-
Notifications
You must be signed in to change notification settings - Fork 606
runtime modifiers
Since 0.49, naxsi supports a limited set of variables that can override or modify its behavior.
-
naxsi_flag_learning: If present, this variable will override naxsi learning flag ("0" to disable learning, "1" to enable it). -
naxsi_flag_post_action: If present and set to "0" this variable may be used to disable post_action in learning mode. -
naxsi_flag_enable: If present, this variable will override naxsi's "SecRulesEnabled" ("0" to disable naxsi, "1" to enable). -
naxsi_extensive_log: If present (and set to "1"), this variable will force naxsi to log the CONTENT of variable matching rules (see notes at bottom).
Since 0.54, naxsi as well support libinjection enable/disable flags at runtime
naxsi_flag_libinjection_sqlnaxsi_flag_libinjection_xss
It is important to know that naxsi operates at the REWRITE phase of nginx. Thus, setting those variables directly in the location where naxsi is present is ineffective (as naxsi will be called before variable set is effective).
This is correct:
set $naxsi_flag_enable 0;
location / {
...
}
But this is wrong:
location / {
set $naxsi_flag_learning 1;
...
}
With that said, you can use the power of nginx, lua, etc. to change naxsi's behavior. The presence of these variables will enable/disable learning mode, naxsi itself or force extensive logging. You can thus do things naxsi is usually not able to, like modifying its behavior according to (nginx) variables set at run-time :
# Disable naxsi if client ip is 127.0.0.1
if ($remote_addr = "127.0.0.1") {
set $naxsi_flag_enable 0;
}
Those variables can as well be set from lua scripts (see nginx's mod_lua).
If naxsi_flag_learning variable is present, this value will override naxsi's current static configuration regarding learning mode.
if ($remote_addr = "1.2.3.4") {
set $naxsi_flag_learning 1;
}
location / {
...
}
post_action can be used by naxsi to literally forward a request to the DeniedUrl location. It is on by default until naxsi 0.50 (a souvenir from ̀nx_intercept`) and is off by default since 0.51, because of the switch to nxtool. Using this might lead to unpredictable behavior Can be set to 0 or 1
If naxsi_flag_enable variable is present and set to 0, naxsi will be disabled in this request. This allows you to partially disable naxsi in specific conditions.
To completely disable naxsi for "trusted" users :
set $naxsi_flag_enable 0;
location / {
...
}
If present (and set to “1”), this variable will force naxsi to log the CONTENT of variable matching rules.
Because of a potential impact on performance, use this with caution. Naxsi will log those to nginx’s error_log, ie:
NAXSI_EXLOG: ip=%V&server=%V&uri=%V&id=%d&zone=%s&var_name=%V&content=%V
See naxsi logs for more details.
If set to "1", naxsi will pass every parsed content to libinjection and ask for SQL injection detection. If the libinjection matches, internal rule libinjection_sql is fired .
If set to "1", naxsi will pass every parsed content to libinjection and ask for XSS detection. If the libinjection matches, internal rule libinjection_xss is fired .