You might want to check out tinfoilsecurity.com to evaluate Naxsi. Microsoft uses them for Azure. I pass all their tests.
As I stated a few times, I only serve static pages. I can get away with homebrew hacking detection. But I think you are kidding yourself if you think a stack of WAF rules isn't a CPU burden. There is no free lunch.
Someone supporting 500 vhosts probably should segregate the hosts based on whether they use SQL or not. You can use different "servers" in the nginx.conf for the plain and SQL-enabled ones.
I wouldn't want the task of handling all the false positives Naxsi will generate. I think a site that needs a WAF should just go colo or VPS.
One of the reasons I see so few hackers is I have built a database of CIDRs to block. I don't get repeat offenders. But you can't have one list for many different users unless they accept your opinion of who to block. Probably an RBL is better. I only use RBLs for email since they do leak information and slow down response. Slow response isn't a big deal for email, but it does matter for web hosting.
Original Message
From: c0nw0nk
Sent: Monday, September 26, 2016 9:10 AM
To: nginx@nginx.org
Reply To: nginx@nginx.org
Subject: Re: performance hit in using too many if's
Anoop Alias Wrote:
-------------------------------------------------------
> Ok .. reiterating my original question.
>
> Is the usage of if / map in nginx config more efficient than say
> naxsi (
> or libmodsecurity ) for something like blocking SQL injection ?
>
> For example,
> https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules
> rules 1000-1099 - block SQL injection attempts
>
> So ..do (to a limited extent )
>
> ## Block SQL injections
> set $block_sql_injections 0;
> if ($query_string ~ "union.*select.*\(") {
> set $block_sql_injections 1;
> ............
> .....................
> if ($block_file_injections = 1) {
> return 403;
> }
>
>
>
> From the point of application performance which one is better .. ?
> Performance for a shared hosting server with around 500 vhosts.
I would advise, if your application is vulnerable, to use Naxsi because it can
intercept POST requests. The example you provided is "$query_string"
(intercepts the URL). For example: http://*.com/index.php?id=10 UNION SELECT
1,null,null--
I don't think Nginx has a way to read POST data other than the WAF methods
like Naxsi, ModSecurity etc.
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)#URL_Encoding
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269808,269857#msg-269857
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
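As an added example (not posted by anyone in this thread), here is the quoted `if` chain rewritten as a single `map`, combined with the split into plain and SQL-enabled `server` blocks suggested in the reply; hostnames and document roots are placeholders.

```nginx
# Added example, not from the nginx list or any poster above.
# A map replaces the chain of "if ($query_string ~ ...)" checks: the
# regexes are evaluated once per request, and only in server blocks that
# actually read $block_sql_injections (map variables are lazy).
http {
    map $query_string $block_sql_injections {
        default                     0;
        # Same pattern as the quoted if, but "~*" makes it case-insensitive;
        # the quoted "~" is case-sensitive and would let the upper-case
        # "UNION SELECT" from the reply's URL example through.
        "~*union.*select.*\("       1;
        # Further patterns go here as extra lines (illustrative entry).
        "~*union.*all.*select.*"    1;
    }

    # Static-only vhosts: no query-string inspection at all.
    server {
        listen 80;
        server_name static.example.com;   # placeholder
        root /var/www/static;             # placeholder
    }

    # Vhosts that talk to a database get the single check.
    server {
        listen 80;
        server_name app.example.com;      # placeholder
        root /var/www/app;                # placeholder

        location / {
            # One if instead of one per pattern; the matching was done by map.
            if ($block_sql_injections = 1) {
                return 403;
            }
            try_files $uri $uri/ /index.php$is_args$args;
        }
    }
}
```

Only the query string is inspected here; as the reply points out, request bodies (POST data) still need a WAF such as Naxsi or ModSecurity.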