Configuration Example
This page provides a configuration example for some SEnginx functions.
Test site
Configuration File
In this configuration file, cookie poisoning protection, robot mitigation and naxsi are enabled.
    user nobody;
    worker_processes 1;

    error_log logs/error.log notice;
    pid logs/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;

        include /usr/local/senginx/naxsi/naxsi_config/naxsi_core.rules;

        geoip_country /usr/local/senginx/GeoIP.dat;
        geoip_city /usr/local/senginx/GeoLiteCity.dat;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"'
                        ' - [$geoip_city, $geoip_city_country_name]';

        sendfile on;
        tcp_nopush on;
        keepalive_timeout 65;
        gzip on;

        session_max_size 1024;

        upstream backend {
            server 127.0.0.1:8080;
        }

        server {
            listen 80;
            server_name some_site.org;

            access_log logs/access.www.log main;

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }

            session_timeout 600;
            session on;

            location /RequestDenied {
                return 403;
            }

            location /favicon.ico {
                proxy_pass http://backend;
            }

            location /download {
                proxy_pass http://backend;
            }

            location /img {
                proxy_pass http://backend;
            }

            location /cn {
                error_log logs/error.cn.log;

                robot_mitigation on;
                robot_mitigation_mode js;
                robot_mitigation_action block;
                robot_mitigation_whitelist {
                    "Baidu" "Baiduspider";
                    "Google" "Googlebot";
                }

                cookie_poisoning on;
                cookie_poisoning_action block;

                #LearningMode;
                SecRulesEnabled;
                #SecRulesDisabled;
                DeniedUrl "/RequestDenied";
                include wl.conf;

                ## check rules
                CheckRule "$XSS >= 4" BLOCK;
                CheckRule "$TRAVERSAL >= 4" BLOCK;
                CheckRule "$EVADE >= 8" BLOCK;
                CheckRule "$UPLOAD >= 8" BLOCK;
                CheckRule "$RFI >= 8" BLOCK;
                CheckRule "$SQL >= 8" BLOCK;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_pass http://backend;
            }

            location /en {
                error_log logs/error.en.log;

                robot_mitigation on;
                robot_mitigation_mode js;
                robot_mitigation_action block;
                robot_mitigation_whitelist {
                    "Google" "Googlebot";
                }

                cookie_poisoning on;
                cookie_poisoning_action block;

                #LearningMode;
                SecRulesEnabled;
                #SecRulesDisabled;
                DeniedUrl "/RequestDenied";
                include wl-en.conf;

                ## check rules
                CheckRule "$XSS >= 4" BLOCK;
                CheckRule "$TRAVERSAL >= 4" BLOCK;
                CheckRule "$EVADE >= 8" BLOCK;
                CheckRule "$UPLOAD >= 8" BLOCK;
                CheckRule "$RFI >= 8" BLOCK;
                CheckRule "$SQL >= 8" BLOCK;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_pass http://backend;
            }

            location / {
                if ($geoip_country_code = CN) {
                    rewrite ^/$ /cn redirect;
                }
                if ($geoip_country_code != CN) {
                    rewrite ^/$ /en redirect;
                }
            }
        }
    }
Explanation
This config file is based on SEnginx 1.5.3 compiled with the Cookie Poisoning module and the GeoIP module. Some of the directives may not be valid in other SEnginx versions.
The basic layout of the test site is: Apache listens on port 8080 on localhost, and SEnginx reverse proxies all requests to that port while applying the following functions:
- Dispatch requests based on the request's Geo-Location (according to the source IP address)
- HTTP Robot Mitigation
- Cookie Poisoning
- Naxsi application firewall
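As an added example (not part of the SEnginx documentation or source), the following Python script parses access log lines written in the "main" log_format from the configuration above, including the trailing GeoIP city and country fields, and counts per country and per location block (/cn, /en) how many requests ended in the 403 that the /RequestDenied location returns when naxsi blocks a request. The sample log lines are constructed for the example; the /cn and /en mapping assumes the location layout of this configuration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Regex matching the "main" log_format from the configuration above. The
# trailing " - [$geoip_city, $geoip_city_country_name]" part is specific to
# this SEnginx/GeoIP setup; the rest is the stock nginx combined format.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)"'
    r' - \[(?P<city>[^,\]]*), (?P<country>[^\]]*)\]$'
)

# Constructed sample lines in the "main" format (not real traffic). Two of
# them carry status 403, i.e. they were sent to DeniedUrl by naxsi; the last
# one is the geo-based redirect issued by "location /" for an unknown IP.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2013:13:55:36 +0800] "GET /cn/index.php?id=1%27%20or%201%3D1 HTTP/1.1" 403 162 "-" "Mozilla/5.0" "-" - [Beijing, China]
203.0.113.10 - - [10/Oct/2013:13:55:40 +0800] "GET /cn/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-" - [Beijing, China]
198.51.100.7 - - [10/Oct/2013:13:56:01 +0000] "GET /en/search?q=%3Cscript%3E HTTP/1.1" 403 162 "-" "curl/7.30.0" "-" - [Mountain View, United States]
198.51.100.7 - - [10/Oct/2013:13:56:05 +0000] "GET /en/ HTTP/1.1" 200 4096 "http://some_site.org/" "Mozilla/5.0" "-" - [Mountain View, United States]
192.0.2.55 - - [10/Oct/2013:13:57:12 +0000] "GET / HTTP/1.1" 302 161 "-" "Mozilla/5.0" "-" - [-, -]
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # $request is "METHOD URI PROTOCOL"; extract the path from the URI so the
    # request can be attributed to the /cn or /en location that served it.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = urlsplit(parts[1]).path if len(parts) > 1 else ""
    return rec


def site_of(path):
    """Map a request path onto the location block of this configuration."""
    for prefix in ("/cn", "/en"):
        if path == prefix or path.startswith(prefix + "/"):
            return prefix
    return "other"


def summarize(lines):
    """Count total and denied (403, i.e. DeniedUrl) requests per (country, site)."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["country"], site_of(rec["path"]))
        stats[key]["requests"] += 1
        if rec["status"] == 403:
            stats[key]["denied"] += 1
    return {"stats": dict(stats), "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for (country, site), counts in sorted(result["stats"].items()):
        print(f"{country:15} {site:6} requests={counts['requests']} denied={counts['denied']}")
    print("unparsed lines:", result["unparsed"])
```

Run against a real logs/access.www.log by replacing SAMPLE_LOG.splitlines() with the file's lines; a non-zero "unparsed" count usually means the log_format in use differs from the one above.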