pbooth Wrote: ------------------------------------------------------- > Wow- I really like the sound of naxsi. In the past I've used F5's ASM, > the WAF built on their big-ip platform. It was powerful though prone > to false positives. I don't believe there are any real shortcuts that > allow you to build an effective waf without understanding the details > of your own website
by mex - Nginx Mailing List - English
Hello christian, naxsi-contributor first bad news first: naxsi wouldn't work on websockets. Any other security for websockets you have to implement yourself. list of useful reads: - https://devcenter.heroku.com/articles/websocket-security - https://security.stackexchange.com/questions/48378/anti-dos-websockets-best-practices/ - https://gist.github.com/subudeepak/9897212 - ht
grey rules mean they are deactivated. i'm gonna write a blog on how we use spike + doxi-rules in our setup, but it will take some time.
Hi c0nw0nk, mex here, initial creator of http://spike.nginx-goodies.com/rules/ and maintainer of Doxi-Rules https://bitbucket.org/lazy_dogtown/doxi-rules/overview (this is where the rules live that we create with spike :) the doxi-rules in their current state are inspired by emerging threats rules, and not by the CRS-System because: - mod_security can hook into any phase of a request, while n
How do you transfer metrics from nginx to your pfsense? mayak Wrote: ------------------------------------------------------- > We are blocking 2.2 million addresses, however, we do it at the > firewall/router (pfsense pfBlocker). > > Ultra fast. > > HTH > > Mayak > > _______________________________________________ > nginx mailing list >
Hi Eric, see my reply https://forum.nginx.org/read.php?2,270680,270757#msg-270757 we do a similar thing but keep a counter within nginx (lua_shared_dict FTW) and export this stuff via a /badass location. although it's not realtime, we have a delay of 5 sec which is enough for us. cheers, mex Cox, Eric S Wrote: --------------------------------------------------
Lucas Rolff Wrote: ------------------------------------------------------- > You could very well do a small ipset together with iptables, it's > fast, > and you don't have to reload for every subnet / ip you add. we had the very same issue, 40k IPs to block daily, and we came up with ipset add / del which is fast as hell and has a built-in TTL if you have a huge and dynamic set
Hi Alex, you can do it that way or use something like this inside your server {} block: allow IP1; allow IP2; allow IP3; deny all; http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
Hi Alex, this might be an inspiration for your task: https://www.howtoforge.com/nginx-how-to-block-visitors-by-country-with-the-geoip-module-debian-ubuntu cheers, mex
for a nice and simple*) but yet powerful WAF-solution for nginx you might want to try naxsi https://github.com/nbs-system/naxsi *) simple in terms of: easy to setup, easy to maintain, easy to adjust cheers, mex
Hello, did you follow the atlassian-guide? > https://confluence.atlassian.com/jirakb/integrating-jira-with-nginx-426115340.html > https://confluence.atlassian.com/confkb/how-to-use-nginx-to-proxy-requests-for-confluence-313459790.html usually when nginx says "502" you should trust this. for debugging, try curl -v http://JIRA_IP:JIRA_PORT/ from the server ngin
hi list, i have an nginx in front of apaches, and the apaches hold a list of locations with basic-auth. i cannot pass the auth-request from the upstream through nginx to the user; when i access the urls through nginx i get 403 Forbidden, while direct access sends the correct 401 Authorization Required back. is there a simple way to passthrough the auth-request without doing nginx
this one: https://www.nginx.com/blog/new-joomla-exploit-cve-2015-8562/ i'd suggest to change the ua-detection from "JDatabaseDriverMysql" to a regex detecting the PHP-Object-Injection to cover additional attack-vectors (like my gurus @ emergingthreats said: "mitigation against the vuln, not the exploit you should create" :D i also suggest to delete the "O:"
hi daniel, how did you install nginx, manually (self-compiled) or through your distro's repo? can you provide the nginx -V output? usually /etc/nginx/nginx.conf is the default-config, if not given; nginx -V will tell what defaults are used in your config. cheers, mex
> I could set up but the Machine A only access to one URL or Site at > same time. > How can I access to any URL at internet from Machine A? > nginx is a reverse-proxy, what you are looking for is a forward-proxy and you could use apache or squid for this. for more information on differences reverse vs forward-proxy read http://stackoverflow.com/questions/224664/difference
hi, is there a way to log access (ip, date, size of payload) within the stream-module? i found error-log configurable for the stream only so far. cheers, mex
if you ask for something like mod_cgi from the apache-world, there is nothing like this; the following article might help to define requirements and find a solution: > https://www.digitalocean.com/community/tutorials/a-comparison-of-web-servers-for-python-based-web-applications Nitin Solanki Wrote: ------------------------------------------------------- > Hi all, I am not using
Ray Cote Wrote: ------------------------------------------------------- > We use gUnicorn for our nginx/Django deployments. > Lots of good guidance on the gUnicorn site: > http://gunicorn-docs.readthedocs.org/en/latest/deploy.html > nginx is their deployment of choice... > -Ray > gunicorn (+nginx for static content, caching, ssl-offload and waf-features) is what we use
thank you very much, looks promising!
Hello, happily testing the stream{} feature and loadbalancing-mechanism with nginx 1.9 and it works very smooth; looks like we can use nginx as http-lb as well as tcp-lb in production very soon; thank you, nginx-team! is there something like allow/deny planned for the stream {} method? http://nginx.org/en/docs/http/ngx_http_access_module.html#allow atm we use a packetfilter, but ha
thank you for your comment; i'll re-test with 1.8 and adjust the document accordingly. i think the config-workaround is obsolete too. cheers, mex
Hi, nginx + libressl works without any issues; we have it running since last summer and have seen no problems so far, but did not test it with 1.8.x though. the following explains how to do it: https://8ack.de/guides/nginx-libressl-first-test cheers, mex
if you have questions on naxsi, feel free to join the naxsi-discuss ml https://groups.google.com/forum/#!forum/naxsi-discuss cheers, mex
hi cole, if implementable you could use naxsi https://github.com/nbs-system/naxsi for this, there exists a rule to detect and block shellshock-exploit-attempts: MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393 ; see -> http://spike.nginx-goodies.com/rules/view/42000
Hello, what does naxsi have to do with it? you probably wanted to talk about nginx; naxsi is a 3rd-party-module, extending nginx with WAF-features. for your problem you might want to check http://nginx.org/en/docs/http/ngx_http_limit_req_module.html cheers, mex
Hi Noah, thanx for your guides; interesting read. for everyone else: there is a nagios-plugin to monitor the stub/status outputs: https://bitbucket.org/maresystem/dogtown-nagios-plugins/overview beside monitoring it also extracts all data from the status page and returns them as performance-data for graphing and as sources for warning/critical notifications Performancedata:
Google dumps SPDY in favour of HTTP/2, any plans or roadmap for HTTP/2 in nginx? see https://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html "HTTP is the fundamental networking protocol that powers the web. The majority of sites use version 1.1 of HTTP, which was defined in 1999 with RFC2616. A lot has changed on the web since then, and a new version of the protocol
you'll need a lot of packages from the SDK-DVDs. IIRC those are not available as online-repos, but the situation might have changed. mex
Hi, > I tried ngx_lua but I might've been doing something wrong. It > complained that I am not allowed to use "proxy_pass" following a > content rewrite. you should read the documentation carefully: http://wiki.nginx.org/HttpLuaModule#content_by_lua "Do not use this directive and other content handler directives in the same location. For example, this di