Failure to compile with mainline NGINX

Latest release 2.0.2 does not compile with NGINX 1.19.5. Errors:

In file included from ngx_waf-2.0.2/src/ngx_http_waf_module_core.c:13:
ngx_waf-2.0.2/src/../inc/ngx_http_waf_module_config.h: In function 'ngx_http_waf_create_srv_conf':
ngx_waf-2.0.2/src/../inc/ngx_http_waf_module_config.h:184:25: error: too few arguments to function 'ngx_log_init'
     srv_conf->ngx_log = ngx_log_init(NULL);
                         ^~~~~~~~~~~~
In file included from src/core/ngx_core.h:60,
                 from ngx_waf-2.0.2/src/../inc/ngx_http_waf_module_core.h:2,
                 from ngx_waf-2.0.2/src/ngx_http_waf_module_core.c:2:
src/core/ngx_log.h:231:12: note: declared here
 ngx_log_t *ngx_log_init(u_char *prefix, u_char *error_log);
            ^~~~~~~~~~~~

Looks like the function ngx_log_init has changed its signature at some point and requires a second argument on the mainline branch only (stable is fine).

Why is Dockerfile.alpine gone from v6.x and v7.x

A question

v6.x, v7.x and v8.x all contain Dockerfile.musl; why is that different from the Dockerfile.alpine in v5.x?
The image built with Dockerfile.musl cannot start; there is no nginx in it.
I suggest providing Dockerfile.alpine for v6.x, v7.x and v8.x, as in v5.x.

compatibility with the ngx_http_rewrite_module

solve

diff --git a/inc/ngx_http_waf_module_config.h b/inc/ngx_http_waf_module_config.h
index d412315..78698d8 100644
--- a/inc/ngx_http_waf_module_config.h
+++ b/inc/ngx_http_waf_module_config.h
@@ -1168,7 +1168,7 @@ static ngx_int_t ngx_http_waf_init_after_load_config(ngx_conf_t* cf) {
     ngx_http_core_main_conf_t* cmcf;
 
     cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
-    h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
+    h = ngx_array_push(&cmcf->phases[NGX_HTTP_REWRITE_PHASE].handlers);
     if (h == NULL) {
         return NGX_ERROR;
     }
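Review bot: moving the handler from NGX_HTTP_ACCESS_PHASE to NGX_HTTP_REWRITE_PHASE needs a return-code audit and a comment explaining the move, because the two phases treat handler results differently: in the access phase NGX_OK means "allowed, continue" (subject to `satisfy`), whereas ngx_http_core_rewrite_phase only advances on NGX_DECLINED and hands any other value, NGX_OK included, to ngx_http_finalize_request. Rewrite-phase handlers also run again after every `rewrite ... last` internal redirect, so the WAF checks can now execute more than once per request; guard with a per-request ctx flag if they are not idempotent, and say in the commit message (currently just "solve") why ngx_http_rewrite_module compatibility requires this phase.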

libinjection as submodule

solve

diff --git a/.gitignore b/.gitignore
index bdbe8fa..5fd5a66 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,4 @@ node_modules
 docs/.vuepress/dist
 yarn.lock
 package-lock.json
-inc/libinjection
 inc/libsodium
\ No newline at end of file
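Review bot: the file still ends without a trailing newline (the marker sits on the unchanged `inc/libsodium` line); add the newline while this file is being touched so the next edit does not produce a spurious diff on that line.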
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..0f9c163
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "inc/libinjection"]
+	path = inc/libinjection
+	url = https://github.com/libinjection/libinjection.git
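Review bot: nothing here tells a packager that a plain `git clone` or a GitHub release tarball no longer contains inc/libinjection; add `git submodule update --init` to the build instructions, and have the config script fail with a clear message when inc/libinjection is empty rather than letting make fail later on a missing header, which is the failure mode several of the build issues above describe.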
diff --git a/inc/libinjection b/inc/libinjection
new file mode 160000
index 0000000..49904c4
--- /dev/null
+++ b/inc/libinjection
@@ -0,0 +1 @@
+Subproject commit 49904c42a6e68dc8f16c022c693e897e4010a06c
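Review bot: pinning the gitlink to 49904c42a6e68dc8f16c022c693e897e4010a06c is the right supply-chain choice, since the build can no longer pick up upstream libinjection changes silently, but the commit message gives no way to tell which libinjection release this commit corresponds to; record the upstream tag or version in the message or a changelog entry so that packagers building RPMs (see the LTS issue above) can vendor the matching source.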

Suggestion: allow a custom response when blocking

Suggestions

  • Allow a block to return custom text or HTML
  • Blocking currently returns 403; allow configuring a custom 200 or other status code

About Anti-XSS

I would like to use a third party XSS semantic analysis engine for XSS protection, but I can't find one at the moment, please tell me what XSS semantic analysis engines are available.

CC protection produces false blocks when a CDN is used

When a CDN is in use, the requesting IP is the CDN provider's node, which causes false blocks. Would it be possible to determine the attacking IP from the X-Forwarded-For header?
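Reading X-Forwarded-For naively creates a new problem: the leftmost value is written by the client and can be set to anything, including a whitelisted address or a victim's address. The following is an added example, not ngx_waf's own code, of the safe way to consult the header: only accept it when the TCP peer is a trusted CDN node, then walk the header from the right, skipping trusted proxies, and take the first address that is not one of them. The trusted list, the sample header values, exact-string matching of proxies (a real deployment would use the CDN's published CIDR ranges) and every function name are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOPS 16   /* longest proxy chain considered; extra hops are dropped */
#define ADDR_LEN 46   /* enough for an IPv6 string */

/* Split "a, b ,c" into trimmed tokens; returns the number of tokens stored. */
static size_t split_xff(const char *xff, char out[][ADDR_LEN], size_t max)
{
    size_t n = 0;
    const char *p = xff;
    while (*p != '\0' && n < max) {
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        const char *start = p;
        while (*p != '\0' && *p != ',')
            p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
        size_t len = (size_t)(end - start);
        if (len == 0)
            continue;
        if (len >= ADDR_LEN)
            len = ADDR_LEN - 1;      /* oversized token is truncated, never trusted as-is */
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
    }
    return n;
}

static int is_trusted(const char *addr, const char *const *trusted, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(addr, trusted[i]) == 0)
            return 1;
    return 0;
}

/* Resolve the address a rate limiter or blacklist should key on.
 * remote_addr is the TCP peer ($remote_addr); xff is the header value or
 * NULL.  A header arriving from an untrusted peer is ignored outright. */
const char *resolve_client_ip(const char *remote_addr, const char *xff,
                              const char *const *trusted, size_t ntrusted,
                              char *out, size_t outlen)
{
    if (xff == NULL || !is_trusted(remote_addr, trusted, ntrusted)) {
        snprintf(out, outlen, "%s", remote_addr);
        return out;
    }
    char hops[MAX_HOPS][ADDR_LEN];
    size_t n = split_xff(xff, hops, MAX_HOPS);
    /* right to left: the rightmost value was appended by the trusted peer,
       each earlier one by the proxy before it, the leftmost by the client */
    for (size_t i = n; i > 0; i--) {
        if (!is_trusted(hops[i - 1], trusted, ntrusted)) {
            snprintf(out, outlen, "%s", hops[i - 1]);
            return out;
        }
    }
    snprintf(out, outlen, "%s", remote_addr);   /* chain held only proxies */
    return out;
}

/* Constructed scenario with a CDN of two edge nodes; returns 1 when all
 * three cases resolve as intended, 0 otherwise. */
int xff_demo_ok(void)
{
    static const char *const cdn[] = { "203.0.113.10", "203.0.113.11" };
    size_t ncdn = sizeof cdn / sizeof cdn[0];
    char buf[ADDR_LEN];

    /* normal path: client -> edge .11 -> edge .10 -> nginx */
    resolve_client_ip("203.0.113.10", "198.51.100.23, 203.0.113.11", cdn, ncdn, buf, sizeof buf);
    if (strcmp(buf, "198.51.100.23") != 0) return 0;

    /* client prepends a fake hop: the rightmost untrusted value still wins */
    resolve_client_ip("203.0.113.10", "10.0.0.1, 198.51.100.23, 203.0.113.11", cdn, ncdn, buf, sizeof buf);
    if (strcmp(buf, "198.51.100.23") != 0) return 0;

    /* direct hit that bypasses the CDN: header ignored, peer address used */
    resolve_client_ip("192.0.2.77", "198.51.100.23", cdn, ncdn, buf, sizeof buf);
    if (strcmp(buf, "192.0.2.77") != 0) return 0;

    return 1;
}

int main(void)
{
    printf("all X-Forwarded-For cases resolved as intended: %d\n", xff_demo_ok());
    return 0;
}
```

In nginx itself this right-to-left walk is what ngx_http_realip_module does (`set_real_ip_from` for the trusted nodes, `real_ip_header X-Forwarded-For`, `real_ip_recursive on`); several of the configure lines in the issues above already build with `--with-http_realip_module`, and because it rewrites the connection address before later phases run, a module keyed on the peer address then sees the client rather than the CDN node.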

alpine build error

In file included from ../../module/ngx_waf/src/ngx_http_waf_module_core.c:1:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_core.h:17:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_check.h:15:
../../module/ngx_waf/inc/ngx_http_waf_module_util.h:191:27: error: no member named '__in6_u' in 'struct in6_addr'
    memcpy(prefix, &addr6.__in6_u.__u6_addr8, 16);
                    ~~~~~ ^
In file included from ../../module/ngx_waf/src/ngx_http_waf_module_core.c:1:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_core.h:17:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_check.h:17:
../../module/ngx_waf/inc/ngx_http_waf_module_ip_trie.h:173:42: error: no member named '__in6_u' in 'struct in6_addr'
            if (CHECK_BIT(inx_addr->ipv6.__in6_u.__u6_addr8[uint8_index], 7 - (bit_index % 8)) != TRUE) {
                          ~~~~~~~~~~~~~~ ^
../../module/ngx_waf/inc/ngx_http_waf_module_macro.h:295:51: note: expanded from macro 'CHECK_BIT'
#define CHECK_BIT(origin, bit_index) (CHECK_FLAG((origin), 1 << (bit_index)))
                                                  ^~~~~~
../../module/ngx_waf/inc/ngx_http_waf_module_macro.h:284:37: note: expanded from macro 'CHECK_FLAG'
#define CHECK_FLAG(origin, flag) (((origin) & (flag)) != 0 ? TRUE : FALSE)
                                    ^~~~~~
In file included from ../../module/ngx_waf/src/ngx_http_waf_module_core.c:1:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_core.h:17:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_check.h:17:
../../module/ngx_waf/inc/ngx_http_waf_module_ip_trie.h:194:38: error: no member named '__in6_u' in 'struct in6_addr'
        if (CHECK_BIT(inx_addr->ipv6.__in6_u.__u6_addr8[uint8_index], 7 - (bit_index % 8)) != TRUE) {
                      ~~~~~~~~~~~~~~ ^
../../module/ngx_waf/inc/ngx_http_waf_module_macro.h:295:51: note: expanded from macro 'CHECK_BIT'
#define CHECK_BIT(origin, bit_index) (CHECK_FLAG((origin), 1 << (bit_index)))
                                                  ^~~~~~
../../module/ngx_waf/inc/ngx_http_waf_module_macro.h:284:37: note: expanded from macro 'CHECK_FLAG'
#define CHECK_FLAG(origin, flag) (((origin) & (flag)) != 0 ? TRUE : FALSE)
                                    ^~~~~~
In file included from ../../module/ngx_waf/src/ngx_http_waf_module_core.c:1:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_core.h:17:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_check.h:17:
../../module/ngx_waf/inc/ngx_http_waf_module_ip_trie.h:235:42: error: no member named '__in6_u' in 'struct in6_addr'
            if (CHECK_BIT(inx_addr->ipv6.__in6_u.__u6_addr8[uint8_index], 7 - (bit_index % 8)) != TRUE) {
                          ~~~~~~~~~~~~~~ ^
../../module/ngx_waf/inc/ngx_http_waf_module_macro.h:295:51: note: expanded from macro 'CHECK_BIT'
#define CHECK_BIT(origin, bit_index) (CHECK_FLAG((origin), 1 << (bit_index)))
                                                  ^~~~~~
../../module/ngx_waf/inc/ngx_http_waf_module_macro.h:284:37: note: expanded from macro 'CHECK_FLAG'
#define CHECK_FLAG(origin, flag) (((origin) & (flag)) != 0 ? TRUE : FALSE)
                                    ^~~~~~
In file included from ../../module/ngx_waf/src/ngx_http_waf_module_core.c:1:
In file included from ../../module/ngx_waf/inc/ngx_http_waf_module_core.h:18:
../../module/ngx_waf/inc/ngx_http_waf_module_config.h:522:34: error: no member named '__in6_u' in 'struct in6_addr'
            memcpy(inx_addr.ipv6.__in6_u.__u6_addr8, ipv6.prefix, 16);
                   ~~~~~~~~~~~~~ ^

Prebuilt module versions

@ADD-SP Hi 👋, I saw users reporting that the compile/build fails, so I made a simple prebuilt version based on the official container environment and build parameters (currently only ubuntu/alpine).

Later, the binary module from the scratch image could perhaps be added to the project's releases, along with prebuilt files for more versions and support for more systems/platforms.

https://github.com/nginx-with-docker/ngx_http_waf_module

I hope this helps the project.

Build error on Amazon Linux 2

Environment: Amazon Linux 2 + gcc 7.3.1
Versions: nginx 1.20.1 + ngx_waf 6.1.5

The configure arguments are as follows

    ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=ngx_waf-6.1.5 --with-compat '--with-cc-opt=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -std=gnu99 ' '--with-ld-opt=-Wl,-z,relro -Wl,-z,now ' --with-debug

The error output is as follows

    make modules
    make -f objs/Makefile modules
    make[1]: Entering directory `/home/ec2-user/rpmbuild/BUILD/nginx-module-waf-1.20.1'
    [N characters omitted here]
    ngx_waf-6.1.5/src/ngx_http_waf_module_vm.c
    cc -c -fPIC -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -std=gnu99 -I src/core -I src/event -I src/event/modules -I src/os/unix -I ngx_waf-6.1.5/inc -I ngx_waf-6.1.5/inc/libinjection/src -I objs -I src/http -I src/http/modules -I src/http/v2 -I src/mail -I src/stream \
        -o objs/addon/src/ngx_http_waf_module_lexer.o \
        ngx_waf-6.1.5/src/ngx_http_waf_module_lexer.c
    src/ngx_http_waf_module_lexer.c: In function 'ngx_http_waf_lex':
    src/ngx_http_waf_module_lexer.c:933:23: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
    src/ngx_http_waf_module_lexer.c: In function 'ngx_http_waf__scan_bytes':
    src/ngx_http_waf_module_lexer.c:1986:17: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare]
    cc1: all warnings being treated as errors
    make[1]: *** [objs/addon/src/ngx_http_waf_module_lexer.o] Error 1
    make[1]: Leaving directory `/home/ec2-user/rpmbuild/BUILD/nginx-module-waf-1.20.1'
    make: *** [modules] Error 2
    error: Bad exit status from /var/tmp/rpm-tmp.0OwOq2 (%build)

RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.0OwOq2 (%build)

Many attacks are bypassed and whitelist/blacklist IP

Hi,

We have tested with some tools to check the WAF, like Nikto scan tools and OWASP, to check the ability to block and bypass, but still get bypassed quite a lot even though waf_mode=FULL.


Can you update these rules, or can we customize the rules in the path /usr/local/src/ngx_waf/assets/rules? It would be nice if this module could integrate with 3rd-party apps like ModSecurity, which we are currently using.

In addition, we don't really understand the IP whitelist and IP blacklist features. When adding an IP to the blacklist, this IP can still request the URLs and URIs of the website.

Looking forward to hearing from you soon

Thanks !

With v5.1.0, the site shows MIME type mismatch problems


Specifically, most of the site's images and some stylesheets return 403, and the browser devtools (F12) show the MIME type is 'text/html' for all of them.
Switching back to v5.0.0, everything works normally.

nginx -V

nginx version: nginx/1.19.10
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --with-openssl=/build/nginx/../openssl --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_geoip_module=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-module=/build/nginx/sb-modules/ngx_brotli --add-dynamic-module=/build/nginx/debian/modules/http-headers-more-filter --add-dynamic-module=/build/nginx/debian/modules/http-auth-pam --add-dynamic-module=/build/nginx/debian/modules/http-cache-purge --add-dynamic-module=/build/nginx/debian/modules/http-dav-ext --add-dynamic-module=/build/nginx/debian/modules/http-ndk --add-dynamic-module=/build/nginx/debian/modules/http-echo --add-dynamic-module=/build/nginx/debian/modules/http-fancyindex 
--add-dynamic-module=/build/nginx/debian/modules/http-geoip2 --add-dynamic-module=/build/nginx/sb-modules/ngx_http_ipdb_module --add-dynamic-module=/build/nginx/debian/modules/nchan --add-dynamic-module=/build/nginx/debian/modules/http-lua --add-dynamic-module=/build/nginx/debian/modules/rtmp --add-dynamic-module=/build/nginx/debian/modules/http-uploadprogress --add-dynamic-module=/build/nginx/debian/modules/http-upstream-fair --add-dynamic-module=/build/nginx/debian/modules/http-subs-filter

The configuration used is as follows

    waf on;
    waf_rule_path /etc/nginx/ngx_waf/rules/;
    waf_mode DYNAMIC;
    waf_cc_deny  rate=10r/m duration=2h size=50m;
    waf_cache capacity=100;
    waf_priority "W-IP IP W-URL URL CC ARGS UA W-REFERER REFERER COOKIE";

Custom whitelist

(?i)(?:wp-json)
(?i)(?:wp-content)
(?i)(?:wp-includes)
(?i)(?:wp-admin)

error_log is as follows

2021/04/23 03:44:45 [alert] 3109#3109: *132 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2021/04/2021-04-01_21-47.png HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"
2021/04/23 03:44:45 [alert] 3109#3109: *133 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2021/01/geert-pieters-8QrPJ3Kfie4-unsplash.jpg HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"
2021/04/23 03:44:45 [alert] 3109#3109: *134 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2021/02/2021020310294363.png HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"
2021/04/23 03:44:45 [alert] 3109#3109: *135 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2021/03/109951165277053473.jpg HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"
2021/04/23 03:44:45 [alert] 3109#3109: *136 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2021/01/2021010711333445.jpg HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"
2021/04/23 03:44:46 [alert] 3109#3109: *137 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2021/01/2021011712080980.jpeg HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"
2021/04/23 03:44:46 [alert] 3109#3109: *138 ngx_waf: [WHITE-URL][(?i)(?:wp-content)], client: 173.82.212.xx, server: blog.hibobmaster.com, request: "GET /wp-content/uploads/2020/12/caelm.png HTTP/1.1", host: "blog.hibobmaster.com", referrer: "https://blog.hibobmaster.com/"

Error when install modsec and libmaxmind

We got this error when compiling, running this command:

    cd /usr/local/src \
    && wget https://github.com/maxmind/libmaxminddb/releases/download/1.6.0/libmaxminddb-1.6.0.tar.gz -O libmaxminddb.tar.gz \
    && mkdir libmaxminddb \
    && tar -zxf "libmaxminddb.tar.gz" -C libmaxminddb --strip-components=1 \
    && cd libmaxminddb \
    && ./configure --prefix=/usr/local/libmaxminddb \
    && make -j $(nproc) \
    && make install \
    && cd /usr/local/src \
    && git clone -b v3.0.5 https://github.com/SpiderLabs/ModSecurity.git \
    && cd ModSecurity \
    && chmod +x build.sh \
    && ./build.sh \
    && git submodule init \
    && git submodule update \
    && ./configure --prefix=/usr/local/modsecurity --with-maxmind=/usr/local/libmaxminddb \
    && make -j $(nproc) \
    && make install \
    && export LIB_MODSECURITY=/usr/local/modsecurity \
    && cd /usr/local/src/nginx

Error:

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

git checkout -b new_branch_name

libtoolize: putting auxiliary files in `.'.
libtoolize: copying file `./ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `build'.
libtoolize: copying file `build/libtool.m4'
libtoolize: copying file `build/ltoptions.m4'
libtoolize: copying file `build/ltsugar.m4'
libtoolize: copying file `build/ltversion.m4'
libtoolize: copying file `build/lt~obsolete.m4'
This Perl not built to support threads
Compilation failed in require at /usr/share/automake-1.13/Automake/ChannelDefs.pm line 23.
BEGIN failed--compilation aborted at /usr/share/automake-1.13/Automake/ChannelDefs.pm line 26.
Compilation failed in require at /usr/share/automake-1.13/Automake/Configure_ac.pm line 27.
BEGIN failed--compilation aborted at /usr/share/automake-1.13/Automake/Configure_ac.pm line 27.
Compilation failed in require at /usr/bin/aclocal line 39.
BEGIN failed--compilation aborted at /usr/bin/aclocal line 39.
autoreconf: aclocal failed with exit status: 255
This Perl not built to support threads
Compilation failed in require at /usr/bin/automake line 138.
BEGIN failed--compilation aborted at /usr/bin/automake line 143.
configure.ac:45: error: possibly undefined macro: AM_INIT_AUTOMAKE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:50: error: possibly undefined macro: AM_PROG_AR
configure.ac:86: error: possibly undefined macro: AM_CONDITIONAL
configure.ac:361: error: possibly undefined macro: AC_CONFIG_FILES
configure.ac:371: error: possibly undefined macro: AM_COND_IF
Submodule 'bindings/python' (https://github.com/SpiderLabs/ModSecurity-Python-bindings.git) registered for path 'bindings/python'
Submodule 'others/libinjection' (https://github.com/libinjection/libinjection.git) registered for path 'others/libinjection'
Submodule 'test/test-cases/secrules-language-tests' (https://github.com/SpiderLabs/secrules-language-tests) registered for path 'test/test-cases/secrules-language-tests'
Cloning into 'bindings/python'...
remote: Enumerating objects: 41, done.
remote: Total 41 (delta 0), reused 0 (delta 0), pack-reused 41
Unpacking objects: 100% (41/41), done.
Submodule path 'bindings/python': checked out 'bc625d5bb0bac6a64bcce8dc9902208612399348'
Cloning into 'others/libinjection'...
remote: Enumerating objects: 10002, done.
remote: Counting objects: 100% (10002/10002), done.
remote: Compressing objects: 100% (2959/2959), done.
remote: Total 10002 (delta 7040), reused 9971 (delta 7013), pack-reused 0
Receiving objects: 100% (10002/10002), 3.82 MiB | 2.44 MiB/s, done.
Resolving deltas: 100% (7040/7040), done.
Submodule path 'others/libinjection': checked out 'bfba51f5af8f1f6cf5d6c4bf862f1e2474e018e3'
Cloning into 'test/test-cases/secrules-language-tests'...
remote: Enumerating objects: 267, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 267 (delta 4), reused 19 (delta 4), pack-reused 248
Receiving objects: 100% (267/267), 103.92 KiB | 0 bytes/s, done.
Resolving deltas: 100% (142/142), done.
Submodule path 'test/test-cases/secrules-language-tests': checked out 'a3d4405e5a2c90488c387e589c5534974575e35b'
configure: WARNING: you should use --build, --host, --target
configure: WARNING: invalid host type:
configure: WARNING: unrecognized options: --with-maxmind
./configure: line 2128: syntax error near unexpected token `-Wall'
./configure: line 2128: `AM_INIT_AUTOMAKE(-Wall -Werror foreign subdir-objects)'

make: *** No rule to make target ` '. Stop.

Got error make: *** No rule to make target ` '. Stop. when compiling libmaxminddb

OS: CentOS 7.9.2009, 3.10.0-1160.42.2.el7.x86_64

config.status: creating src/libmaxminddb.pc
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating bin/Makefile
config.status: creating t/Makefile
config.status: creating config.h
config.status: creating include/maxminddb_config.h
config.status: executing libtool commands
config.status: executing depfiles commands
make: *** No rule to make target ` '.  Stop.

Add CAPTCHA verification to CC protection

Could CC protection consider adding a feature that redirects clients who access too frequently to a CAPTCHA: if the CAPTCHA passes they may access the site, otherwise they are locked for a period and keep being asked to complete the CAPTCHA. Most consumer-facing (toC) businesses probably need this, especially smaller ones that run into order-brushing (fake order) abuse.

Failure to compile in CentOS/RHEL 7

Error

checking for uthash library ... not found
./configure: error: the ngx_http_waf_module module requires the uthash library.

Please run:
    On Ubuntu or Debian: 
            apt-get update && apt-get install --yes uthash-dev
    On Alpine: 
            apk update && apk add uthash-dev
    On other OS:
            cd /usr/local/src \
        &&  git clone https://github.com/troydhanson/uthash.git \
        &&  export LIB_UTHASH=/usr/local/src/uthash \
        &&  cd /usr/local/src/nginx-1.18.0

Run the following commands

I ran the following commands when I first saw this error, but nothing changed; the error shows again.

    On other OS:
            cd /usr/local/src \
        &&  git clone https://github.com/troydhanson/uthash.git \
        &&  export LIB_UTHASH=/usr/local/src/uthash \
        &&  cd /usr/local/src/nginx-1.18.0

Does CC protection take a full minute to take effect?

CC defense parameters: a limit of 1000 requests per minute; after the limit is exceeded, the corresponding IP is blocked for 60 minutes.
waf_cc_deny rate=1000r/m duration=60m;
Can a limit of 100 requests per 10 seconds be configured?
Or 300 requests per 10 seconds?
A minute feels a bit long; what about 20 or 30 seconds? How would that be configured?

does not compile with -Werror -Wmissing-prototypes

fix

diff --git a/flex/lexer.lex b/flex/lexer.lex
index d8a8245..dafd9be 100644
--- a/flex/lexer.lex
+++ b/flex/lexer.lex
@@ -279,6 +279,6 @@ BREAK_LINE              (\r)?\n
 
 %%
 
-void ngx_http_waf_error(UT_array* array, ngx_pool_t* pool, const char* msg) {
+static void ngx_http_waf_error(UT_array* array, ngx_pool_t* pool, const char* msg) {
     printf("error: %s in line %d\n", msg, yylineno);
 }
\ No newline at end of file
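Review bot: Making ngx_http_waf_error static satisfies -Wmissing-prototypes only if the generated lexer is its sole caller; please confirm that no other translation unit (for example the parser generated from the project's yacc grammar) references ngx_http_waf_error, because with internal linkage such a call becomes an undefined symbol at link time. If an external caller exists, the alternative fix is to declare the prototype in a shared header and keep external linkage. The `\ No newline at end of file` marker also shows flex/lexer.lex lacks a trailing newline; adding one in the same change would remove that diff noise.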

Error during log rotation

nginx version 1.20.1
ngx_waf version 6.1.5 (6.1.4 has a similar problem)

Using dmesg -T, I found that the ngx_http_waf module produces errors like the following

[Sat Oct 9 03:20:15 2021] nginx[3355]: segfault at 18 ip 00007fa9f6493659 sp 00007ffe2a3c0600 error 4 in ngx_http_waf_module.so[7fa9f6453000+6b000]

After enabling debug, part of the error.log is as follows

2021/10/09 03:22:01 [debug] 3355#3355: *345447 ngx_waf_debug: The module context has been obtained.
2021/10/09 03:22:01 [debug] 3355#3355: *345447 ngx_waf_debug: The configuration of the module has been obtained.
2021/10/09 03:22:01 [notice] 25988#25988: signal 17 (SIGCHLD) received from 3355
2021/10/09 03:22:01 [alert] 25988#25988: worker process 3355 exited on signal 11
2021/10/09 03:22:01 [notice] 25988#25988: start worker process 4887
2021/10/09 03:22:01 [notice] 25988#25988: signal 29 (SIGIO) received
2021/10/09 03:22:01 [notice] 4887#4887: sched_setaffinity(): using cpu #2
2021/10/09 03:22:01 [debug] 4887#4887: *346468 ngx_waf_debug: The scheduler has been started.
2021/10/09 03:22:01 [debug] 4887#4887: *346468 ngx_waf_debug: The module context has been obtained.
2021/10/09 03:22:01 [debug] 4887#4887: *346468 ngx_waf_debug: The configuration of the module has been obtained.

This problem roughly coincides with logrotate, and occasionally triggers at other times; running logrotate -f /etc/logrotate.d/nginx manually does not reproduce it. Could someone please help analyze it?

openresty support (build failure)

Environment

  • centos8
  • openresty(nginx version: openresty/1.19.3.2)

Error message


./configure: error: the ngx_http_waf_module module requires the following command to be run to generate the necessary files.

    cd /app/plugins/ngx_waf && flex flex/lexer.lex && cd /app/plugins/openresty-1.19.3.2/build/nginx-1.19.3

ERROR: failed to run command: sh ./configure --prefix=/usr/local/openresty/nginx \...

Build command

    ./configure --prefix=/usr/local/openresty \
    --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' \
    --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' \
    --with-cc='ccache gcc -fdiagnostics-color=always' \
    --with-pcre-jit \
    --with-stream \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-http_v2_module \
    --without-mail_pop3_module \
    --without-mail_imap_module \
    --without-mail_smtp_module \
    --with-http_stub_status_module \
    --with-http_realip_module \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_secure_link_module \
    --with-http_random_index_module \
    --with-http_gzip_static_module \
    --with-http_sub_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_mp4_module \
    --with-http_gunzip_module \
    --with-threads \
    --with-compat \
    --with-stream \
    --with-http_ssl_module \
    --add-dynamic-module=path/ngx_waf

Does the IP blacklist not support 0.0.0.0/0?

The version is the latest ngx_waf v7.0.0 Current, with Nginx 1.20.1, using the precompiled dynamic module (sh assets/download.sh 1.20.1 current).

After configuring Nginx in a test environment, I put 0.0.0.0/0 in ipv4 and the local machine's IP, e.g. 192.168.1.100, in white-ipv4. The actual result is that the blacklist does not take effect: machines with other IPs can all reach the site.

After adding a specific IP such as 192.168.1.101 to the blacklist, the site cannot be accessed from the 192.168.1.101 machine, which proves the blacklist is in effect.

What I really want to know is whether a pure whitelist mode is supported.

Evaluate use of system uthash

Even quite conservative distros like CentOS 6, 7 and 8, all have uthash 2.0.2 available.

As I have checked, the module compiles just fine if I replace the include everywhere with <uthash.h>.

Would there be a problem to use this uthash version?

This would simplify the instructions to simply installing the uthash-devel package on RedHat-based distros and uthash-dev on Debian-based distros.

And the resulting module file would use the system library, which (potentially) receives security updates, with lower memory use if something else besides this module uses the library.

waf_cc_deny and waf_cache capacity errors

How should the following rules be configured?
waf on;
waf_rule_path /usr/local/nginx/conf/rules/;
waf_mode FULL;
waf_cc_deny rate=1000r/m;
waf_cache capacity=50;
Running nginx -t shows the following errors
nginx: [emerg] unknown directive "waf_cc_deny" in /usr/local/nginx/conf/nginx.conf:95
nginx: [emerg] unknown directive " waf_cache capacity" in /usr/local/nginx/conf/nginx.conf:95

error pulling image configuration: received unexpected HTTP status: 500 Internal Server Error

Alibaba Cloud server in mainland China.

sh assets/download.sh 1.20.1 lts
checking for command ... yes
checking for libc implementation ... yes

  • GNU C libary
    Pulling remote image addsp/ngx_waf-prebuild:ngx-1.20.1-module-lts-glibc
    Trying to pull repository docker.io/addsp/ngx_waf-prebuild ...
    sha256:6d3374abfbdaf3706c2561bf3a4c42ea993bcec71ef30af38522f5305cc97d9d: Pulling from docker.io/addsp/ngx_waf-prebuild
    165ee3d256a7: Already exists
    a151590c9929: Already exists
    324ac1b47ffd: Already exists
    error pulling image configuration: received unexpected HTTP status: 500 Internal Server Error
