Nginx: bugfixes and minor improvements (#1987)

2026-06-08 16:34:18 -04:00 · 2020-12-16 20:17:04 +01:00 · 2020-12-16 20:17:04 +01:00 · 3e8dedaedc
commit 3e8dedaedc
parent c63c860560
8 changed files with 50 additions and 22 deletions
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@ -1,5 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.19
+PLUGIN_VERSION=		1.20
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	franz.fabian.94@gmail.com
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@ -8,6 +8,11 @@ reuse, SSL offload and HTTP media streaming.
 Plugin Changelog
 ================

+1.20
+
+* User interface improvements of NAXSI configuration (contributed by 8191)
+* Fixed missing certificate validation of upstreams (contributed by 8191)
+
 1.19

 * Add possibility to configure SNI proxying.
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
@ -15,6 +15,7 @@
        <id>custompolicy.value</id>
        <type>text</type>
        <label>Value</label>
+        <help>If the sum of scores of all matching rules exceed the configured value the policy's action will get triggered.</help>
    </field>
    <field>
        <id>custompolicy.operator</id>
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
@ -8,6 +8,7 @@
        <id>naxsi_rule.message</id>
        <label>Message</label>
        <type>text</type>
+        <help>A string describing the pattern. This is mostly used for analyzing and to have some human-understandable text.</help>
    </field>
    <field>
        <id>naxsi_rule.negate</id>
@ -19,6 +20,7 @@
        <id>naxsi_rule.identifier</id>
        <label>ID</label>
        <type>text</type>
+       <help>The unique numerical ID of the rule, that will be used in logs and in whitelists. IDs inferior to 1000 are reserved for Naxsi internal rules (protocol mismatch etc.)</help>
    </field>
    <field>
        <id>naxsi_rule.ruletype</id>
@ -29,6 +31,7 @@
        <id>naxsi_rule.regex</id>
        <label>Use Regular Expressions</label>
        <type>checkbox</type>
+       <help>If enabled, the match value, the URL, named parameters and headers are matched using regular expressions; otherwise only exact matches trigger the rule.</help>
    </field>
    <field>
        <id>naxsi_rule.match_value</id>
@ -43,68 +46,75 @@
    </field>
    <field>
        <id>naxsi_rule.args</id>
-        <label>Arguments</label>
+        <label>Search in any GET Argument</label>
        <type>checkbox</type>
+       <help>Search for matchs in a request's GET arguments.</help>
    </field>
    <field>
        <id>naxsi_rule.url</id>
-        <label>URL</label>
+        <label>Search in URL</label>
        <type>checkbox</type>
+        <help>Search for matchs in a request's URL (everything before ?).</help>
    </field>
    <field>
        <id>naxsi_rule.headers</id>
-        <label>Headers</label>
+        <label>Search in any HTTP Header</label>
        <type>checkbox</type>
+       <help>Search for matchs in a request's HTTP headers.</help>
    </field>
    <field>
        <id>naxsi_rule.body</id>
-        <label>Body</label>
+        <label>Search in any POST Argument and in Body</label>
        <type>checkbox</type>
+        <help>Search for matchs in a request's POST arguments and its raw (unparsed) body.</help>
    </field>
    <field>
        <id>naxsi_rule.name</id>
-        <label>Name</label>
+        <label>Match Name Instead of Value</label>
        <type>checkbox</type>
        <help>Check this box to match the variable name and not its content when matching any of the above checkboxes.</help>
    </field>
    <field>
        <id>naxsi_rule.file_extension</id>
-        <label>File Extension</label>
+        <label>Search in Filename</label>
        <type>checkbox</type>
+        <help>Search for matchs in a multipart POST request's filenames.</help>
    </field>
    <field>
        <id>naxsi_rule.raw_body</id>
-        <label>Raw Body</label>
+        <label>Search in Raw Body</label>
        <type>checkbox</type>
+        <help>Search for matchs in a request's raw unparsed body.</help>
    </field>
    <field>
        <id>naxsi_rule.dollar_url</id>
-        <label>URL or URL Pattern</label>
+        <label>Restrict to URL</label>
        <type>text</type>
-        <help>Enter the name of a parameter to match.</help>
+        <help>Restrict match to a specific URL (supports regular expressions if enabled for this rule).</help>
    </field>
    <field>
        <id>naxsi_rule.dollar_args_var</id>
-        <label>Named Argument</label>
+        <label>Search in specific GET Argument</label>
        <type>text</type>
-        <help>Enter the name of a parameter to match.</help>
+        <help>Enter the name of a GET parameter to restrict matches to (supports regular expressions if enabled for this rule).</help>
    </field>
    <field>
        <id>naxsi_rule.dollar_body_var</id>
-        <label>Named Body Variable</label>
+        <label>Search in specific POST Argument</label>
        <type>text</type>
-        <help>Enter the name of a variable in the HTTP body to match.</help>
+        <help>Enter the name of a POST parameter to restrict matches to (supports regular expressions if enabled for this rule).</help>
    </field>
    <field>
        <id>naxsi_rule.dollar_headers_var</id>
-        <label>Named Header</label>
+        <label>Search in specific HTTP Header</label>
        <type>text</type>
-        <help>Enter the name of an HTTP header to match.</help>
+        <help>Enter the name of a HTTP header to restrict matches to (supports regular expressions if enabled for this rule).</help>
    </field>
    <field>
        <id>naxsi_rule.score</id>
        <label>Score</label>
        <type>text</type>
+        <help>If the rule matches the counter of each policy containing the rule will increase. If a policy's counter exceeds the configured "value" (to be configured at the policy) the policy's action gets triggered.</help>
    </field>

 </form>
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@ -1,6 +1,6 @@
 <model>
  <mount>//OPNsense/Nginx</mount>
-  <version>1.19.0</version>
+  <version>1.20.0</version>
  <description>nginx web server, reverse proxy and waf</description>
  <items>
    <general>
@ -534,10 +534,6 @@
        <Required>Y</Required>
        <minValue>1000</minValue>
      </identifier>
-      <url type="TextField">
-        <Required>N</Required>
-        <pattern>/^[^"]+$/</pattern>
-      </url>
      <dollar_url type="TextField">
        <Required>N</Required>
        <pattern>/^[^"]+$/</pattern>
@ -590,6 +586,9 @@
      <headers type="BooleanField">
        <Required>Y</Required>
      </headers>
+      <body type="BooleanField">
+        <Required>Y</Required>
+      </body>
      <dollar_args_var type="TextField">
        <pattern>/^[^"]+$/</pattern>
      </dollar_args_var>
--- a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
+++ b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
@ -70,7 +70,7 @@ function parse_rules($data)
 {
    $parsed = [];
    $tmp = null;
-    $description = array('rule', 'match_type', 'match', 'message', 'match_zone', 'variable', 'value', 'id');
+    $description = array('rule', 'match_type', 'match', 'message', 'match_zone', 'variable', 'score', 'id');

    foreach ($data as $line) {
        $line = trim($line);
@ -113,9 +113,12 @@ function save_to_model($data)
            $rule_mdl->args = '0';
            $rule_mdl->headers = '0';
            $rule_mdl->name = '0';
+            $rule_mdl->body = '0';
+            $rule_mdl->url = '0';
            $rule_mdl->raw_body = '0';
            $rule_mdl->file_extension = '0';
            $rule_mdl->negate = '0';
+            $rule_mdl->score = $rule['score'];
            foreach ($rule['match_zone'] as $match_zone) {
                if (stripos($match_zone, ':') === false) {
                    switch ($match_zone) {
@ -128,6 +131,12 @@ function save_to_model($data)
                        case 'NAME':
                            $rule_mdl->name = '1';
                            break;
+                        case 'BODY':
+                            $rule_mdl->body = '1';
+                            break;
+                        case 'URL':
+                            $rule_mdl->url = '1';
+                            break;
                        case 'RAW_BODY':
                            $rule_mdl->raw_body = '1';
                            break;
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@ -193,6 +193,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {%     else %}
    proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
 {%     endif %}
+    proxy_ssl_verify {% if upstream.tls_verify == '1' %}on{% else %}off{% endif %};
 {%     if upstream.tls_verify_depth is defined and upstream.tls_verify_depth != '' %}
    proxy_ssl_verify_depth {{ upstream.tls_verify_depth }};
 {%     endif %}
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
@ -4,6 +4,9 @@
 {%   if mz_helper_rule.regex is defined and mz_helper_rule.regex == '1' %}
 {%     set rx_suffix = '_X' %}
 {%   endif %}
+{%   if mz_helper_rule.body == '1' %}
+{%     do mz_matches.append('BODY')  %}
+{%   endif %}
 {%   if mz_helper_rule.args == '1' %}
 {%     do mz_matches.append('ARGS')  %}
 {%   endif %}