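# nginx main configuration: reverse proxy for two virtual hosts with the naxsi
# WAF module in front of the upstream servers.
#
# Reformatted from a dump that had every directive collapsed onto a handful of
# lines. Directive content is unchanged, with one exception: the duplicated
# "ltx71" alternative in the User-Agent block regex (it appeared twice) is
# listed once; the set of matched user agents is identical.
# Comments prefixed "NOTE(review)" are observations to confirm, not changes.

load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;

user www staff;
worker_processes 1;
error_log /var/log/nginx/error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;

    # ---------------------------------------------------------------------
    # naxsi MainRules (http context).
    # Every rule adds a score of 8 to its policy variable ("s:$policy...:8").
    # The "location /" blocks below BLOCK when a policy variable is >= 8, so a
    # single match of any one rule in a policy is enough to block the request.
    # Match zones: ARGS = query arguments, $HEADERS_VAR:Cookie = the Cookie
    # header, FILE_EXT = uploaded file name.
    # ---------------------------------------------------------------------

    # Policy ade66794...: SQL injection indicators.
    # NOTE(review): id:1000 is the only rule that uses the regex header zone
    # "$HEADERS_VAR_X:Cookie"; every other rule uses the literal zone
    # "$HEADERS_VAR:Cookie". Confirm the difference is intentional.
    MainRule id:1000 "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:ARGS|$HEADERS_VAR_X:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1002 "str:0x" "msg:0x, possible hex encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1003 "str:/*" "msg:mysql comment (/*)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1004 "str:*/" "msg:mysql comment (*/)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1006 "str:&&" "msg:mysql keyword (&&)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1007 "str:--" "msg:mysql comment (--)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1008 "str:;" "msg:semicolon" "mz:ARGS" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1009 "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1010 "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1011 "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1013 "str:'" "msg:simple quote" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1015 "str:," "msg:comma" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1016 "str:#" "msg:mysql comment (#)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";
    MainRule id:1017 "str:@@" "msg:double arobase (@@)" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policyade66794614d4d80bd76272367ac9034:8";

    # Policy 1c0480d8...: URL schemes in arguments / cookies (RFI, SSRF, PHP
    # stream wrappers).
    MainRule id:1100 "str:http://" "msg:http:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1101 "str:https://" "msg:https:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1102 "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1103 "str:php://" "msg:php:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1104 "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1105 "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1106 "str:data://" "msg:data:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1107 "str:glob://" "msg:glob:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1108 "str:phar://" "msg:phar:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1109 "str:file://" "msg:file:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";
    MainRule id:1110 "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy1c0480d874834fdfab63313107d8d987:8";

    # Policy 2cc55acf...: path traversal / local file probes.
    # Inside nginx double quotes "\\" is one backslash, so id:1203 matches
    # "c:\" and id:1205 matches a single "\".
    MainRule id:1200 "str:.." "msg:double dot" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
    MainRule id:1202 "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
    MainRule id:1203 "str:c:\\" "msg:obvious windows path" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
    MainRule id:1204 "str:cmd.exe" "msg:obvious probe" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
    MainRule id:1205 "str:\\" "msg:backslash" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";
    MainRule id:1206 "str:/" "msg:slash in args" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy2cc55acff3794c3291aec2bee3351296:8";

    # Policy 127e9889...: HTML / JavaScript markup characters (XSS).
    MainRule id:1302 "str:<" "msg:html open tag" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
    MainRule id:1303 "str:>" "msg:html close tag" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
    MainRule id:1310 "str:[" "msg:open square backet ([), possible js" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
    MainRule id:1311 "str:]" "msg:close square bracket (]), possible js" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";
    MainRule id:1312 "str:~" "msg:tilde (~) character" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policy127e988975984655b82d3eefe7f881c6:8";

    # Policy e9d3021b...: evasive encodings.
    MainRule id:1400 "str:&#" "msg:utf7/8 encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policye9d3021b531b49c4a428c16606345e86:8";
    MainRule id:1401 "str:%U" "msg:M$ encoding" "mz:ARGS|$HEADERS_VAR:Cookie" "s:$policye9d3021b531b49c4a428c16606345e86:8";

    # Policy 07991d37...: executable file-upload extensions (FILE_EXT zone).
    MainRule id:1500 "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload" "mz:FILE_EXT" "s:$policy07991d37641a4506b9e90622d9205729:8";

    # Access log formats. "anonymized" replaces the client address with "::".
    log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
    log_format anonymized ':: - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';

    #tcp_nopush on;
    # 200M should be big enough for file servers etc.
    client_max_body_size 200M;
    brotli_static on;
    brotli on;
    gzip_static on;
    gzip on;
    server_tokens off;
    sendfile Off;
    default_type application/octet-stream;
    keepalive_timeout 60;

    # Connection header value for WebSocket upgrades.
    # NOTE(review): $connection_upgrade is not referenced by any
    # proxy_set_header in this file, so Upgrade/Connection headers are not
    # forwarded to the upstreams; either wire it in or drop the map.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # TODO add when core is ready for allowing nginx to serve the web interface
    # include nginx_web.conf;

    # UPSTREAM SERVERS
    upstream upstream58a939473afe4f73bd7efef96629e130 {
        server 10.15.0.1:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;
    }
    # NOTE(review): this upstream (10.15.0.2) is defined but never used; both
    # server blocks below proxy_pass to upstream58a9... (10.15.0.1). Confirm
    # whether plus.xxx.com was meant to use it.
    upstream upstreamb9cdcf636a9246c7b259cbecb7cd6b0e {
        server 10.15.0.2:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;
    }

    # ---------------------------------------------------------------------
    # Virtual host: www.xxx.com
    # Plain HTTP only: "include tls.conf" is commented out and only port 80 is
    # bound, so the $ssl_* variables passed to FastCGI and the backend are
    # empty on these listeners and cookies/auth traffic cross the wire in
    # cleartext.
    # ---------------------------------------------------------------------
    server {
        listen 80;
        listen [::]:80;
        server_name www.xxx.com;
        charset utf-8;
        access_log /var/log/nginx/www.xxx.com.access.log main;
        error_log /var/log/nginx/www.xxx.com.error.log;
        #include tls.conf;
        error_page 404 /opnsense_error_404.html;
        error_page 500 501 502 503 504 /opnsense_server_error.html;

        # location to ban the host permanently
        set $naxsi_extensive_log 0;
        # The User-Agent checks below "return 418"; error_page then routes
        # 418 into this named location, which answers with 403.
        location @permanentban {
            access_log /var/log/nginx/permanentban.access.log main;
            internal;
            add_header Content-Type text/plain;
            add_header Charset utf-8;
            return 403 "You got banned permanently from this server.";
        }
        error_page 418 = @permanentban;

        # Error pages are only reachable through internal redirects.
        location /opnsense_server_error.html {
            internal;
            root /usr/local/etc/nginx/views;
        }
        location /opnsense_error_404.html {
            internal;
            root /usr/local/etc/nginx/views;
        }
        # Page shown for naxsi DeniedUrl; logged separately so WAF blocks can
        # be reviewed on their own.
        location /waf_denied.html {
            root /usr/local/etc/nginx/views;
            access_log /var/log/nginx/waf_denied.access.log main;
        }
        # ACME HTTP-01 challenges; "^~" stops regex locations from matching.
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /var/etc/acme-client/challenges;
        }

        # block based on User Agents - stuff I have found over the years in my server log
        if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|zgrab|Ronin/2.0|Hakai/2.0) {
            return 418;
        }
        if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+") {
            return 418;
        }
        if ($http_user_agent ~ ^Mozilla/[\d\.]+$) {
            return 418;
        }

        # Publicly reachable CSP violation report endpoint, handled by PHP.
        location = /opnsense-report-csp-violation {
            include fastcgi_params;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
            fastcgi_param TLS-Cipher $ssl_cipher;
            fastcgi_param TLS-Protocol $ssl_protocol;
            fastcgi_param TLS-SNI-Host $ssl_server_name;
            fastcgi_param SERVER-UUID "d5602450-f3b9-4163-a5e2-f0d09e2f3678";
            fastcgi_intercept_errors on;
            fastcgi_pass unix:/var/run/php-webgui.socket;
        }

        # Internal auth endpoint. NOTE(review): no auth_request directive in
        # this file points at it, so it is currently unused here.
        location /opnsense-auth-request {
            internal;
            fastcgi_pass unix:/var/run/php-webgui.socket;
            fastcgi_index index.php;
            fastcgi_param TLS-Cipher $ssl_cipher;
            fastcgi_param TLS-Protocol $ssl_protocol;
            fastcgi_param TLS-SNI-Host $ssl_server_name;
            fastcgi_param Original-URI $request_uri;
            fastcgi_param Original-HOST $host;
            fastcgi_param SERVER-UUID "d5602450-f3b9-4163-a5e2-f0d09e2f3678";
            fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
            fastcgi_intercept_errors on;
            include fastcgi_params;
        }

        # Main proxied application, protected by naxsi.
        location / {
            SecRulesEnabled;
            LibInjectionXss;
            CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
            # Whitelist for naxsi internal rule id 19.
            BasicRule wl:19;
            # One matching MainRule (score 8) per policy is enough to block.
            CheckRule "$policyade66794614d4d80bd76272367ac9034 >= 8" BLOCK;
            CheckRule "$policy1c0480d874834fdfab63313107d8d987 >= 8" BLOCK;
            CheckRule "$policy2cc55acff3794c3291aec2bee3351296 >= 8" BLOCK;
            CheckRule "$policy127e988975984655b82d3eefe7f881c6 >= 8" BLOCK;
            CheckRule "$policye9d3021b531b49c4a428c16606345e86 >= 8" BLOCK;
            CheckRule "$policy07991d37641a4506b9e90622d9205729 >= 8" BLOCK;
            LibInjectionSql;
            CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
            DeniedUrl "/waf_denied.html";
            autoindex off;
            http2_push_preload off;
            proxy_set_header Host $host;
            proxy_set_header X-TLS-Cipher $ssl_cipher;
            proxy_set_header X-TLS-Protocol $ssl_protocol;
            proxy_set_header X-TLS-SNI-Host $ssl_server_name;
            # proxy headers for backend server
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # X-Forwarded-For the client sent; the backend should only trust
            # the last (proxy-added) entry.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://upstream58a939473afe4f73bd7efef96629e130;
        }
    }

    # ---------------------------------------------------------------------
    # Virtual host: plus.xxx.com (same layout as www.xxx.com; differs only in
    # server_name, log file names and SERVER-UUID).
    # ---------------------------------------------------------------------
    server {
        listen 80;
        listen [::]:80;
        server_name plus.xxx.com;
        charset utf-8;
        access_log /var/log/nginx/plus.xxx.com.access.log main;
        error_log /var/log/nginx/plus.xxx.com.error.log;
        #include tls.conf;
        error_page 404 /opnsense_error_404.html;
        error_page 500 501 502 503 504 /opnsense_server_error.html;

        # location to ban the host permanently
        set $naxsi_extensive_log 0;
        location @permanentban {
            access_log /var/log/nginx/permanentban.access.log main;
            internal;
            add_header Content-Type text/plain;
            add_header Charset utf-8;
            return 403 "You got banned permanently from this server.";
        }
        error_page 418 = @permanentban;

        location /opnsense_server_error.html {
            internal;
            root /usr/local/etc/nginx/views;
        }
        location /opnsense_error_404.html {
            internal;
            root /usr/local/etc/nginx/views;
        }
        location /waf_denied.html {
            root /usr/local/etc/nginx/views;
            access_log /var/log/nginx/waf_denied.access.log main;
        }
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /var/etc/acme-client/challenges;
        }

        # block based on User Agents - stuff I have found over the years in my server log
        if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|zgrab|Ronin/2.0|Hakai/2.0) {
            return 418;
        }
        if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+") {
            return 418;
        }
        if ($http_user_agent ~ ^Mozilla/[\d\.]+$) {
            return 418;
        }

        location = /opnsense-report-csp-violation {
            include fastcgi_params;
            fastcgi_param QUERY_STRING $query_string;
            fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
            fastcgi_param TLS-Cipher $ssl_cipher;
            fastcgi_param TLS-Protocol $ssl_protocol;
            fastcgi_param TLS-SNI-Host $ssl_server_name;
            fastcgi_param SERVER-UUID "8df10317-96d5-489e-9593-44cde20a2e12";
            fastcgi_intercept_errors on;
            fastcgi_pass unix:/var/run/php-webgui.socket;
        }

        location /opnsense-auth-request {
            internal;
            fastcgi_pass unix:/var/run/php-webgui.socket;
            fastcgi_index index.php;
            fastcgi_param TLS-Cipher $ssl_cipher;
            fastcgi_param TLS-Protocol $ssl_protocol;
            fastcgi_param TLS-SNI-Host $ssl_server_name;
            fastcgi_param Original-URI $request_uri;
            fastcgi_param Original-HOST $host;
            fastcgi_param SERVER-UUID "8df10317-96d5-489e-9593-44cde20a2e12";
            fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
            fastcgi_intercept_errors on;
            include fastcgi_params;
        }

        location / {
            SecRulesEnabled;
            LibInjectionXss;
            CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
            BasicRule wl:19;
            CheckRule "$policyade66794614d4d80bd76272367ac9034 >= 8" BLOCK;
            CheckRule "$policy1c0480d874834fdfab63313107d8d987 >= 8" BLOCK;
            CheckRule "$policy2cc55acff3794c3291aec2bee3351296 >= 8" BLOCK;
            CheckRule "$policy127e988975984655b82d3eefe7f881c6 >= 8" BLOCK;
            CheckRule "$policye9d3021b531b49c4a428c16606345e86 >= 8" BLOCK;
            CheckRule "$policy07991d37641a4506b9e90622d9205729 >= 8" BLOCK;
            LibInjectionSql;
            CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
            DeniedUrl "/waf_denied.html";
            autoindex off;
            http2_push_preload off;
            proxy_set_header Host $host;
            proxy_set_header X-TLS-Cipher $ssl_cipher;
            proxy_set_header X-TLS-Protocol $ssl_protocol;
            proxy_set_header X-TLS-SNI-Host $ssl_server_name;
            # proxy headers for backend server
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # NOTE(review): same upstream as www.xxx.com; see the unused
            # upstreamb9cd... definition above.
            proxy_pass http://upstream58a939473afe4f73bd7efef96629e130;
        }
    }
}

# mail {
# }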