 _   _                _ 
| \ | | __ ___  _____(_)
|  \| |/ _` \ \/ / __| |
| |\  | (_| |>  <\__ \ |
|_| \_|\__,_/_/\_\___/_|
v0.1 alpha
[[[!!! PLEASE REFER TO THE WIKI INSTEAD !!!]]]
Yes, this README is for v0.1 alpha; the current version is 0.46-1.
|--{ Introduction }------------------------------------------------------------|
NAXSI is a module for nginx, the famous web server / reverse proxy.
Its goal is to help people secure their web applications against attacks
such as SQL injection, cross-site scripting, cross-site request forgery,
local & remote file inclusion, and so on.
The difference with most WAFs (Web Application Firewalls) out there is that
it does not rely on signatures to detect attacks. It uses a simpler model:
instead of trying to detect "known" attacks, it detects unexpected
characters in the HTTP request/arguments. Each kind of unusual character
increases the score of the request. If the request reaches a score that is
considered "too high", the request is denied, and the user is redirected
to a "forbidden" page. Yes, it works a bit like a spam filter.
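To illustrate the scoring model, here is a minimal Python sketch (an
illustration only, not NAXSI's actual C implementation; the rule set and
thresholds below are made up for the example):

```python
import re

# Hypothetical mini rule set: (pattern, score name, score increment)
RULES = [
    (re.compile(r"<|>"), "XSS", 8),   # html tag characters
    (re.compile(r"/\*"), "SQL", 8),   # mysql comment
]
BLOCK_THRESHOLDS = {"XSS": 8, "SQL": 8}

def score_request(args: str) -> dict:
    """Accumulate scores for every rule that matches the request args."""
    scores = {}
    for pattern, name, inc in RULES:
        if pattern.search(args):
            scores[name] = scores.get(name, 0) + inc
    return scores

def is_blocked(scores: dict) -> bool:
    """Deny the request when any score reaches its threshold."""
    return any(scores.get(name, 0) >= limit
               for name, limit in BLOCK_THRESHOLDS.items())
```

A request like "q=<script>" would reach the XSS threshold and be denied,
while a plain "q=hello" passes untouched.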
|--{ Why is it different ? }--------------------------------------------------|
NAXSI is different because it works in learning mode (read: whitelist).
Set the module to learning mode, browse your site, and it will generate the
necessary whitelists to avoid false positives !
NAXSI doesn't rely on signatures, so it should be capable of defeating
complex/unknown/obfuscated attack patterns.
|--{ How does it work }------------------------------------------------------|
NAXSI relies on two separate configuration parts :
* Core Rules : located at the HTTP server configuration level.
* WhiteLists & Specific Rules : located at the HTTP location
  configuration level.
The first part is what we call 'core rules'.
It's a set of rules containing all the characters or regular expressions
that will increase the score of a request, for example :
MainRule "rx:<|>" "msg:html tag ?" "mz:ARGS|URL|BODY" "s:$XSS:8" id:1302;
This rule will match both the < and > characters (rx:<|>), and will increase
the score associated with the XSS threat (s:$XSS:8). The pattern is matched
against various zones of the request : ARGS (GET arguments),
URL (the full URI), and BODY (POST arguments). Each rule is associated with a
unique ID (here, 1302), which is used for whitelisting.
There are not many core rules (34 at the time of writing), and this set
should normally not evolve.
On the other hand, we have a "local" configuration, which is to be defined
"per site" (as NAXSI's main goal is to work with nginx as a reverse proxy),
and which defines "how strict" the security policy of the site will be, as
well as adding exceptions (whitelists) according to the site's specificities :
-----------------------------------8<-------------------------------------------
# Define to which "location" the user will be redirected when a request is
# denied.
DeniedUrl "/RequestDenied";
# Whitelist '|', as it's used on the /report/ page, in argument 'd'
BasicRule wl:1005 "mz:$URL:/report/|$ARGS_VAR:d";
# Whitelist ',' on the URL zone, as it's massively used for URL rewriting !
BasicRule wl:1008 "mz:URL";
# Check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
-----------------------------------8<-------------------------------------------
Let's look at this configuration again to clarify things :
* 'BasicRule' : this directive is used here to whitelist some rules.
As you can see (and expect !), you can be more or less lax.
For example, there is a directive (BasicRule wl:1008 ...) that totally
disables the checking of rule 1008 against the URL. This rule normally
matches the ',' character.
On the other hand, you can write extremely precise rules, like this one :
BasicRule wl:1005 "mz:$URL:/report/|$ARGS_VAR:d";
In this last example, we are whitelisting a rule, but only on one specific
argument of one specific webpage (the argument named 'd' of the page
'/report/').
As stated earlier, the "local" configuration is also used to decide how
"strict" a site (or one part of a site) will be, that is, what the maximum
tolerated page score is before a request is denied :
CheckRule "$SQL >= 8" BLOCK;
This directive tells NAXSI that every request with an 'SQL' score greater
than or equal to 8 will be denied.
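To illustrate, here is a minimal Python sketch of how such a whitelist
match-zone string could be interpreted (an assumption for illustration,
not NAXSI's actual parser):

```python
def whitelist_applies(wl_mz: str, url: str, zone: str, var_name: str) -> bool:
    """Check whether a whitelist match-zone like
    '$URL:/report/|$ARGS_VAR:d' covers a given rule match."""
    want_url = want_var = want_zone = None
    for part in wl_mz.split("|"):
        if part.startswith("$URL:"):
            want_url = part[len("$URL:"):]
        elif part.startswith("$ARGS_VAR:"):
            want_zone, want_var = "ARGS", part[len("$ARGS_VAR:"):]
        else:
            want_zone = part  # plain zone keyword: ARGS, URL, BODY, HEADERS
    if want_url is not None and url != want_url:
        return False
    if want_zone is not None and zone != want_zone:
        return False
    if want_var is not None and var_name != want_var:
        return False
    return True
```

With "$URL:/report/|$ARGS_VAR:d", a match on argument 'd' of '/report/'
is whitelisted, while the same character on any other page is not.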
|--{ Denied requests and whitelist generation }------------------------------|
When a user's request is denied, it will be (internally) redirected to the
page defined in the configuration :
DeniedUrl "/RequestDenied";
This page receives detailed information on the rules that matched
(it's logged in the log files too), as well as both the request and the user
context, without giving any information to the user (thanks to nginx's
internal redirects). In practice, the page at /RequestDenied is called with
arguments, like :
server=xxxx&uri=/vulnerable.php&ip=127.0.0.1&zone0=ARGS&id0=1010&var_name0=foo1&zone1=ARGS&id1=1011&...
If you take a closer look at the URL above, you will see that the
following information is transmitted to the forbidden page :
- which rule matched on which argument, in which part of the request (ARGS,
  BODY, URL, HEADERS ...)
- the original URL and hostname
- the client IP address
This information is provided both for statistics generation and for
whitelist generation.
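As an illustration, such a query string can be split back into per-match
records with a few lines of Python (a sketch only; the field names are
taken from the example URL above):

```python
from urllib.parse import parse_qsl

def parse_naxsi_fmt(qs: str):
    """Turn a NAXSI query string into global fields plus a list of
    (zone, id, var_name) records, one per matched rule."""
    fields = dict(parse_qsl(qs, keep_blank_values=True))
    # Global fields are the ones without a trailing match index.
    meta = {k: v for k, v in fields.items() if not k[-1].isdigit()}
    matches = []
    i = 0
    while f"id{i}" in fields:
        matches.append({
            "zone": fields.get(f"zone{i}", ""),
            "id": fields[f"id{i}"],
            "var_name": fields.get(f"var_name{i}", ""),
        })
        i += 1
    return meta, matches
```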
Yes, this is actually a very important aspect of NAXSI : as it relies
heavily on whitelists for configuration, the easier whitelist generation
is, the easier the configuration is ! The point is that the DeniedUrl page
receives enough information to generate a set of whitelisting rules that
will allow the blocked request to pass in the future.
To make it clear : you can generate the whole NAXSI configuration just by
navigating the site, or even better, by using a clever crawler !
When you do a navigation session on the website you want to create rules
for, if you are in "LearningMode", some requests might be (and will be)
tagged as blocked. They should be blocked because, for example, the
developers (damn!) decided to massively use '|' for URL rewriting, and
NAXSI will dislike this.
So, as you are in learning mode (but the idea is the same when LearningMode
is disabled), NAXSI will log the fact that the request was blocked because
of the presence of multiple '|' characters in the URL. Then, with a simple
script (a Python script is provided), you can parse the log files and
generate the appropriate whitelist rules to allow legitimate (false
positive) requests.
The trickiest part when talking about NAXSI and its whitelists is sites
that allow a LOT of free-form user input : comments, registration forms and
the like. For these, either a careful navigation session submitting real
content is required (so that NAXSI triggers every plausible rule on each
kind of form field), or the use of a clever crawler.
In the worst case, a real navigation session will be required to generate
the appropriate whitelists.
|--{ Statistics, Reporting and so on ... }-----------------------------------|
This is a crucial part of any WAF, and it is not done yet !
The good news is that, thanks to the principle of calling an external page
that receives all the information about every denied request, it is fairly
simple to write your own <insert your favorite language here> webpage to
take care of statistics / reporting.
|--{ 3 .. 2 .. 1 .. practice ! }---------------------------------------------|
Ok, now let's put this into practice ! Let's say we want to create a
setup for a website. I won't cover the basics of setting up nginx as a
reverse proxy, but rather focus on NAXSI configuration. If you have a
"normal" web site, with no fancy URL rewriting or strange things, the
default configuration should do the job, but let's look at a website with
fancy rewriting and complex user forms.
To make things easier, we can 'fool' nginx and the OS into thinking that
nginx is already the reverse proxy for the website, so that we can set up
the configuration without any risk of impacting the production servers.
So here we go :
/etc/nginx/site-enabled/default:
-----------------------------------8<-------------------------------------------
server {
    proxy_set_header Proxy-Connection "";
    resolver X.Y.Z;
    listen *:80;
    access_log /tmp/nginx_access.log;
    error_log /tmp/nginx_error.log debug;
    location / {
        # specific site config
        LearningMode;
        SecRulesEnabled;
        DeniedUrl "/RequestDenied";
        ## check rules
        CheckRule "$SQL >= 8" BLOCK;
        CheckRule "$RFI >= 8" BLOCK;
        CheckRule "$TRAVERSAL >= 4" BLOCK;
        CheckRule "$XSS >= 8" BLOCK;
        # /specific site config
        proxy_pass http://xx.xx.xx.xx;
        proxy_set_header Host "www.xxx.com";
    }
    location /RequestDenied {
        proxy_pass http://127.0.0.1:4242/denied_page.php;
    }
}
-----------------------------------8<-------------------------------------------
Our configuration file is extremely similar to any nginx configuration,
except :
- We defined a NAXSI "per site" configuration. This is what determines how
  NAXSI will behave for this site.
- We defined a location used to serve forbidden requests. Here, I have an
  apache instance listening on lo:4242.
The NAXSI "per location" configuration simply defines :
- CheckRule : the maximum score for each kind of "threat".
- The "LearningMode" directive is here to make learning easier. By default,
  NAXSI stops processing a request as soon as it hits one of the 'BLOCK'
  scores. With this directive, it goes through every rule, making whitelist
  generation easier, and lets the request pass even if it is tagged as
  "BLOCKED".
- The 'SecRulesEnabled' directive tells NAXSI that it should be active for
  this location. This way, you can easily activate / deactivate it for
  location X or Y. (For example, you might not want a WAF on your
  back-office ?)
- DeniedUrl : tells NAXSI where to redirect the user when a request is
  blocked.
We also need to add this line to the http section of nginx.conf :
--------------------------------8<--------------------------------------
include /etc/nginx/sec-rules/core.rules;
--------------------------------8<--------------------------------------
The "core.rules" file is provided with NAXSI, and contains all the "patterns".
So, here we go ! Let's start.
We can now fool the OS into thinking that xxx.com is at 127.0.0.1 by
editing /etc/hosts. We are ready for configuration ! Fire up your favorite
browser at xxx.com and start browsing.
<roll roll>
As you should be in "LearningMode", NAXSI will allow all the requests, even
if they reach a blocking score. Besides letting them pass, it will also
"forward" each blocked request (like nginx's post_action directive) to your
DeniedUrl, along with the original blocked URL (in headers) and the details
of the block. This way, the web backend is able to generate the whitelists
and reload nginx 'on the fly' with the newly generated whitelist rules ;)
The 'web' part is not written yet (I suck at html), but you can already
proceed in a different way :
In nginx's log file (if the level is set to debug), you will see a lot of
lines like this one appear :
-----------------------------------8<-------------------------------------------
2011/07/11 17:12:27 [debug] 18653#0: *7 NAXSI_FMT: server=&uri=/skin/frontend/default/xxx/images/interface/fleche-grise.gif&ip=127.0.0.1&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1008&var_name1=cookie&zone2=HEADERS&id2=1009&var_name2=cookie&zone3=HEADERS&id3=1010&var_name3=cookie&zone4=HEADERS&id4=1011&var_name4=cookie&zone5=HEADERS&id5=1308&var_name5=cookie&zone6=HEADERS&id6=1309&var_name6=cookie&zone7=HEADERS&id7=1313&var_name7=cookie
-----------------------------------8<-------------------------------------------
So, once you think you've done a reasonably thorough crawl of your site,
you can launch the "rules generator" [destination rules file] [nginx's log
file] :
-----------------------------------8<-------------------------------------------
bui@zeroed:~$ ./rules_generator.py
RANGE for ID=1000,ZONE=URL, range=0-4
# for rule 1000, we have 4 elements in zone URL
#duplicate for id 1000, delete (4 elems)
RANGE for ID=1002,ZONE=URL, range=1-89
...
{'id': '1313', 'uri': '', 'var_name': 'cookie', 'zone': 'HEADERS'}]
-----------------------------------8<-------------------------------------------
The rules generator's default output file is /tmp/RT_naxsi.tmp, and looks
like :
-----------------------------------8<-------------------------------------------
bui@zeroed:/home/bui/secdev/nginx/web: cat /tmp/RT_naxsi.tmp | grep ^Basic
BasicRule wl:1000 "mz:$URL:/skin/frontend/default/lepape/images/titre_notre_selection2.gif|URL";
BasicRule wl:1002 "mz:URL";
BasicRule wl:1008 "mz:URL";
BasicRule wl:1005 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1008 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1009 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1010 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1011 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1308 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1309 "mz:$HEADERS_VAR:cookie";
BasicRule wl:1313 "mz:$HEADERS_VAR:cookie";
-----------------------------------8<-------------------------------------------
What just happened here ? The rules generator parsed the nginx log file,
extracted all the "denied" requests, and generated (and then factorized)
whitelist rules from your session ! If your crawling / browsing session was
exhaustive enough, your ruleset might be complete enough to be ready for
production !
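The core of what the rules generator does can be sketched in Python as
follows (a simplified stand-in for the provided script, not its actual
code; a set-based deduplication replaces the real 'factorization' step):

```python
import re

NAXSI_LINE = re.compile(r"NAXSI_FMT: (?P<qs>\S+)")

def generate_whitelists(log_lines):
    """Extract (id, zone, var_name) triples from NAXSI_FMT log lines
    and emit deduplicated BasicRule whitelist lines."""
    rules = set()
    for line in log_lines:
        m = NAXSI_LINE.search(line)
        if not m:
            continue
        fields = dict(p.split("=", 1)
                      for p in m.group("qs").split("&") if "=" in p)
        i = 0
        while f"id{i}" in fields:
            zone = fields.get(f"zone{i}", "")
            var = fields.get(f"var_name{i}", "")
            if var:  # whitelist only the named variable in that zone
                rules.add(f'BasicRule wl:{fields[f"id{i}"]} '
                          f'"mz:${zone}_VAR:{var}";')
            else:    # no variable name: whitelist the whole zone
                rules.add(f'BasicRule wl:{fields[f"id{i}"]} "mz:{zone}";')
            i += 1
    return sorted(rules)
```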
|--{ Detailed configuration }------------------------------------------------|
Here, I will go through all the directives supported by NAXSI.
|--{ Location configuration }------------------------------------------------|
LearningMode : By default, NAXSI will stop parsing a request as soon
               as it reaches a score that blocks the request. When
               LearningMode is enabled, the request is matched against
               every possible rule. This directive should ONLY be used
               when configuring NAXSI (a.k.a. generating whitelists).
SecRulesEnabled : If this directive is not present, NAXSI will not
               inspect anything.
SecRulesDisabled : If this directive is present, NAXSI will not inspect
               anything. (These two directives exist for easier use in
               production environments, when you want to be able to
               simply enable / disable the module.)
DeniedUrl "/location" : This directive is used to tell NAXSI where the
user should be redirected when a request is
blocked. The location should be present in
NGINX configuration for this to work, as we
are relying on nginx's internal redirect
feature.
BasicRule : The 'main' thing you should care about. It can be used
            either to add whitelists, or to create rules specific to a
            location (which might be useful if you have super crappy
            websites). Here are some examples of possible BasicRule
            syntaxes :
- BasicRule wl:1005 "mz:$URL:/bar/|$ARGS_VAR:foo" : whitelist rule 1005 on
  the GET arg "foo" of the page /bar/
- BasicRule wl:1005 "mz:$URL:/bar/|ARGS" : whitelist rule 1005 on every
  GET arg of the page /bar/
- BasicRule wl:1005 : globally disable rule 1005 for the location
- BasicRule wl:1005 "mz:HEADERS" : whitelist rule 1005 for all HEADERS
- mz supports the keywords ARGS (all GET args), BODY (all POST args),
  URL (the URL itself), $ARGS_VAR (a named GET arg), $BODY_VAR (a named
  POST arg), HEADERS (HTTP headers), and $HEADERS_VAR (a named header)
CheckRule : Used to determine when a request should be blocked, for
            example : CheckRule "$SQL >= 8" BLOCK : if the $SQL score is
            greater than or equal to 8, the request is blocked.
|--{ Main configuration }----------------------------------------------------|
In the main configuration, a.k.a. core rules, there is only one directive :
MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS" "s:$SQL:8" id:1003;
This specific rule, for example, is matched against GET and POST
arguments, as well as the URL. If the '/*' string is found, the $SQL
score is increased by 8. Sounds pretty simple, right ? But you can do
some tricky things as well !
MainRule negative "rx:application/x-www-form-urlencoded|multipart/form-data" "msg:foobar test pattern" "mz:$HEADERS_VAR:Content-type" "s:$SQL:42" id:1999;
This one is a negative rule (meaning that the score is applied if the rule
does NOT match). It is used to prevent strange content types on POSTs.
Literally translated, it means : if a "Content-type" HTTP header is
present, check whether it's 'application/x-www-form-urlencoded' or
'multipart/form-data' (you noticed the rx: keyword; yes, it means it's a
regular expression). If the content type is different, increase the $SQL
score by 42.
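To illustrate the negative-rule logic, here is a minimal Python sketch (an
illustration only; the regex and score are taken from the rule above):

```python
import re

# The accepted content types, from rule id:1999 above.
CONTENT_TYPE_OK = re.compile(
    r"application/x-www-form-urlencoded|multipart/form-data")

def negative_rule_score(content_type_header: str) -> int:
    """A negative rule applies its score when the pattern does NOT
    match: an unexpected Content-type raises $SQL by 42."""
    if CONTENT_TYPE_OK.search(content_type_header):
        return 0
    return 42
```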