From 3e8dedaedc66b59b66f060cb04b686c271d5f9ff Mon Sep 17 00:00:00 2001
From: Manuel <8191@users.noreply.github.com>
Date: Wed, 16 Dec 2020 20:17:04 +0100
Subject: [PATCH] Nginx: bugfixes and minor improvements (#1987)
---
www/nginx/Makefile | 2 +-
www/nginx/pkg-descr | 5 +++
.../Nginx/forms/naxsi_custom_policy.xml | 1 +
.../OPNsense/Nginx/forms/naxsi_rule.xml | 40 ++++++++++++-------
.../mvc/app/models/OPNsense/Nginx/Nginx.xml | 9 ++---
.../scripts/nginx/naxsi_rule_download.php | 11 ++++-
.../templates/OPNsense/Nginx/location.conf | 1 +
.../templates/OPNsense/Nginx/naxsirule.conf | 3 ++
8 files changed, 50 insertions(+), 22 deletions(-)
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index ae386bc6c..9300bbe93 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= nginx
-PLUGIN_VERSION= 1.19
+PLUGIN_VERSION= 1.20
PLUGIN_COMMENT= Nginx HTTP server and reverse proxy
PLUGIN_DEPENDS= nginx
PLUGIN_MAINTAINER= franz.fabian.94@gmail.com
diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
index 71fe052e5..7940a9828 100644
--- a/www/nginx/pkg-descr
+++ b/www/nginx/pkg-descr
@@ -8,6 +8,11 @@ reuse, SSL offload and HTTP media streaming.
Plugin Changelog
================
+1.20
+
+* User interface improvements of NAXSI configuration (contributed by 8191)
+* Fixed missing certificate validation of upstreams (contributed by 8191)
+
1.19
* Add possibility to configure SNI proxying.
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
index 26f6fe026..af72115bc 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_custom_policy.xml
@@ -15,6 +15,7 @@
custompolicy.valuetext
+ If the sum of scores of all matching rules exceed the configured value the policy's action will get triggered.custompolicy.operator
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
index cdaec08a4..6a8232fc0 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/naxsi_rule.xml
@@ -8,6 +8,7 @@
naxsi_rule.messagetext
+ A string describing the pattern. This is mostly used for analyzing and to have some human-understandable text.naxsi_rule.negate
@@ -19,6 +20,7 @@
naxsi_rule.identifiertext
+ The unique numerical ID of the rule, that will be used in logs and in whitelists. IDs inferior to 1000 are reserved for Naxsi internal rules (protocol mismatch etc.)naxsi_rule.ruletype
@@ -29,6 +31,7 @@
naxsi_rule.regexcheckbox
+ If enabled, the match value, the URL, named parameters and headers are matched using regular expressions; otherwise only exact matches trigger the rule.naxsi_rule.match_value
@@ -43,68 +46,75 @@
naxsi_rule.args
-
+
checkbox
+ Search for matchs in a request's GET arguments.naxsi_rule.url
-
+
checkbox
+ Search for matchs in a request's URL (everything before ?).naxsi_rule.headers
-
+
checkbox
+ Search for matchs in a request's HTTP headers.naxsi_rule.body
-
+
checkbox
+ Search for matchs in a request's POST arguments and its raw (unparsed) body.naxsi_rule.name
-
+
checkboxCheck this box to match the variable name and not its content when matching any of the above checkboxes.naxsi_rule.file_extension
-
+
checkbox
+ Search for matchs in a multipart POST request's filenames.naxsi_rule.raw_body
-
+
checkbox
+ Search for matchs in a request's raw unparsed body.naxsi_rule.dollar_url
-
+
text
- Enter the name of a parameter to match.
+ Restrict match to a specific URL (supports regular expressions if enabled for this rule).naxsi_rule.dollar_args_var
-
+
text
- Enter the name of a parameter to match.
+ Enter the name of a GET parameter to restrict matches to (supports regular expressions if enabled for this rule).naxsi_rule.dollar_body_var
-
+
text
- Enter the name of a variable in the HTTP body to match.
+ Enter the name of a POST parameter to restrict matches to (supports regular expressions if enabled for this rule).naxsi_rule.dollar_headers_var
-
+
text
- Enter the name of an HTTP header to match.
+ Enter the name of a HTTP header to restrict matches to (supports regular expressions if enabled for this rule).naxsi_rule.scoretext
+ If the rule matches the counter of each policy containing the rule will increase. If a policy's counter exceeds the configured "value" (to be configured at the policy) the policy's action gets triggered.
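Review bot: The help text added for the args, url, headers, body, file_extension and raw_body fields spells "matchs" where "matches" is meant (six occurrences in this hunk, e.g. `Search for matches in a request's GET arguments.`), and the dollar_headers_var text reads "a HTTP header" where "an HTTP header" is conventional. These strings are shown verbatim to the user in the form, so they are worth fixing before release. The identifier hunk above in the same file describes "IDs inferior to 1000"; "IDs below 1000" reads more naturally.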
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index f81fbcdcf..7744d01ff 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
//OPNsense/Nginx
- 1.19.0
+ 1.20.0nginx web server, reverse proxy and waf
@@ -534,10 +534,6 @@
Y1000
-
- N
- /^[^"]+$/
- N/^[^"]+$/
@@ -590,6 +586,9 @@
Y
+
+ Y
+
/^[^"]+$/
diff --git a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
index 4840150f3..3eca0a62e 100755
--- a/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
+++ b/www/nginx/src/opnsense/scripts/nginx/naxsi_rule_download.php
@@ -70,7 +70,7 @@ function parse_rules($data)
{
$parsed = [];
$tmp = null;
- $description = array('rule', 'match_type', 'match', 'message', 'match_zone', 'variable', 'value', 'id');
+ $description = array('rule', 'match_type', 'match', 'message', 'match_zone', 'variable', 'score', 'id');
foreach ($data as $line) {
$line = trim($line);
@@ -113,9 +113,12 @@ function save_to_model($data)
$rule_mdl->args = '0';
$rule_mdl->headers = '0';
$rule_mdl->name = '0';
+ $rule_mdl->body = '0';
+ $rule_mdl->url = '0';
$rule_mdl->raw_body = '0';
$rule_mdl->file_extension = '0';
$rule_mdl->negate = '0';
+ $rule_mdl->score = $rule['score'];
foreach ($rule['match_zone'] as $match_zone) {
if (stripos($match_zone, ':') === false) {
switch ($match_zone) {
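Review bot: `$rule_mdl->score = $rule['score'];` is the only assignment in save_to_model that reads a key straight from the parsed rule with no fallback, so a downloaded rule whose line carries no score section produces an undefined-index notice and stores a null in the model. Every other field above it is initialised to a literal default; `$rule_mdl->score = $rule['score'] ?? '';` keeps the import robust for such rules. Since the rule file is fetched from a remote source, the model's validation of the score field is what ultimately bounds the stored value, so it is worth confirming that validation is as strict as the rest of the naxsi_rule fields. save_to_model starts before this hunk and continues after it.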
@@ -128,6 +131,12 @@ function save_to_model($data)
case 'NAME':
$rule_mdl->name = '1';
break;
+ case 'BODY':
+ $rule_mdl->body = '1';
+ break;
+ case 'URL':
+ $rule_mdl->url = '1';
+ break;
case 'RAW_BODY':
$rule_mdl->raw_body = '1';
break;
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index b4482c537..006a1b30d 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -193,6 +193,7 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
{% else %}
proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
{% endif %}
+ proxy_ssl_verify {% if upstream.tls_verify == '1' %}on{% else %}off{% endif %};
{% if upstream.tls_verify_depth is defined and upstream.tls_verify_depth != '' %}
proxy_ssl_verify_depth {{ upstream.tls_verify_depth }};
{% endif %}
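Review bot: `proxy_ssl_verify` is rendered from `upstream.tls_verify == '1'` without the `is defined` guard that the `tls_verify_depth` check on the next line uses, so an upstream record without that key renders `off`; that is the compatible choice for existing configurations, but it leaves the default fail-open and verification only active for upstreams that explicitly enable it, and if the template environment ran with a strict undefined mode the bare comparison would raise instead, which I cannot tell from this hunk. With verification on, nginx checks the certificate against `proxy_ssl_name`, which defaults to the proxy_pass host, so an upstream addressed by IP address will fail verification unless `proxy_ssl_name` is set; whether the template sets it is outside this hunk. The enclosing location block starts and ends outside the hunk.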
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
index 709283813..a3410bc3d 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/naxsirule.conf
@@ -4,6 +4,9 @@
{% if mz_helper_rule.regex is defined and mz_helper_rule.regex == '1' %}
{% set rx_suffix = '_X' %}
{% endif %}
+{% if mz_helper_rule.body == '1' %}
+{% do mz_matches.append('BODY') %}
+{% endif %}
{% if mz_helper_rule.args == '1' %}
{% do mz_matches.append('ARGS') %}
{% endif %}