{"id":18843069,"url":"https://github.com/cloudrhinoltd/ngx-waf-protect","last_synced_at":"2025-06-13T19:05:27.351Z","repository":{"id":254665536,"uuid":"847190558","full_name":"cloudrhinoltd/ngx-waf-protect","owner":"cloudrhinoltd","description":"An advanced NGINX WAF module for robust web security","archived":false,"fork":false,"pushed_at":"2024-08-29T00:38:13.000Z","size":67,"stargazers_count":0,"open_issues_count":17,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-13T19:04:59.488Z","etag":null,"topics":["nginx-waf-security-module-ingress-controller"],"latest_commit_sha":null,"homepage":"https://cloudrhino.netlify.app/","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudrhinoltd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-25T05:36:02.000Z","updated_at":"2024-08-29T00:38:15.000Z","dependencies_parsed_at":"2024-08-27T10:57:46.760Z","dependency_job_id":null,"html_url":"https://github.com/cloudrhinoltd/ngx-waf-protect","commit_stats":null,"previous_names":["cloudrhinoltd/ngx-waf-protect"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/cloudrhinoltd/ngx-waf-protect","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudrhinoltd%2Fngx-waf-protect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudrhinoltd%2Fngx-waf-protect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudrhinoltd%2Fngx-waf-protect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudrhinoltd%2Fngx-waf-protect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudrhinoltd","download_url":"https://codeload.github.com/cloudrhinoltd/ngx-waf-protect/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudrhinoltd%2Fngx-waf-protect/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259704410,"owners_count":22898858,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["nginx-waf-security-module-ingress-controller"],"created_at":"2024-11-08T02:56:41.593Z","updated_at":"2025-06-13T19:05:27.328Z","avatar_url":"https://github.com/cloudrhinoltd.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# ngx-waf-protect\n\n`ngx-waf-protect` is a custom NGINX module that provides advanced web application firewall (WAF) protection. It integrates with NGINX to detect and mitigate various web-based attacks, including SQL Injection, Cross-Site Scripting (XSS), Remote Command Execution (RCE), and more. This module can be built as part of a custom NGINX build or as a dynamic module.\n\n## Status\n\nThis module is production-ready.\n\n## Synopsis\n\n```nginx\nhttp {\n    server {\n        listen 80;\n        server_name localhost;\n\n        location / {\n            clrh_waf_handler;\n\n            enable_protocol_attack on;\n            enable_general_rules off;\n            enable_sql_injection off;\n            enable_xss off;\n            enable_rce_php_node off;\n            enable_session_rules off;\n        }\n\n        error_page 500 502 503 504 /50x.html;\n        location = /50x.html {\n            root html;\n        }\n    }\n}\n```\n\n## Description\n\n`ngx-waf-protect` provides an advanced set of rules and capabilities to protect web applications from various attacks:\n\n- **SQL Injection Protection:** Detects and blocks SQL injection attacks.\n- **Cross-Site Scripting (XSS) Protection:** Prevents malicious scripts from being executed.\n- **Protocol Attack Protection:** Mitigates attacks that exploit vulnerabilities in protocols.\n- **Remote Command Execution (RCE) Protection:** Detects and blocks RCE attempts.\n- **Session Rules Enforcement:** Ensures secure session management.\n- **General Security Rules:** Provides a baseline of security measures to protect against common threats.\n\n## Directives\n\n### `enable_protocol_attack`\n- **Syntax:** `enable_protocol_attack on | off;`\n- **Default:** `off`\n- **Context:** `http, server, location`\n- **Description:** Enables or disables protocol attack protection.\n\n### `enable_sql_injection`\n- **Syntax:** `enable_sql_injection on | off;`\n- **Default:** `off`\n- **Context:** `http, server, location`\n- **Description:** Enables or disables SQL injection protection.\n\n### `enable_xss`\n- **Syntax:** `enable_xss on | off;`\n- **Default:** `off`\n- **Context:** `http, server, location`\n- **Description:** Enables or disables Cross-Site Scripting (XSS) protection.\n\n### `enable_rce_php_node`\n- **Syntax:** `enable_rce_php_node on | off;`\n- **Default:** `off`\n- **Context:** `http, server, location`\n- **Description:** Enables or disables Remote Command Execution (RCE) protection for PHP and Node.js environments.\n\n### `enable_session_rules`\n- **Syntax:** `enable_session_rules on | off;`\n- **Default:** `off`\n- **Context:** `http, server, location`\n- **Description:** Enables or disables session management rules.\n\n### `enable_general_rules`\n- **Syntax:** `enable_general_rules on | off;`\n- **Default:** `on`\n- **Context:** `http, server, location`\n- **Description:** Enables or disables general security rules.\n\n## Rule Groups and Supported Rules\n\n### 1. General Rules\n- **920100 - Invalid HTTP Request Line**: Protects against malformed HTTP request lines.\n- **920300 - Request Missing a Host Header**: Ensures requests include a valid Host header to prevent protocol attacks.\n- **920310 - Request with Invalid Host Header**: Validates the Host header against allowed domain patterns.\n- **921110 - HTTP Protocol Anomaly: Request with Content-Length Header and Chunked Transfer-Encoding**: Detects conflicting HTTP headers that could indicate an attack.\n- **920420 - Request Contains Multiple Content-Length Headers**: Prevents requests with multiple conflicting Content-Length headers.\n\n### 2. SQL Injection Rules\n- **942100 - SQL Injection Attack Detected via LibInjection**: Uses libInjection to detect SQL injection patterns.\n- **942110 - SQL Injection Attempt Detected**: Identifies attempts to execute SQL commands.\n- **942190 - SQL Injection Attack Identified by Conditional Statements**: Looks for SQL injection patterns using conditional statements like 'IF', 'CASE', etc.\n- **942200 - SQL Injection Bypass Using Comments**: Prevents SQL injection attempts using SQL comments for bypass techniques.\n\n### 3. Cross-Site Scripting (XSS) Rules\n- **941100 - XSS Attack Detected via LibInjection**: Uses libInjection to identify common XSS attack patterns.\n- **941130 - XSS Attack via HTML Tags**: Identifies malicious use of HTML tags for scripting attacks.\n- **941180 - XSS Attack Detected Using JavaScript URIs**: Blocks malicious use of JavaScript URIs in links or other attributes.\n- **941160 - XSS Detected by Event Handlers**: Detects malicious scripts embedded in HTML event handlers.\n\n### 4. Remote Command Execution (RCE) and File Inclusion\n- **932100 - Remote Command Execution: Unix Commands**: Detects attempts to execute shell commands via Unix systems.\n- **932110 - Remote Command Execution: Windows Commands**: Identifies attempts to execute Windows-specific commands.\n- **931100 - Local File Inclusion Attempt**: Blocks attempts to include local files on the server, a common method for accessing sensitive information.\n- **931120 - Remote File Inclusion Attempt**: Detects attempts to include remote files, which can lead to unauthorized code execution.\n\n### 5. Protocol Attack Rules\n- **921130 - Request Contains Content-Length but Not Allowed Method**: Ensures only valid HTTP methods can carry a Content-Length header.\n- **921150 - Invalid HTTP Version Number**: Blocks requests using invalid or unsupported HTTP versions.\n- **921180 - Invalid Request Line Format**: Detects malformed request lines that can be used to exploit servers.\n\n### 6. Path Traversal and File Access Control\n- **930100 - Path Traversal Attempt Detected**: Identifies attempts to navigate directories improperly to access restricted files.\n- **930110 - File Access Attempt to Restricted Files**: Prevents unauthorized access to critical system or application files.\n\n### 7. Malicious User-Agent Patterns\n- **913100 - Malicious User-Agent Detected**: Identifies known malicious or suspicious user-agent patterns.\n- **913110 - User-Agent Indicates Automation Tool**: Blocks requests from known automation tools or bots that are often used in attacks.\n\n### 8. URL Encoding Abuse\n- **920430 - Multiple URL Encoding Detected**: Detects requests with multiple levels of URL encoding, often used to bypass input validation.\n- **920440 - URL Encoding Abuse Detected**: Identifies improper use of encoding to conceal malicious requests.\n\n## Installation\n\n### Building as a Static Module\n\nTo build `ngx-waf-protect` as part of a custom NGINX build:\n\n1. Clone the repository:\n   ```bash\n   git clone https://github.com/cloudrhinoltd/ngx-waf-protect.git\n   cd ngx-waf-protect\n   ```\n\n2. Download and extract the NGINX source code:\n   ```bash\n   wget 'http://nginx.org/download/nginx-1.27.1.tar.gz'\n   tar -xzvf nginx-1.27.1.tar.gz\n   cd nginx-1.27.1\n   ```\n\n3. Configure and build NGINX with the `ngx-waf-protect` module:\n   ```bash\n   ./configure --prefix=/opt/nginx                --with-http_ssl_module                --add-module=/path/to/ngx-waf-protect\n   make -j$(nproc)\n   make install\n   ```\n\n### Building as a Dynamic Module\n\nStarting with NGINX 1.9.11, `ngx-waf-protect` can also be built as a dynamic module:\n\n1. Follow steps 1 and 2 above.\n\n2. Configure NGINX with `--add-dynamic-module`:\n   ```bash\n   ./configure --prefix=/opt/nginx                --with-http_ssl_module                --add-dynamic-module=/path/to/ngx-waf-protect\n   make -j$(nproc)\n   make install\n   ```\n\n3. Load the module in `nginx.conf`:\n   ```nginx\n   load_module /path/to/modules/ngx_waf_protect.so;\n   ```\n\n## Requirements\n\nTo build `ngx-waf-protect`, you need the following:\n\n- **C++ Compiler:** Ensure that gcc or clang is installed.\n- **NGINX Source Code:** Download from nginx.org.\n- **Build Tools:** `make`, `autoconf`, and `libtool`.\n- **OpenSSL:** Required for SSL support in NGINX.\n- **PCRE:** Required for regex support in NGINX.\n\n## Building\n\nTo build `ngx-waf-protect`, use the provided build script:\n\n```bash\n./scripts/build.sh\n```\n\nThis script will download and compile all necessary dependencies and build the custom NGINX with the `ngx-waf-protect` module integrated.\n\n## License\n\nThis project is licensed under the Apache License 2.0. Note that the `ngx-waf-protect` module contains specific directives that are dual-licensed:\n\n- **Apache License 2.0:** Applies to the following directives:\n  - `enable_protocol_attack`\n  - `enable_general_rules`\n- **Enterprise License:** Required for the following directives:\n  - `enable_sql_injection`\n  - `enable_xss`\n  - `enable_rce_php_node`\n  - `enable_session_rules`\n\nFor more information on obtaining an enterprise license, please contact Cloud Rhino Pty Ltd.\n\n## Source Repository\n\nAvailable on GitHub at [cloudrhinoltd/ngx-waf-protect](https://github.com/cloudrhinoltd/ngx-waf-protect).\n\n## Author\n\nCloud Rhino Pty Ltd  \n[cloudrhinoltd@gmail.com](mailto:cloudrhinoltd@gmail.com)\n\n## See Also\n\n- [NGINX](https://nginx.org/)\n- [OpenSSL](https://www.openssl.org/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudrhinoltd%2Fngx-waf-protect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudrhinoltd%2Fngx-waf-protect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudrhinoltd%2Fngx-waf-protect/lists"}