Configuration Example

Contents

In this page we provide a configuration example for some SEnginx functions.

Test site

Configuration File

In this configuration file we enable cookie poisoning protection, robot mitigation and naxsi.

# Worker processes drop to the unprivileged "nobody" account; the master
# process still needs to start as root to bind port 80 (see "listen 80").
user nobody;
worker_processes  1;

# "notice" keeps naxsi / robot-mitigation diagnostics visible without debug noise.
error_log  logs/error.log  notice;

pid        logs/nginx.pid;


events {
    # Per-worker connection cap; with worker_processes 1 this is the site-wide limit.
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    # naxsi core rule set; the per-location CheckRule thresholds below decide
    # when the scores these rules produce result in a BLOCK.
    include       /usr/local/senginx/naxsi/naxsi_config/naxsi_core.rules;

    # GeoIP databases feed $geoip_country_code (used for routing in "location /")
    # and $geoip_city / $geoip_city_country_name (used in the access log format).
    geoip_country /usr/local/senginx/GeoIP.dat;
    geoip_city /usr/local/senginx/GeoLiteCity.dat;

    # Standard combined-style log line with the GeoIP city/country appended,
    # so blocked or suspicious requests can be correlated with origin.
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"'
                      ' - [$geoip_city, $geoip_city_country_name]';


    sendfile       on;
    tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;

    # SEnginx session store size; presumably an upper bound on tracked
    # sessions for the cookie_poisoning / robot_mitigation modules — TODO confirm.
    session_max_size 1024;

    # The protected application (Apache in this example) on localhost:8080.
    upstream backend {
        server 127.0.0.1:8080;
    }

    server {
        # Plain HTTP only; no TLS is configured in this example.
        listen       80;
        server_name  some_site.org;

        access_log  logs/access.www.log  main;

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # SEnginx session tracking for this virtual host; NOTE(review): looks like
        # the cookie_poisoning and robot_mitigation modules below rely on it — confirm.
        session_timeout 600;
        session on;

	# Target of naxsi's DeniedUrl (see the /cn and /en locations): blocked
	# requests are rewritten here internally and answered with a bare 403.
	location /RequestDenied {
	    return 403;
	}

        # These three locations are proxied straight to the backend with none of
        # the robot_mitigation / cookie_poisoning / naxsi directives applied, and
        # without the X-Forwarded-For and Host headers set for /cn and /en.
        # NOTE(review): confirm the backend does not need the client address or
        # original Host here, and that /download does not take user input.
        location /favicon.ico {
            proxy_pass   http://backend;
        }

        location /download {
            proxy_pass   http://backend;
        }

        location /img {
            proxy_pass   http://backend;
        }

        # Chinese-language site: full protection stack.
        location /cn {
            error_log logs/error.cn.log;

            # Robot mitigation: "js" mode challenges the client with a JavaScript
            # test; clients that fail are blocked (robot_mitigation_action block).
            robot_mitigation on;
            robot_mitigation_mode js;
            robot_mitigation_action block;
            # Whitelisted crawlers that are exempt from the challenge. Each entry
            # appears to be a label followed by a User-Agent match string — confirm
            # against the SEnginx documentation for the exact matching semantics.
            robot_mitigation_whitelist {
                "Baidu" "Baiduspider";
                "Google" "Googlebot";
            }

            # Reject requests whose cookies were altered client-side.
            cookie_poisoning on;
            cookie_poisoning_action block;

	    # naxsi: LearningMode is commented out, so the CheckRule thresholds
	    # below are enforced (BLOCK), not merely logged.
	    #LearningMode;
	    SecRulesEnabled;
	    #SecRulesDisabled;
	     
	    # Where blocked requests are sent (internal rewrite to the 403 location above).
	    DeniedUrl "/RequestDenied";
	      
	    # Site-specific whitelist rules (false-positive exceptions) for this path.
	    include wl.conf;
	       
	    ## check rules
	    # Per-request naxsi score thresholds; a request reaching any of these
	    # scores is blocked. XSS and TRAVERSAL trip at a lower score than the rest.
	    CheckRule "$XSS >= 4" BLOCK;
	    CheckRule "$TRAVERSAL >= 4" BLOCK;
	    CheckRule "$EVADE >= 8" BLOCK;
	    CheckRule "$UPLOAD >= 8" BLOCK;
	    CheckRule "$RFI >= 8" BLOCK;
	    CheckRule "$SQL >= 8" BLOCK;
            

            # Preserve the client address chain and the original Host for the backend.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_pass   http://backend;
        }

        # English-language site: same protection stack as /cn, with its own
        # error log, a smaller crawler whitelist and a separate naxsi whitelist file.
        location /en {
            error_log logs/error.en.log;
            
            robot_mitigation on;
            robot_mitigation_mode js;
            robot_mitigation_action block;
            robot_mitigation_whitelist {
                "Google" "Googlebot";
            }

            cookie_poisoning on;
            cookie_poisoning_action block;

	    #LearningMode;
	    SecRulesEnabled;
	    #SecRulesDisabled;
	     
	    DeniedUrl "/RequestDenied";
	      
	    include wl-en.conf;
	       
	    ## check rules
	    CheckRule "$XSS >= 4" BLOCK;
	    CheckRule "$TRAVERSAL >= 4" BLOCK;
	    CheckRule "$EVADE >= 8" BLOCK;
	    CheckRule "$UPLOAD >= 8" BLOCK;
	    CheckRule "$RFI >= 8" BLOCK;
	    CheckRule "$SQL >= 8" BLOCK;
            

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_pass   http://backend;
        }


        # GeoIP-based landing page: the bare root "/" (regex ^/$) is redirected
        # to /cn for Chinese visitors and to /en for everyone else. Any other
        # path that reaches this location has no proxy_pass and is served by
        # nginx itself from its default root — NOTE(review): confirm that is intended.
        location / {
            if ($geoip_country_code = CN) {
                rewrite ^/$ /cn redirect;
            }
            
            if ($geoip_country_code != CN) {
                rewrite ^/$ /en redirect;
            }
        }
    }
}

Explanation

This config file is based on SEnginx 1.5.3 compiled with the Cookie Poisoning module and the GeoIP module. Some of the directives may not be valid in other SEnginx versions.
The basic layout of the test site is: Apache listens on port 8080 on localhost, and SEnginx reverse proxies all requests to this port while applying the following functions: